keepassxreboot / keepassxc

KeePassXC is a cross-platform community-driven port of the Windows application “Keepass Password Safe”.
https://keepassxc.org/

Change database credentials from keepassxc-cli #4927

Open wgordon17 opened 4 years ago

wgordon17 commented 4 years ago

Summary

I would like to propose the ability to reencrypt a keepass database using keepassxc-cli. Currently, the only way to change the password, change the key file, add a key file, add a yubikey, etc. is to open the database in the UI and change it there. I would like to be able to perform these actions via CLI.

Examples

$ keepassxc-cli change-credentials --keyfile=/path/to/existing/key --new-keyfile=/path/to/new/key --leave-password /path/to/database

Something like above would be able to change the key file and leave the password intact. If you omitted the --leave-password, the terminal would prompt for the new password twice.

Context

This is important for automation of rotating database credentials.

louib commented 4 years ago

One way to do it would be to use both the export and then the import CLI commands, although it won't be possible to set the key file on import until this PR is merged. This solution is not ideal if you are concerned about the unencrypted database being exported, even if it's piped back directly to the program using import.

I think what we need is a db-edit command (just like we have a db-create and db-show command) to modify both the encryption parameters of the database, and other meta fields like the db name and description.

Colfenor commented 4 years ago

I have a question concerning credential prompts for changing the database credentials in the CLI feature wanted in this PR.

Currently, as of keepassxc version 2.6.1, when we consider the behaviour of the GUI, the user needs to log in initially once to his database with the attached password and/or keyfile to be able to edit/remove his credentials. Will there be a design choice to prompt an additional time in order to be able to (e.g.) change/remove the database password?

And considering the CLI behaviour, as @louib suggested with a db-edit command, should the user be prompted to enter his attached password and/or keyfile in order to be able to change these credentials on his database?

droidmonkey commented 4 years ago

For the first point, there is no sense in asking for credentials again to change them. The database is unlocked, you've authenticated already. For point two, you wouldn't be able to use the db-edit command without entering the credentials.