keepassxreboot / keepassxc

KeePassXC is a cross-platform community-driven port of the Windows application “Keepass Password Safe”.
https://keepassxc.org/

keepassxc-cli passwords as parameters #6752

Open dawidol opened 3 years ago

dawidol commented 3 years ago

Summary

Hi :)

We are working on a web application and we want to store sensitive information in a kdbx file. We are trying to use keepassxc-cli to achieve this, but it looks like there is no way to send passwords as parameters without the terminal prompt.

Examples

Create a new Database

keepassxc-cli create -p "SomePassword" /path/to/file
keepassxc-cli add -p "SomePasswordForAnEntry" /path/to/File entry

Context

Any lights on how to achieve this will be very helpful.

Thanks

droidmonkey commented 3 years ago

You need to pipe the password into stdin.

dawidol commented 3 years ago

Hi, thanks @droidmonkey. Indeed that did the job for creating the database:

echo InsecurePassword |keepassxc-cli create file.kdbx

But if I want to add a new entry, I need to send first the database password and after that the password for the new entry. Any idea on how to send 2 consecutive strings to stdin?

Thanks again

droidmonkey commented 3 years ago

Use printf and add a newline in between. https://linuxize.com/post/bash-printf-command/

I'm not sure why we don't have a password parameter. It is generally bad practice to supply one on the command line call, however piping one in is no better technically. Any thoughts @louib ?

For entry creation we definitely encourage using the generator options to make a new random password. You can retrieve it later using show command.

dawidol commented 3 years ago

Thanks @droidmonkey

Yes, we are generating passwords in several parts; there is only one place where we want the user to have the ability to write a password or choose to generate one.

Also, printf with a new line creates the new entry but leaves the password as an empty value. This is the command I put:

printf "InsecureDBPassword\nNewPassword" |keepassxc-cli add file.kdbx newEntry

Thanks again

droidmonkey commented 3 years ago

You'll need to enter the password twice (pw\npw\n) since there is a confirmation step.

louib commented 3 years ago

I'm not sure why we don't have a password parameter. It is generally bad practice to supply one on the command line call, however piping one in is no better technically. Any thoughts @louib ?

I think the main reason why we don't have a parameter for that is because we underestimated how much people would rely on the CLI as a secure database backend. If both piping and parameters end up in the shell history, I guess we could add both for convenience. We might want to better highlight that those invocations might be logged though.

dawidol commented 3 years ago

Thanks @droidmonkey, looks like it is not working for me, here is a screenshot.

image

thanks again

droidmonkey commented 3 years ago

You need to add "-p" to the add command to prompt for password. Recommend reading the help for the commands.

dawidol commented 3 years ago

I did try with the "-p" option and it didn't work, here is the output:

image

strk commented 3 years ago

The stdin way works for me, with 2.6.1 I'm missing the database parameter, but that's another story :)

phoerious commented 3 years ago

It is generally bad practice to supply one on the command line call, however piping one in is no better technically. Any thoughts @louib ?

I know that comment is older, but just to clarify: Providing passwords on the command line is bad practice because it will be stored in your shell history and appear for all users in the list of processes (unless you have user-level process namespacing turned on, but even then it's bad and root can always see your password). Piping is always the better option therefore, since pipe contents never appear in the process cmdline. Shell history recording can be easily avoided as well by simply piping from a file or some other source instead of typing it literally into the shell. On the cmdline, your only option is to prefix your command with a space and that's very shell-specific.
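
The difference described in the last comment, together with the stdin sequence for `add -p` given earlier in the thread, as an added example that is not part of the thread or of the KeePassXC project. It assumes Linux with `/proc`; the `consumer` stand-in process, the function names, the password file names and the secret are all constructed for the demo.

```shell
#!/usr/bin/env bash
# Added demo (Linux, needs /proc). Secrets and file names are constructed.
SECRET='Constructed-Demo-Secret'

# Build the stdin stream for `keepassxc-cli add -p DB ENTRY` as described in
# the thread: database password, then the entry password twice (confirmation).
# Both values are read from files, so neither is typed at the prompt or put
# into any process's argv (printf is a shell builtin).
add_entry_stdin() {   # $1 = file with DB password, $2 = file with entry password
    db_pw=$(cat "$1"); entry_pw=$(cat "$2")
    printf '%s\n%s\n%s\n' "$db_pw" "$entry_pw" "$entry_pw"
}
# Intended use (not run here):
#   add_entry_stdin db.pw entry.pw | keepassxc-cli add -p file.kdbx newEntry

# Succeeds if $SECRET is readable in the argv of PID $1, as `ps` would show it.
# The short sleep gives the child time to exec before it is inspected.
argv_leaks() {
    sleep 0.5
    tr '\0' ' ' < "/proc/$1/cmdline" | grep -qF -- "$SECRET"
}

# Stand-in for a CLI that accepts the password as a command-line argument.
leak_via_argument() {
    sh -c 'sleep 1; :' consumer --password "$SECRET" &
    pid=$!; rc=0
    argv_leaks "$pid" || rc=$?
    wait "$pid"; return "$rc"
}

# Same stand-in, but the password arrives on stdin through a pipe.
leak_via_pipe() {
    printf '%s\n' "$SECRET" | sh -c 'IFS= read -r pw; sleep 1; :' consumer &
    pid=$!; rc=0   # $! is the last command of the pipeline (the consumer)
    argv_leaks "$pid" || rc=$?
    wait "$pid"; return "$rc"
}

if leak_via_argument; then
    echo "argument: secret visible in /proc/PID/cmdline"
fi
if ! leak_via_pipe; then
    echo "pipe: secret not present in the consumer's argv"
fi
```

The password files should be readable only by the account that runs the command, since they replace the interactive prompt as the place where the secret lives.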