LinuxCommandLibrary

keepassxc-cli

Access KeePassXC databases from the command line

TLDR

Search entries

$ keepassxc-cli search [path/to/database_file] [name]

List the contents of a folder
$ keepassxc-cli ls [path/to/database_file] [path/to/directory]

Add an entry with an auto-generated password
$ keepassxc-cli add [[-g|--generate]] [path/to/database_file] [entry_name]

Delete an entry
$ keepassxc-cli rm [path/to/database_file] [entry_name]

Copy an entry's password to the clipboard
$ keepassxc-cli clip [path/to/database_file] [entry_name]

Copy a TOTP code to the clipboard
$ keepassxc-cli clip [[-t|--totp]] [path/to/database_file] [entry_name]

Generate a passphrase with 7 words
$ keepassxc-cli diceware [[-W|--words]] 7

Generate a password with 16 printable ASCII characters
$ keepassxc-cli generate [[-lUns|--lower --upper --numeric --special]] [[-L|--length]] 16

SYNOPSIS

keepassxc-cli [options] <command> [args]

PARAMETERS

-h, --help
    Show help for the command

-v, --version
    Print version information

--color={auto,never,always}
    Control colored output

--config=<DIR>
    Use custom config directory

--keyfile=<FILE>
    Key file for database unlock (per-command)

--password, -p
    Read master password from stdin (insecure)

--user=<NAME>, -u <NAME>
    Database user for multi-user DBs

--quiet, -q
    Suppress output (per-command)

--write-to-stdout, -w
    Write to stdout instead of clipboard

DESCRIPTION

keepassxc-cli is the command-line interface for KeePassXC, a secure, cross-platform password manager. It enables users to interact with .kdbx databases (versions 3 and 4) directly from the terminal, without launching the GUI.

Key features include viewing entry details, copying passwords/usernames to clipboard, editing or adding entries, generating strong passwords, searching databases, mounting databases as virtual filesystems, and more. It supports master password prompts, keyfiles, and challenge-response for authentication.

Designed for scripting and automation, it's ideal for shell integration, backups, or headless environments like servers. Security is prioritized: passwords are never logged, and operations use secure memory handling. Output can be formatted as JSON for parsing.

Usage requires a KeePassXC database file. Most commands prompt for the master password interactively, avoiding plaintext exposure. Supports YubiKey and hardware keys via challenge-response.

CAVEATS

Avoid --password on shared or multi-user systems because of the security risks; prefer interactive prompts or keyfiles. Not suitable for real-time sync with the GUI. Requires libkeepassxc. Some commands, such as mount, need FUSE. The database must be closed in the GUI before it is edited from the CLI, to avoid corruption.

MAIN COMMANDS

clip <db> <entry>
show [-a] <db> <entry>
edit <db> <entry>
generate [--length N]
locate <db> <search>
ls <db>
mount <db> <mountpoint>

EXAMPLE

keepassxc-cli show --user myuser ~/mydb.kdbx 'My Website'
Copy the password to the clipboard:
keepassxc-cli clip ~/mydb.kdbx 'My Website' password

HISTORY

Introduced in KeePassXC 2.3.0 (2018) as part of the KeePassXC project, a community fork of KeePassX started in 2016. CLI evolved with database format support (KDBX 4.0 in 2.4.0) and features like JSON output (2.6+). Actively maintained for Linux integration.

SEE ALSO

keepassxc(1), pass(1), pwgen(1), gpg(1), fusermount(1)
