
keepassxc-cli with keyfile and YubiKey hardware token

Install

https://keepassxc.org/download/#macos

Make an alias (for Macintosh)

vi ~/.zshrc
alias kp='/Applications/KeePassXC.app/Contents/MacOS/keepassxc-cli'

If you have YubiKey Manager installed, you can read the serial number of the connected token from the CLI. Otherwise, look it up in the KeePassXC GUI.

/Applications/YubiKey\ Manager.app/Contents/MacOS/ykman info

Write a script to provide credentials

cd
vi openkp.sh
# Do not escape spaces in the path with backslashes; the path is already inside double quotes.
export kdbx_path="/path/to/db.kdbx"
export kdbx_key="/path/to/key.db.kdbx.key"
# YubiKey slot:serial
export kdbx_token="2:22xxx984"
echo "Enter kdbx password:"
read -rs kdbx_pass

Load credentials and give password

Set variables

source openkp.sh

Check that the variables are set (the output includes kdbx_pass in clear text):

set | grep kdbx

Putting it all together:

Show entry named 'entry'

printf '%s\n' "${kdbx_pass}" | kp show -y "${kdbx_token}" "${kdbx_path}" --key-file "${kdbx_key}" entry

Show password attribute of 'entry'

printf '%s\n' "${kdbx_pass}" | kp show -a password -y "${kdbx_token}" "${kdbx_path}" --key-file "${kdbx_key}" entry

Unset the password when not in use, then check that it is gone

unset kdbx_pass
set | grep kdbx
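
The steps above folded into one shell function, as an added example that is not part of the original page: it validates the token string, prompts for the password only for the duration of one call, and clears it afterwards. KP_BIN, kp_token_ok and kp_show are names made up for this example, and the "slot 1 or 2, numeric serial" check is this example's assumption about the slot:serial format.

```shell
# Added example, not from the original page. KP_BIN, kp_token_ok and kp_show
# are names made up here; kdbx_path, kdbx_key, kdbx_token come from openkp.sh.
KP_BIN="${KP_BIN:-/Applications/KeePassXC.app/Contents/MacOS/keepassxc-cli}"

# Accept only "slot:serial": slot 1 or 2, serial made of digits.
kp_token_ok() {
    case "$1" in
        [12]:*) ;;
        *) return 1 ;;
    esac
    case "${1#?:}" in
        ''|*[!0-9]*) return 1 ;;
    esac
}

# kp_show ENTRY [ATTRIBUTE]: runs "show" with the same options the page uses.
kp_show() {
    _kp_entry=$1 _kp_attr=${2:-} _kp_rc=0
    if [ -z "$_kp_entry" ] || [ ! -r "$kdbx_path" ] || [ ! -r "$kdbx_key" ]; then
        echo "kp_show: need an entry name and readable kdbx_path/kdbx_key" >&2
        return 2
    fi
    if ! kp_token_ok "$kdbx_token"; then
        echo "kp_show: kdbx_token must look like slot:serial" >&2
        return 2
    fi
    # Build the argument list; quoting keeps paths with spaces intact.
    set -- show -y "$kdbx_token" --key-file "$kdbx_key"
    if [ -n "$_kp_attr" ]; then set -- "$@" -a "$_kp_attr"; fi
    set -- "$@" "$kdbx_path" "$_kp_entry"
    # Read the password without echo on a terminal, or from a pipe otherwise.
    if [ -t 0 ]; then
        printf 'Enter kdbx password: ' >&2
        stty -echo; IFS= read -r _kp_pass; stty echo
        printf '\n' >&2
    else
        IFS= read -r _kp_pass || :
    fi
    # printf passes backslashes through unchanged; zsh's echo would not.
    printf '%s\n' "$_kp_pass" | "$KP_BIN" "$@" || _kp_rc=$?
    unset _kp_pass   # the password does not outlive the call
    return "$_kp_rc"
}
```

With the three exports from openkp.sh in place, run kp_show entry or kp_show entry password; the read line in openkp.sh is then no longer needed.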