--pw-stdin doesn't work on Windows

[TheChiefMeat]

Expected Behavior

Database is launched and unlocked, given the provided password and/or keyfile.

Current Behavior

Database fails to unlock, only successfully reading the keyfile path (however databases with only a keyfile and without a password unlock successfully).

Steps to Reproduce (for bugs)

1. Run CMD with the below line (I'm unsure if each or any of these lines are correct, as the --help page doesn't specify).
2. keepassxc --keyfile ~/folder/keyfile.key --pw-stdin ~/anotherFolder/database.kdbx
3. keepassxc --keyfile ~/folder/keyfile.key --pw-stdin PASSWORD ~/anotherFolder/database.kdbx
4. keepassxc --keyfile ~/folder/keyfile.key --pw-stdin ~/anotherFolder/database.kdbx PASSWORD

Context

I'm trying to launch my database without any user intervention at startup, and this issue is stopping me from doing so.

Debug Info

KeePassXC - Version 2.2.2
Revision: 6d46717

Libraries:

• Qt 5.9.2
• libgcrypt 1.8.1

Operating system: Windows 10 (10.0)
CPU architecture: x86_64
Kernel: winnt 10.0.14393

Enabled extensions:

• KeePassHTTP
• Auto-Type
• YubiKey

[droidmonkey]

I tried to get --pw-stdin to work on Windows and it just wasn't happening. The issue is mainly in how windows hands of gui apps from the cmd prompt. It is entirely different than Linux. I believe you can accomplish this using the "start" command though, ymmv.

[TheChiefMeat]

I've tried using the START command, but I'm entirely unsure how I'd get it to send the password from the CLI to KeePassXC, I know on the original KeePass is was -pw instead of the --pw-stdin we're using here.

One thing I've noticed is that regardless of what you type for the --keyfile parameter, even if the path doesn't exist, the parameter will still be send to KeePassXC.

Perhaps (I'm no expert) if a new parameter were to be made, say a clone of --keyfile, but instead this parameter would put it's information into the password box for KeePassXC, this issue could be fixed for Windows? I assume that this parameter would be a Windows exclusive parameter seeing as it is working fine for Linux, there must be a reason as to why the --keyfile parameter sends the information, but the other does not.

[droidmonkey]

Basically if you do that, anything running under your user account can get your password by harvesting the start-up script

[TheChiefMeat]

Can you point me in the right direction, what source files I should look at that control the CLI parameters? I'm super rusty on my coding, but I'll have a look if it means I might be able to help fix this issue, honestly it's the only thing stopping me from switching over to KeePassXC.

[droidmonkey]

Its mid way through main.cpp

[Remonli]

@TheChiefMeat Looking forward good news for this to be fixed.

[TheChiefMeat]

I haven't actually been able to work on this at all yet.

Can anyone help me get past this error? I've set up the env but every time I try to compile I get:

CMake Error at C:/msys64/mingw64/share/cmake-3.9/Modules/FindPackageHandleStandardArgs.cmake:137 (message): Could NOT find LibGPGError (missing: GPGERROR_LIBRARIES) Call Stack (most recent call first): C:/msys64/mingw64/share/cmake-3.9/Modules/FindPackageHandleStandardArgs.cmake:377 (_FPHSA_FAILURE_MESSAGE) cmake/FindLibGPGError.cmake:23 (find_package_handle_standard_args) CMakeLists.txt:234 (find_package)

[droidmonkey]

You need to install libgcrypt20-dev

[TheChiefMeat]

Honestly having trouble finding it, couldn't see it at all on the FTP server that gnupg has:

ftp://ftp.gnupg.org/gcrypt/

And msys2 comes up with:

$ pacman -S libgcrypt20-dev error: target not found: libgcrypt20-dev

[droidmonkey]

Sorry my mistake, i was thinking Ubuntu. Here is the msys instructions per our wiki:

pacman -S mingw-w64-$(uname -m)-qt5 \ mingw-w64-$(uname -m)-libgcrypt mingw-w64-$(uname -m)-zlib

[TheChiefMeat]

Thanks, but I'm still getting the error: target not found: mingw-w64-x86_64-libgcrypt

Managed to find it on the https://sourceforge.net/projects/msys2/files/REPOS/MINGW/x86_64/ page though and manually installed it.

Edit: Builds fine now, I'll start digging into the code and see what I can do.

[droidmonkey]

You might have to do a sync by performing pacman -Syu before attempting to install new packages. Either that or your msys install is a little janky because I see that package when I issue pacman -Ss libgcrypt

Pro Tip: pacman -Ss searches the remote index for a package

[TheChiefMeat]

Welp, that was relatively easy, I fixed the --pw-stdin bug already xD

How do I merge the code to the main branch? I've never used Github before this.

[droidmonkey]

You'll want to first checkout develop, then make a new branch called hotfix/pw-stdin, then commit your changes to that branch, then push it to your fork of keepassxc, then in your fork click on the "Create a PR" and follow the process.

https://help.github.com/articles/creating-a-pull-request/

[TheChiefMeat]

Forgot to say, opened up a pull request with the above fix.

[TheZ3ro]

I can't reproduce this
You have to start the database with:

echo 'password' | keepassxc --keyfile ~/folder/keyfile.key --pw-stdin ~/anotherFolder/database.kdbx

[phoerious]

On Windows? With cmd.exe or Powershell?

[TheZ3ro]

I'm using msys. I will test with cmd.exe and Powershell, alternatively I think I have a fix for other shells too

[TheZ3ro]

Nothing, I was trying

#ifdef _WIN32
if (AttachConsole(ATTACH_PARENT_PROCESS)) {
    freopen("CONIN$", "r", stdin);
    freopen("CONOUT$", "w", stdout);
    freopen("CONOUT$", "w", stderr);
}
#endif

But this doesn't seems to work.
Powershell doesn't even start develop keepassxc.exe :'(

[phoerious]

Msys2 works differently, since it's basically a Unix shell.

[hifi]

I think I narrowed this down. If you try this:

echo foo | KeePassXC.exe --pw-stdin ...

the result will depend on your shell. In PowerShell the echo command works as expected but with the old cmd.exe it will include a whitespace at the end.

To use the echo command with old cmd.exe, you need to avoid having space before the pipe:

echo foo| KeePassXC.exe --pw-stdin ...

Redirecting a file works fine with both:

KeePassXC.exe --pw-stdin ... < password.txt

where password.txt contains your password in plain text.

I would expect any program that can output text on stdout will work just fine even on Windows to pipe it in.

[TheChiefMeat]

Can confirm that the following works with CMD even without the echo foo| before.

KeePassXC.exe --pw-stdin < D:\KeePass\pw.txt D:\KeePass\NewDatabase.kdbx --keyfile G:\NewDatabase.key

Having trouble with the other method though. The password box is now being ticked, but the raw password is not being piped through properly if I do:

echo foo| KeePassXC.exe --pw-stdin MYPASSWORDHERE D:\KeePass\NewDatabase.kdbx --keyfile G:\NewDatabase.key

--pw-stdin seems fine with paths, but not with anything else?

[hifi]

If you want to have your password on the command line itself you can use echo like so:

echo YOURPASSWORDHERE| KeePassXC.exe --pw-stdin D:\KeePass\NewDatabase.kdbx --keyfile G:\NewDatabase.key

But please bear in mind special characters will most likely break the echo command and as said before it's not a secure way to handle your passphrase.

[AustinHaigh]

Should this issue be closed? Looks like it was fixed: #1336 (comment)

[droidmonkey]

Yup i agree

[BARR001]

Hello, i also have the same problem. Tried everything, but nothing works. Cant't send my password. would this be fixed in future?

[heX16]

Hello, i also have the same problem. Tried everything, but nothing works. Cant't send my password. would this be fixed in future?

I just create file with password and use "--keyfile". Of course, this is not safety. But that’s all we have.

Example:
start "" KeePassXC.exe --config "%~d0%~p0\keepassxc.ini" --keyfile D:\xxx\mypasswd D:\xxx\database

[BARR001]

Hello, i know that this works. But i have to use a passwort because everyone who uses my PC can open the database. My batchfile has an input parameter like (set /p Input=Enter Crypt:) so the password isn't stored in this file!

[droidmonkey]

What's the point? Why can't you just enter the password after KeePassXC opens

[BARR001]

im starting different programs in a batch. Most have the same Password, so i have to fill it only once!

[heX16]

@BARR001 , Yes, I also wanted to do this: for another program to take the password from a physical device (digispark with homemade firmware (as Memtype) ).
But for the last 2 years I just keep the file in a shared cryptographic repository... And waiting until "pw-stdin" is implemented. 😄

[BARR001]

I'm sorry, but I changed now to the original KeePass and the paramenter -pw: works fine for me. It is realy pity.

[BARR001]

i found a solution that works for me
echo password| "C:\Program Files\KeePassXC\KeePassXC.exe" --pw-stdin "D:\test.kdbx" --keyfile "D:\Bild.jpg"

[BitWuehler]

@BARR001 I tried that and i doesn't worked. But if use the portable version everything works fine. How do you managed, that the batch file closes after it opened the programm? My only closes from itself, if I close the programm.

[droidmonkey]

You must not include a space between the password and the pipe |

[BARR001]

@BARR001 I tried that and i doesn't worked. But if use the portable version everything works fine. How do you managed, that the batch file closes after it opened the programm? My only closes from itself, if I close the programm.

i don't have a solution yet. The console keeps open

[BARR001]

You must not include a space between the password and the pipe |

there is no space. It works fine. It also works if there is no space before and after the pile, like
echo test123|"D:\LupoPenSuite\KeePassXC.exe" --pw-stdin "D:\test.kdbx"

[BitWuehler]

Thanks @BARR001
I found something interesting. Seems like it is a problem with the Browser integration. Thats also the reason why it worked for me before with the portable version. I don't configurate it before. But if I now activate the browser integration the hole password fill thing doesn't work anymore.

[BARR001]

But i have a new Problem so this solution is not useful for me!
If i activate Browser Integration the Software crashes, because only the last three characters from the password where forwardet.
for this i made a new bug report
#4140

[higuti-yuuma]

@BARR001 I tried that and i doesn't worked. But if use the portable version everything works fine. How do you managed, that the batch file closes after it opened the programm? My only closes from itself, if I close the programm.

i don't have a solution yet. The console keeps open

You can close the console by running it through a power shell from a batch file.

@echo off
setlocal
cd /d %~dp0

set kdbx=your.kdbx
set pass=password.txt
set key=keyfile.key

set script=Start-Process -FilePath "KeePassXC.exe" -ArgumentList "%kdbx% --keyfile %key% --pw-stdin" -RedirectStandardInput "%pass%"
set script=%script:"=\"%
powershell -Command "%script%"

endlocal

[steel4me]

@BARR001 I tried that and i doesn't worked. But if use the portable version everything works fine. How do you managed, that the batch file closes after it opened the programm? My only closes from itself, if I close the programm.

i don't have a solution yet. The console keeps open

You can close the console by running it through a power shell from a batch file.

@echo off
setlocal
cd /d %~dp0

set kdbx=your.kdbx
set pass=password.txt
set key=keyfile.key

set script=Start-Process -FilePath "KeePassXC.exe" -ArgumentList "%kdbx% --keyfile %key% --pw-stdin" -RedirectStandardInput "%pass%"
set script=%script:"=\"%
powershell -Command "%script%"

endlocal

very useful, someone have a batch or powershell to open multiple databases? i tried it months ago and i cant open second or third database with stdin...

example:
-ArgumentList "%kdbx1% %kdbx2% --pw-stdin" -RedirectStandardInput "%pass%"

in pass.txt

password1
password2

even password1\npassword2 dont work with windows ;)

[m-a-v]

very useful, someone have a batch or powershell to open multiple databases?

@steel4me It's easier to use the AutoOpen feature as described here:

https://keepassxc.org/docs/KeePassXC_UserGuide.html#_automatic_database_opening

[steel4me]

very useful, someone have a batch or powershell to open multiple databases?

@steel4me It's easier to use the AutoOpen feature as described here:

https://keepassxc.org/docs/KeePassXC_UserGuide.html#_automatic_database_opening

I love you! Thx!

Was AutoOpen always there or has been introduced in the last updates?

[m-a-v]

#477

[steel4me]

#477

facepalm, strange that i didn't found it myself, sorry

[steel4me]

@m-a-v
AutoOpen is very cool! I already open local databases without problems.
But when i try to open databases from cifs / smb share,
how can i add username and password for this share. Example:

kdbx://file://192.192.192.192/share
i tried kdbx://files://domain\user.name:password@192.192.192.192

if this is not possible i will mount a network drive and open it over network drive path

[BARR001]

hello community
does anyone know when --pw-stdin will be implemented? I#m using version 2.6.6.
My actual problem is that my batch stops when i start KeePassXc with following command
echo password| "C:\Program Files\KeePassXC\KeePassXC.exe" --pw-stdin "D:\test.kdbx" --keyfile "D:\Bild.jpg"

after starting i want to start firefox that need the proxy of KeePassXC

[m-a-v]

You could use an AutoIt script ...

#include <AutoItConstants.au3>

$executable = "C:\Program Files\KeePassXC\KeePassXC.exe"
$kdbx = "C:\Users\Dummy\Dummy.kdbx"
$pass = "i_am_aware_that_this_is_a_really_insecure_method_to_provide_the_pw_using_stdin"
$cmd = $executable & " " & $kdbx & " --pw-stdin"
Local $iPID = Run($cmd, @SystemDir, @SW_HIDE, $STDIN_CHILD + $STDOUT_CHILD)
StdinWrite($iPID, $pass)

If WinExists ("Dummy- KeePassXC") Then
	WinSetState ("Dummy- KeePassXC", "", @SW_HIDE)
EndIf

Exit (0)

[droidmonkey]

This feature works on Windows, you just have to use it "carefully"

[beyond9thousand]

You guys could include straightforward instructions to use this feature on Windows, you know? How do i pass a password with special characters? In my case it doesn't pass % and the character following it

[BARR001]

try %% or % or /%