Using Browser Integration to connect keepassxc-cli to gui
Summary
When using the cli, instead of specifying a path and entering your password every single time you interact with a database, connect to the running keepassxc using the browser integration.
Examples
```
keepassxc-cli show --from-open-databases -a Password 'Production/devops/gitea-production'
```

```
# we use ansible-vault to store secrets, passwords are in keepass
ansible-vault show --vault-id gitea-production@kpxc-prod-client some/file.vault
ansible-playbook -l prod \
    --vault-id gitea-production@kpxc-prod-client \
    --vault-id postgres-production@kpxc-prod-client \
    playbooks/gitea/setup.yml
```
```bash
#!/bin/bash
# kpxc-prod-client: ansible-vault client script. Because the file name ends in
# "-client", ansible runs it as "kpxc-prod-client --vault-id <id>" and reads the
# vault password from stdout, so $2 is the vault-id name.
set -euo pipefail
set -x
readonly KP_CLI=${KP_CLI:-"$USERPROFILE/scoop/apps/keepassxc/current/keepassxc-cli.exe"}
readonly KP_ROOT=${KP_ROOT:-'Production/devops/gitea-production'}
# With the proposed --from-open-databases option no database path is given:
# the running KeePassXC GUI answers through the browser-integration channel.
"$KP_CLI" show --from-open-databases -a Password "$KP_ROOT/$2"
```
Context
We use ansible and ansible-vault to encrypt secrets; to unlock those secrets we have a script we give to ansible that fetches passwords from the keepass database. Since the cli touches the database file directly, we have to unlock the database every single time.
I saw the open feature, but this is unusable for vaults since the script is run once per password, and even if it worked, it would still require the user to enter their password at least once per run.
Bonus
If all commands support the new option, the complexity of having to maintain a REPL can be entirely removed from the code.
This is kind of related to #4513 which I didn't find at first, but I feel more strongly about the solution required. Browser integration is already there, it works, I don't see any reason why the cli couldn't be yet another client of it.
As for the key, it can be stored in linux with libsecret, mac's keychain and windows probably has a thing similar. It will actually be more secure than browser's storage where it's just a file or a db in plaintext in the user's profile directory.
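For reference, here is what a complete ansible-vault client script looks like against today's keepassxc-cli interface (added example, not code from the issue author or from KeePassXC). Ansible passes `--vault-id <id>` to any script whose name ends in `-client` and reads the password from stdout; the script validates the id before building the KeePass entry path, so a vault-id taken from the command line cannot be turned into an arbitrary entry path. The database path, group and entry names are assumptions. It still unlocks the database on every call, which is exactly the pain point of this issue.

```bash
#!/usr/bin/env bash
# kpxc-prod-client: ansible-vault password client (example, not KeePassXC's code).
# Ansible runs it as:  kpxc-prod-client --vault-id <id>
# and expects the vault password on stdout.
set -euo pipefail

KP_CLI=${KP_CLI:-keepassxc-cli}
KP_DATABASE=${KP_DATABASE:-"$HOME/prod.kdbx"}   # assumed database location
KP_ROOT=${KP_ROOT:-'Production/devops'}          # assumed group holding vault passwords

# Map a vault-id to a KeePass entry path. The id comes from the ansible command
# line, so restrict it to a safe charset: no '/', no '..', nothing that could
# escape KP_ROOT or confuse the entry lookup.
resolve_entry() {
    local id=$1
    case "$id" in
        ''|*[!A-Za-z0-9._-]*|*..*) return 1 ;;
    esac
    printf '%s/%s\n' "$KP_ROOT" "$id"
}

# Parse exactly "--vault-id <id>", the form ansible uses for *-client scripts.
parse_vault_id() {
    [ "$#" -eq 2 ] && [ "$1" = "--vault-id" ] || return 1
    printf '%s\n' "$2"
}

# -q suppresses the password prompt text, -s shows the protected attribute,
# -a Password prints only that attribute. The master password is read from
# stdin on every invocation: one unlock per vault-id per run.
fetch_password() {
    local entry=$1
    "$KP_CLI" show -q -s -a Password "$KP_DATABASE" "$entry"
}

main() {
    local id entry
    id=$(parse_vault_id "$@") || { echo "usage: $0 --vault-id <id>" >&2; exit 2; }
    entry=$(resolve_entry "$id") || { echo "invalid vault-id: $id" >&2; exit 2; }
    fetch_password "$entry"
}

# Ansible always passes arguments; with none, define the functions only.
[ "$#" -eq 0 ] || main "$@"
```

Usage is the same as in the examples above: `ansible-vault show --vault-id gitea-production@./kpxc-prod-client some/file.vault`, with `KP_DATABASE` pointing at the real database.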
Good idea. We could have a keepassxc-cli connect command. You can enter the secret key on the cmd line, at prompting, or force a new connection.
Shameless advertisement: https://github.com/Frederick888/git-credential-keepassxc#scripting
Yes!
> Shameless advertisement: https://github.com/Frederick888/git-credential-keepassxc#scripting
I wish, but that doesn't work on Windows:

```
bendem> git-credential-keepassxc.exe configure
# error text is the Windows French-locale message: "The specified file could not be found."
Jul 15 13:57:36.999 ERRO Le fichier spécifié est introuvable. (os error 2), Caused by: N/A, Message: Le fichier spécifié est introuvable. (os error 2)
[98.99 ms]
```
@bendem
- I don't speak French(?)
- `-vv` to enable verbose logs
- Even better, do a debug build and then `-vvv`
- You should file an issue in my repo instead
I am after basically the same thing, e.g.

```
keepassxc-cli show --use-proxy --show-protected -a Password /path/to/my/database.kdbx 'my-ansible-vault-password'
```
I posted a duplicate issue by mistake in https://github.com/keepassxreboot/keepassxc/issues/10238, but it also includes a workaround using https://github.com/hargoniX/keepassxc-proxy-client
The browser integration mechanism seems to be a good fit, as it provides fine-grained access to different databases/entries.
> As for the key, it can be stored in linux with libsecret, mac's keychain and windows probably has a thing similar.
My workaround stores the native messaging key in plain text on disk, but +1 :+1: to this idea.