keepassxc-cli

KEEPASSXC-CLI(1)            General Commands Manual           KEEPASSXC-CLI(1)



NAME
       keepassxc-cli - command line interface for the KeePassXC password
       manager.


SYNOPSIS
       keepassxc-cli command [ -I options ]


DESCRIPTION
       keepassxc-cli is the command line interface for the KeePassXC password
       manager. It provides the ability to query and modify the entries of a
       KeePass database, directly from the command line.


COMMANDS
       add [options] <database> <entry>
              Adds a new entry to a database. A password can be generated (-g
              option), or a prompt can be displayed to input the password (-p
              option).  The same password generation options as documented for
              the generate command can be used when the -g option is set.


       analyze [options] <database>
              Analyzes passwords in a database for weaknesses.


       clip [options] <database> <entry> [timeout]
              Copies the password or the current TOTP (-t option) of a
              database entry to the clipboard. If multiple entries with the
              same name exist in different groups, only the password for the
              first one is going to be copied. For copying the password of an
              entry in a specific group, the group path to the entry should be
              specified as well, instead of just the name. Optionally, a
              timeout in seconds can be specified to automatically clear the
              clipboard.


       close  In interactive mode, closes the currently opened database (see
              open).


       create [options] <database>
              Creates a new database with a key file and/or password. The key
              file will be created if the file that is referred to does not
              exist. If both the key file and password are empty, no database
              will be created.


       diceware [options]
              Generates a random diceware passphrase.


       edit [options] <database> <entry>
              Edits a database entry. A password can be generated (-g option),
              or a prompt can be displayed to input the password (-p option).
              The same password generation options as documented for the
              generate command can be used when the -g option is set.


       estimate [options] [password]
              Estimates the entropy of a password. The password to estimate
              can be provided as a positional argument, or using the standard
              input.


       exit   Exits interactive mode. Synonymous with quit.


       export [options] <database>
              Exports the content of a database to standard output in the
              specified format (defaults to XML).


       generate [options]
              Generates a random password.


       help [command]
              Displays a list of available commands, or detailed information
              about the specified command.


       import [options] <xml> <database>
              Imports the contents of an XML database to the target database.


       locate [options] <database> <term>
              Locates all the entries that match a specific search term in a
              database.


       ls [options] <database> [group]
              Lists the contents of a group in a database. If no group is
              specified, it will default to the root group.


       merge [options] <database1> <database2>
              Merges two databases together. The first database file is going
              to be replaced by the result of the merge, for that reason it is
              advisable to keep a backup of the two database files before
              attempting a merge. In the case that both databases make use of
              the same credentials, the --same-credentials or -s option can be
              used.


       mkdir [options] <database> <group>
              Adds a new group to a database.


       mv [options] <database> <entry> <group>
              Moves an entry to a new group.


       open [options] <database>
              Opens the given database in a shell-style interactive mode. This
              is useful for performing multiple operations on a single
              database (e.g. ls followed by show).


       quit   Exits interactive mode. Synonymous with exit.


       rm [options] <database> <entry>
              Removes an entry from a database. If the database has a recycle
              bin, the entry will be moved there. If the entry is already in
              the recycle bin, it will be removed permanently.


       rmdir [options] <database> <group>
              Removes a group from a database. If the database has a recycle
              bin, the group will be moved there. If the group is already in
              the recycle bin, it will be removed permanently.


       show [options] <database> <entry>
              Shows the title, username, password, URL and notes of a database
              entry. Can also show the current TOTP. Regarding the occurrence
              of multiple entries with the same name in different groups,
              everything stated in the clip command section also applies here.


OPTIONS
   General options
       --debug-info
              Displays debugging information.


       -k, --key-file <path>
              Specifies a path to a key file for unlocking the database. In a
              merge operation this option, is used to specify the key file
              path for the first database.


       --no-password
              Deactivates the password key for the database.


       -y, --yubikey <slot>
              Specifies a yubikey slot for unlocking the database. In a merge
              operation this option is used to specify the yubikey slot for
              the first database.


       -q, --quiet <path>
              Silences password prompt and other secondary outputs.


       -h, --help
              Displays help information.


       -v, --version
              Displays the program version.



   Merge options
       -d, --dry-run <path>
              Prints the changes detected by the merge operation without
              making any changes to the database.


       -f, --key-file-from <path>
              Sets the path of the key file for the second database.


       --no-password-from
              Deactivates password key for the database to merge from.


       --yubikey-from <slot>
              Yubikey slot for the second database.


       -s, --same-credentials
              Uses the same credentials for unlocking both databases.



   Add and edit options
       The same password generation options as documented for the generate
       command can be used with those 2 commands when the -g option is set.


       -u, --username <username>
              Specifies the username of the entry.


       --url <url>
              Specifies the URL of the entry.


       -p, --password-prompt
              Uses a password prompt for the entry's password.


       -g, --generate
              Generates a new password for the entry.



   Edit options
       -t, --title <title>
              Specifies the title of the entry.



   Estimate options
       -a, --advanced
              Performs advanced analysis on the password.



   Analyze options
       -H, --hibp <filename>
              Checks if any passwords have been publicly leaked, by comparing
              against the given list of password SHA-1 hashes, which must be
              in "Have I Been Pwned" format. Such files are available from
              https://haveibeenpwned.com/Passwords; note that they are large,
              and so this operation typically takes some time (minutes up to
              an hour or so).



   Clip options
       -t, --totp
              Copies the current TOTP instead of current password to
              clipboard. Will report an error if no TOTP is configured for the
              entry.



   Show options
       -a, --attributes <attribute>...
              Shows the named attributes. This option can be specified more
              than once, with each attribute shown one-per-line in the given
              order. If no attributes are specified and -t is not specified, a
              summary of the default attributes is given.  Protected
              attributes will be displayed in clear text if specified
              explicitly by this option.


       -s, --show-protected
              Shows the protected attributes in clear text.


       -t, --totp
              Also shows the current TOTP, reporting an error if no TOTP is
              configured for the entry.



   Diceware options
       -W, --words <count>
              Sets the desired number of words for the generated passphrase.
              [Default: 7]


       -w, --word-list <path>
              Sets the Path of the wordlist for the diceware generator. The
              wordlist must have > 1000 words, otherwise the program will
              fail. If the wordlist has < 4000 words a warning will be printed
              to STDERR.



   Export options
       -f, --format
              Format to use when exporting. Available choices are xml or csv.
              Defaults to xml.



   List options
       -R, --recursive
              Recursively lists the elements of the group.


       -f, --flatten
              Flattens the output to single lines. When this option is
              enabled, subgroups and subentries will be displayed with a
              relative group path instead of indentation.


   Generate options
       -L, --length <length>
              Sets the desired length for the generated password. [Default:
              16]


       -l --lower
              Uses lowercase characters for the generated password. [Default:
              Enabled]


       -U --upper
              Uses uppercase characters for the generated password. [Default:
              Enabled]


       -n --numeric
              Uses numbers characters for the generated password. [Default:
              Enabled]


       -s --special
              Uses special characters for the generated password. [Default:
              Disabled]


       -e --extended
              Uses extended ASCII characters for the generated password.
              [Default: Disabled]


       -x --exclude <chars>
              Comma-separated list of characters to exclude from the generated
              password. None is excluded by default.


       --exclude-similar
              Exclude similar looking characters. [Default: Disabled]


       --every-group
              Include characters from every selected group. [Default:
              Disabled]



REPORTING BUGS
       Bugs and feature requests can be reported on GitHub at
       https://github.com/keepassxreboot/keepassxc/issues.


AUTHOR
       This manual page was originally written by Manolis Agkopian
       <m.agkopian@gmail.com>, and is maintained by the KeePassXC Team
       <team@keepassxc.org>.



                                 June 15, 2019                KEEPASSXC-CLI(1)