This CLI-tool diffs two Keepass (.kdbx) files and prints their differences.
The main installation method is through Rust.
RUSTFLAGS="-C target-cpu=native" cargo install keepass-diff
The RUSTFLAGS
variable will significantly boost performance. See
installation note in keepass-rs.
If you don't have the Rust toolchain installed, there is an alternative installation method using containers. There are two installation steps necessary to be able to run keepass-diff
in your current working directory with a simple command:
The following commands assume docker
for building and running the container, but it should be possible to replace it with podman
and maybe other engines. Please check whether the options are available.
To build the container, run:
docker build -f Containerfile.install -t "keepass-diff:custom-local" .
To get the correct alias for your machine to use, run:
alias keepass-diff='docker run -it --rm -v "$(pwd)":/app:ro "keepass-diff:custom-local"'
The alias
command can be copy and pasted into your .bashrc
or .zshrc
file. This will make sure to have keepass-diff available whenever you start a new terminal session. Either start a new shell or run the command in the current terminal once to make it available right away.
With the alias being set up, keepass-diff
should be available. Try running:
keepass-diff --help
Note: Keep in mind that the alias is set up in a way to allow the current working directory being mounted into the container. That means you're able to access files from this directory, but you won't be able to access files through an absolute path or using ../
from your host machine.
keepass-diff <file-a> <file-b>
The CLI will ask for the password for both files individually.
You can also provide one or both passwords on the command line (please be aware that this will expose them to other users logged on to the system):
keepass-diff <file-a> <file-b> --password-a <password-a> --password-b <password-b>
If the files have the same password, you can use the --passwords <password>
flag. Be aware this has the same problem as above:
keepass-diff <file-a> <file-b> --passwords <password>
To avoid exposing the password, use --same-password
instead. The CLI will ask
you to type it once for both files.
keepass-diff <file-a> <file-b> --same-password
keepass-diff <file-a> <file-b> --keyfile-a <keyfile-a> --keyfile-b <keyfile-b>
If one of these flags is provided, it will use the keyfile for authentication. It will still ask for a password, if the password flags are not provided.
If you want to pipe the output of the command into another file or script, you
may want to disable the terminal colors. You can do so with the --no-color
or
-C
option.
keepass-diff
usually shows changed passwords. If you need it to obfuscate
these protected fields, use --mask-passwords
(or -m
) to show ***
instead
of the real passwords. Be aware that the output can show a changed line without
actual visible changes in the output then.
--help
yields:
This CLI-tool reads two Keepass (.kdbx) files and prints their differences.
Usage: keepass-diff [OPTIONS] <INPUT-A> <INPUT-B>
Arguments:
<INPUT-A> Sets the first file
<INPUT-B> Sets the second file
Options:
-C, --no-color Disables color output
-v, --verbose Enables verbose output
-m, --mask-passwords Enables verbose output
--password-a <password-a> Sets the password for the first file (will be asked for if omitted)
--password-b <password-b> Sets the password for the second file (will be asked for if omitted)
--passwords <passwords> Sets the password for both files (if it's the same for both files)
--same-password Asks for password only once, and tries to open both files with it
--no-password-a Sets no password for the first file (and will not ask for it)
--no-password-b Sets no password for the second file (and will not ask for it)
--no-passwords Sets no password for both files (and will not ask for both files)
--keyfile-a <keyfile-a> Sets the key file for the first file
--keyfile-b <keyfile-b> Sets the key file for the second file
--keyfiles <keyfiles> Sets the same key file for both files (keyfile-a and keyfile-b would take
precedence if set as well)
-h, --help Print help
-V, --version Print version
.kdbx
files.Care to help? I'm pretty new to Rust, so if anyone likes to help or teach me cool stuff, please feel free to reach out to me on X, my GitHub profile, my website or by opening an issue in the keepass-diff repository.
In general, I'm trying to avoid breaking changes with this tool. If you think an option should be added or made to a default, this can be discussed in an issue. I would prefer adding an option first and collect multiple of these changes before releasing a new major version with breaking changes.
There are unit tests (cargo test
) and end-to-end tests (./run-tests.sh
).
Both test suites help find regressions in the code and should be checked before
sending a pull request.
Password for the Keepass demo files: demopass
.
test_file.kdbx
is locked without password and keyfile keyfile.key
.
test2_file.kdbx
is locked with demopass
and the keyfile keyfile.key
.
A small bash script for running tests is run-tests.sh
. It will run a few tests
to see if the outputs is correct. Best run as
RUSTFLAGS="-C target-cpu=native" ./run-tests.sh
for improved performance.
It needs to have the cargo-script
command installed first:
cargo install cargo-script
Then, run cargo script docs_build.rs
to update the docs/index.html
from the
current README.md
file.