# keepassxc-cli with keyfile and YubiKey hardware token

## Install
Download the macOS build from https://keepassxc.org/download/#macos

## Make alias (for Macintosh)
```bash
vi ~/.zshrc
```
```
alias kp='/Applications/KeePassXC.app/Contents/MacOS/keepassxc-cli'
```

If you have YubiKey Manager installed, you can read the serial number of the connected token from the CLI. Otherwise, look it up in the KeePassXC GUI.
```bash
/Applications/YubiKey\ Manager.app/Contents/MacOS/ykman info
```


## Write a script to provide credentials
```bash
cd
vi kpopen
```
```bash
# Do not backslash-escape spaces in the paths; the double quotes already take care of them.
export kdbx_path="/path/to/db.kdbx"
export kdbx_key="/path/to/db.kdbx.key"
# YubiKey slot:serial
export kdbx_token="2:22xxx984"
echo "Enter kdbx password:"
read -s kdbx_pass
```

## Load credentials and give password
Set variables
```bash
source kpopen
```

Check that the variables are set (this also prints kdbx_pass in clear text to the terminal):
```bash
set | grep kdbx
```

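## Putting it all together
Show the entry named 'entry'
```bash
# printf instead of echo: zsh's echo interprets backslash escapes in the password.
# The variables are quoted so paths with spaces also work outside zsh.
printf '%s\n' "${kdbx_pass}" | kp show -y "${kdbx_token}" "${kdbx_path}" --key-file "${kdbx_key}" entry
```

Show the password attribute of 'entry'
```bash
printf '%s\n' "${kdbx_pass}" | kp show -a password -y "${kdbx_token}" "${kdbx_path}" --key-file "${kdbx_key}" entry
```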


## Making it simpler
```bash
vi ~/.zshrc
```
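Add another alias:
```bash
# No $1 here: an alias takes no arguments; the entry name typed after kpsh is appended to the end.
alias kpsh='printf "%s\n" "${kdbx_pass}" | kp show -a password -y "${kdbx_token}" "${kdbx_path}" --key-file "${kdbx_key}"'
```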
Relaunch the terminal, load the credentials and request the password of 'entry'
```bash
source kpopen
kpsh entry
```

-"It is easy to make things difficult. It is difficult to make things easy."

## Security considerations
- The password remains in the memory of the shell that sourced kpopen
- Unset the password when not in use, or close the terminal to kill the shell and its memory (variables)
```
unset kdbx_pass
set | grep kdbx
```
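
A function variant of the `kpsh` alias, as an added example that is not part of the original page: it refuses to run when the credentials are not loaded, warns when the key file is readable by group or others, and adds a one-word way to drop the password. `KP_BIN`, `kpget` and `kplock` are hypothetical names; the `kdbx_*` variables are the ones set by `kpopen`.

```shell
# Added example (not from the original page). KP_BIN, kpget and kplock are
# hypothetical names; the kdbx_* variables are the ones set by kpopen.
KP_BIN="${KP_BIN:-/Applications/KeePassXC.app/Contents/MacOS/keepassxc-cli}"

# kpget ENTRY [ATTRIBUTE]: print one attribute of ENTRY (default: password).
kpget() {
    [ -n "${1:-}" ] || { echo "usage: kpget ENTRY [ATTRIBUTE]" >&2; return 2; }
    # Stop early if kpopen was not sourced or the password was already unset.
    if [ -z "${kdbx_path:-}" ] || [ -z "${kdbx_key:-}" ] ||
       [ -z "${kdbx_token:-}" ] || [ -z "${kdbx_pass:-}" ]; then
        echo "kpget: credentials not loaded, run: source kpopen" >&2
        return 3
    fi
    [ -r "$kdbx_key" ] || { echo "kpget: cannot read key file" >&2; return 4; }
    # Warn when the key file is accessible to group or others
    # (ls -ld mode string: type, 3 owner bits, then 6 group/other bits).
    case "$(ls -ldL "$kdbx_key")" in
        ????------*) ;;
        *) echo "kpget: warning: key file is group/world accessible" >&2 ;;
    esac
    # printf is a shell builtin, so the password does not show up in the
    # process list, and unlike zsh's echo it leaves backslashes untouched.
    printf '%s\n' "$kdbx_pass" |
        "$KP_BIN" show -a "${2:-password}" -y "$kdbx_token" \
            "$kdbx_path" --key-file "$kdbx_key" "$1"
}

# kplock: drop the password from the shell without closing the terminal.
kplock() {
    unset kdbx_pass
}
```

Put both functions in `~/.zshrc`, then use `source kpopen`, `kpget entry` or `kpget entry username`, and `kplock` when done.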