Using Browser Integration to connect keepassxc-cli to gui #5069
Comments
This is kind of related to #4513 which I didn't find at first, but I feel more strongly about the solution required. Browser integration is already there, it works, I don't see any reason why the CLI couldn't be yet another client of it. As for the key, it can be stored in Linux with libsecret, Mac's keychain, and Windows probably has a similar thing. It will actually be more secure than the browser's storage, where it's just a file or a db in plaintext in the user's profile directory.
Good idea. We could have a
Shameless advertisement: https://github.com/Frederick888/git-credential-keepassxc#scripting
Yes!
I wish, but that doesn't work on Windows:
I am after basically the same thing, e.g. I posted a duplicate issue by mistake in #10238, but it also includes a workaround using https://github.com/hargoniX/keepassxc-proxy-client. The browser integration mechanism seems to be a good fit, as it provides fine-grained access to different databases/entries.
My workaround stores the native messaging key in plain text on disk, but +1 👍 to this idea.
Summary
When using the cli, instead of specifying a path and entering your password every single time you interact with a database, connect to the running keepassxc using the browser integration.
Examples
Context
We use Ansible and ansible-vaults to encrypt secrets. To unlock those secrets we have a script we give to Ansible that fetches passwords from the KeePass database. Since the CLI touches the database file directly, we have to unlock the database every single time.
I saw the open feature, but this is unusable for vaults since the script is run once per password and even if it worked, it would still require the user to enter their password at least once per run.
Bonus
If all commands support the new option, the complexity of having to maintain a REPL can be entirely removed from the code.