
Using Browser Integration to connect keepassxc-cli to gui #5069

Open
bendem opened this issue Jul 14, 2020 · 7 comments

Comments

@bendem

bendem commented Jul 14, 2020

Summary

When using the cli, instead of specifying a path and entering your password every single time you interact with a database, connect to the running keepassxc using the browser integration.

Examples

keepassxc-cli show --from-open-databases -a Password 'Production/devops/gitea-production'

# we use ansible-vault to store secrets, passwords are in keepass
ansible-vault show --vault-id gitea-production@kpxc-prod-client some/file.vault
ansible-playbook -l prod \
  --vault-id gitea-production@kpxc-prod-client \
  --vault-id postgres-production@kpxc-prod-client \
  playbooks/gitea/setup.yml

#!/bin/bash

set -euo pipefail
set -x

readonly KP_CLI=${KP_CLI:-"$USERPROFILE/scoop/apps/keepassxc/current/keepassxc-cli.exe"}
readonly KP_ROOT=${KP_ROOT:-'Production/devops/gitea-production'}
# database the running KeePassXC has open; must be set, there is no default
readonly KP_DATABASE=${KP_DATABASE:?path to the database to query}

# ansible invokes a vault client script as "<script> --vault-id <id>", so $2 is the vault id
"$KP_CLI" show --from-open-databases -a Password "$KP_DATABASE" "$KP_ROOT/$2"

Context

We use ansible and ansible-vaults to encrypt secrets; to unlock those secrets we have a script we give to ansible that fetches passwords from the keepass database. Since the cli touches the database file directly, we have to unlock the database every single time.

I saw the open feature, but this is unusable for vaults since the script is run once per password and even if it worked, it would still require the user to enter their password at least once per run.

Bonus

If all commands support the new option, the complexity of having to maintain a REPL can be entirely removed from the code.
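As an added illustration of the vault client contract described in this issue (not the issue author's script): ansible runs the client as `script --vault-id <id>` and reads the password from stdout. The example assumes a `keepassxc-cli` on PATH, uses the `--from-open-databases` option proposed here (it does not exist in KeePassXC), and maps the id to `KP_ROOT/<id>` only after rejecting ids that could escape `KP_ROOT`.

```bash
#!/bin/sh
# Added example, not from the issue. Resolves the "--vault-id <id>" ansible
# passes to a KeePassXC entry path and prints that entry's password to stdout.
# Assumed: keepassxc-cli on PATH and the proposed --from-open-databases option.
set -eu

readonly KP_CLI=${KP_CLI:-keepassxc-cli}
readonly KP_ROOT=${KP_ROOT:-'Production/devops'}

# Echo the vault id from ansible's argument list ("--vault-id X" or "--vault-id=X").
# Returns 1 when none is present so a misconfigured call fails closed.
vault_id_from_args() {
  while [ $# -gt 0 ]; do
    case "$1" in
      --vault-id) [ $# -ge 2 ] || return 1; printf '%s\n' "$2"; return 0 ;;
      --vault-id=*) printf '%s\n' "${1#--vault-id=}"; return 0 ;;
    esac
    shift
  done
  return 1
}

# Map an id to an entry path. Only a conservative character set is accepted,
# so an id can never reach outside KP_ROOT through "/" or "..".
entry_path_for() {
  id=$1
  case "$id" in
    ''|*[!A-Za-z0-9._-]*|.|..) return 1 ;;
  esac
  printf '%s/%s\n' "$KP_ROOT" "$id"
}

main() {
  id=$(vault_id_from_args "$@") || { echo 'usage: --vault-id <id>' >&2; exit 2; }
  path=$(entry_path_for "$id") || { echo "refusing vault id: $id" >&2; exit 2; }
  # The secret goes to stdout only; anything else belongs on stderr.
  "$KP_CLI" show --from-open-databases -a Password "$path"
}

# ansible always passes arguments; with none (e.g. when sourced) nothing runs.
[ $# -eq 0 ] || main "$@"
```

Register it with ansible as `--vault-id gitea-production@/path/to/this-script`; with `KP_ROOT=Production/devops` that id resolves to the entry path shown in the first example above.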

@bendem
Author

bendem commented Jul 14, 2020

This is kind of related to #4513 which I didn't find at first, but I feel more strongly about the solution required. Browser integration is already there, it works, I don't see any reason why the cli couldn't be yet another client of it.

As for the key, it can be stored in linux with libsecret, mac's keychain and windows probably has a thing similar. It will actually be more secure than browser's storage where it's just a file or a db in plaintext in the user's profile directory.

@droidmonkey
Member

droidmonkey commented Jul 14, 2020

Good idea. We could have a keepassxc-cli connect command. You can enter the secret key on the cmd line, at prompting, or force a new connection.

@Frederick888

Shameless advertisement: https://github.com/Frederick888/git-credential-keepassxc#scripting

@droidmonkey
Member

Yes!

@bendem
Author

bendem commented Jul 15, 2020

Shameless advertisement: https://github.com/Frederick888/git-credential-keepassxc#scripting

I wish, but that doesn't work on windows:

bendem> git-credential-keepassxc.exe configure
Jul 15 13:57:36.999 ERRO Le fichier spécifié est introuvable. (os error 2), Caused by: N/A, Message: Le fichier spécifié est introuvable. (os error 2)
[98.99 ms]

@Frederick888

@bendem

  1. I don't speak French(?)
  2. -vv to enable verbose logs
  3. Even better, do a debug build and then -vvv
  4. You should file an issue in my repo instead

@nodiscc

nodiscc commented Jan 28, 2024

I am after basically the same thing, e.g. keepassxc-cli show --use-proxy --show-protected -a Password /path/to/my/database.kdbx 'my-ansible-vault-password'

I posted a duplicate issue by mistake in #10238, but it also includes a workaround using https://github.com/hargoniX/keepassxc-proxy-client

The browser integration mechanism seems to be a good fit, as it provides fine-grained access to different databases/entries.

As for the key, it can be stored in linux with libsecret, mac's keychain and windows probably has a thing similar.

My workaround stores the native messaging key in plain text on disk, but +1 👍 to this idea.
