kdbx

v0.0.0-...-7238441
Published: Nov 16, 2021 License: MIT Imports: 14 Imported by: 0

README

KDBX — KeePass File Format

KeePass Password Safe is a free and open-source password manager primarily for Windows. It officially supports macOS and Linux operating systems through the use of Mono. Additionally, there are several unofficial ports for Windows Phone, Android, iOS, and BlackBerry devices. KeePass stores usernames, passwords, and other fields, including free-form notes and file attachments, in an encrypted file. This file can be protected by a master password, keyfile, and/or the current Windows account details. By default, the KeePass database is stored on a local file system (as opposed to cloud storage).

https://en.wikipedia.org/wiki/KeePass

fileformat

| ID | DataType | Header Name | Description |
|------|----------|-------------|-------------|
| 0x00 | []byte | EndHeader | defines the end limit for the headers block |
| 0x01 | []byte | Comment | is currently ignored by KeePass and alternate apps |
| 0x02 | []byte | CipherID | represents the UUID of the cipher algorithm |
| 0x03 | uint32 | CompressionFlags | determines if the database is compressed or not |
| 0x04 | []byte | MasterSeed | salt to concatenate to the master key |
| 0x05 | []byte | TransformSeed | seed for AES.Encrypt to generate the master key |
| 0x06 | uint64 | TransformRounds | number of rounds to compute the master key |
| 0x07 | []byte | EncryptionIV | defines the initialization vector of the cipher |
| 0x08 | []byte | ProtectedStreamKey | used to obfuscate some fields of the decrypted file |
| 0x09 | []byte | StreamStartBytes | portion of the decrypted database for verification |
| 0x0a | uint32 | InnerRandomStreamID | algorithm used for individual password obfuscation |

Documentation

Overview

Package kdbx provides basic interfaces to the KDBX File Format Library.

Ref: /usr/share/file/magic/keepass

Ref: https://en.wikipedia.org/wiki/KeePass

0000: 03 d9 a2 9a 67 fb 4b b5 01 00 03 00 02 10 00 31  |....g.K........1|
0010: c1 f2 e6 bf 71 43 50 be 58 05 21 6a fc 5a ff 03  |....qCP.X.!j.Z..|
0020: 04 00 01 00 00 00 04 20 00 e1 0e 5b a9 47 c7 dc  |....... ...[.G..|
0030: 51 86 b9 fb f1 4d 6a 6d af 37 09 2d 97 e3 f1 ec  |Q....Mjm.7.-....|
0040: a4 88 8b 8e 17 59 65 aa 56 07 10 00 04 38 8b 41  |.....Ye.V....8.A|
0050: 2d 0d 96 e9 ed 21 6d 5e 1e 45 68 0c 05 20 00 bc  |-....!m^.Eh.. ..|
0060: 42 4c 8d 6c b5 40 1d c8 9e ba 27 68 3f ef ef 55  |BL.l.@....'h?..U|
0070: a5 e8 aa 77 4c 83 72 07 25 55 27 f7 f8 79 e8 06  |...wL.r.%U'..y..|
0080: 08 00 60 ea 00 00 00 00 00 00 08 20 00 a2 60 65  |..`........ ..`e|
0090: 6e bc 67 5b 44 15 4c d8 4d d1 eb 39 6c a0 2f 99  |n.g[D.L.M..9l./.|
00a0: 66 79 5c 80 95 fa b6 95 13 5e 7e 1d 23 09 20 00  |fy\......^~.#. .|
00b0: 6e 59 a8 c2 12 d6 d9 fa b5 40 9b de 9d 10 4a 2e  |nY.......@....J.|
00c0: 74 ce 72 43 95 6d aa 0e 19 25 e4 9b c8 94 e7 bd  |t.rC.m...%......|
00d0: 0a 04 00 02 00 00 00 00 04 00 0d 0a 0d 0a        |..............|

Types

type Block

type Block struct {
	// contains filtered or unexported fields
}

Block defines the XML data portions.

type Header

type Header struct {
	// contains filtered or unexported fields
}

Header defines the KDBX file header.

type KDBX

type KDBX struct {
	// contains filtered or unexported fields
}

KDBX defines the main library data structure.

func New

func New(name string) *KDBX

New creates and returns a new instance of KDBX.

func (*KDBX) CipherID

func (k *KDBX) CipherID() []byte

CipherID represents the UUID of the cipher algorithm.

The default cipher is AES-CBC with PKCS7 padding.

func (*KDBX) Comment

func (k *KDBX) Comment() []byte

Comment is currently ignored by KeePass and alternate apps.

func (*KDBX) CompressionFlags

func (k *KDBX) CompressionFlags() uint32

CompressionFlags determines if the database is compressed or not.

For now, the compression algorithm seems to be GZip. If this header is set to 0x01, the payload will need to be decompressed before it can be read.

Not compressed header data:

[]byte{0x00, 0x00, 0x00, 0x00}

func (*KDBX) Content

func (k *KDBX) Content() content

func (*KDBX) Decode

func (k *KDBX) Decode() error

Decode reads and processes the KDBX file.

func (*KDBX) EncryptionIV

func (k *KDBX) EncryptionIV() []byte

EncryptionIV defines the initialization vector of the cipher.

KeePass always writes 16 bytes of IV, but the length is not checked when reading a file. An exception may occur in the encryption engine if the database contains the wrong IV length.

An initialization vector (IV) or starting variable (SV) is a fixed-size input to a cryptographic primitive that is typically required to be random or pseudorandom. Randomization is crucial for encryption schemes to achieve semantic security, a property whereby repeated usage of the scheme under the same key does not allow an attacker to infer relationships between segments of the encrypted message.
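The header dump in the package overview can be walked field by field, and the unchecked IV length described above rejected before the bytes reach the cipher. This is an added example, not code from the kdbx package: `Sample`, `ParseHeader`, `Validate` and `Rounds` are hypothetical names, the layout (two 4-byte signatures, a 4-byte version, then fields of 1-byte ID, 2-byte little-endian length and data) is read off that dump, and the 16-byte IV check assumes the default AES-CBC cipher.

```go
package main

import (
	"encoding/binary"
	"encoding/hex"
	"fmt"
)

// Sample is the header dump from the package overview, retyped as hex (three dump rows per line).
var Sample, _ = hex.DecodeString("03d9a29a67fb4bb50100030002100031c1f2e6bf714350be5805216afc5aff03040001000000042000e10e5ba947c7dc" +
	"5186b9fbf14d6a6daf37092d97e3f1eca4888b8e175965aa5607100004388b412d0d96e9ed216d5e1e45680c052000bc" +
	"424c8d6cb5401dc89eba27683fefef55a5e8aa774c837207255527f7f879e806080060ea000000000000082000a26065" +
	"6ebc675b44154cd84dd1eb396ca02f9966795c8095fab695135e7e1d230920006e59a8c212d6d9fab5409bde9d104a2e" +
	"74ce7243956daa0e1925e49bc894e7bd0a0400020000000004000d0a0d0a")

// ParseHeader checks both signatures, then reads ID/length/data fields up to EndHeader (0x00).
func ParseHeader(b []byte) (map[byte][]byte, error) {
	if len(b) < 12 || binary.LittleEndian.Uint32(b) != 0x9AA2D903 || binary.LittleEndian.Uint32(b[4:]) != 0xB54BFB67 {
		return nil, fmt.Errorf("kdbx: bad signature")
	}
	fields := map[byte][]byte{}
	for p := 12; p+3 <= len(b); {
		id, end := b[p], p+3+int(binary.LittleEndian.Uint16(b[p+1:]))
		if end > len(b) {
			break // declared length runs past the buffer
		}
		fields[id], p = b[p+3:end], end
		if id == 0x00 {
			return fields, Validate(fields)
		}
	}
	return nil, fmt.Errorf("kdbx: truncated header")
}

// Validate enforces the fixed sizes: uint32 flags, uint64 rounds, 16-byte IV (AES-CBC assumed).
func Validate(f map[byte][]byte) error {
	if len(f[0x03]) != 4 || len(f[0x06]) != 8 || len(f[0x07]) != 16 || len(f[0x0a]) != 4 {
		return fmt.Errorf("kdbx: bad field size (flags=%d rounds=%d iv=%d stream=%d)", len(f[0x03]), len(f[0x06]), len(f[0x07]), len(f[0x0a]))
	}
	return nil
}

// Rounds decodes TransformRounds; call it only on a header that Validate accepted.
func Rounds(f map[byte][]byte) uint64 { return binary.LittleEndian.Uint64(f[0x06]) }

func main() {
	f, err := ParseHeader(Sample)
	fmt.Printf("fields=%d IV=%x err=%v\n", len(f), f[0x07], err)
}
```

In Go, `cipher.NewCBCDecrypter` panics when the IV length differs from the block size, so the length check belongs before decryption is set up.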

func (*KDBX) EndHeader

func (k *KDBX) EndHeader() []byte

EndHeader defines the end limit for the headers block.

func (*KDBX) FormatVersion

func (k *KDBX) FormatVersion() byte

FormatVersion returns the version of the file format.

- KeePass file format version 1.x is `0x65`
- KeePass file format version 2.x is `0x66`
- KeePass file format version 3.x is `0x67`

func (*KDBX) InnerRandomStreamID

func (k *KDBX) InnerRandomStreamID() uint32

InnerRandomStreamID is the algorithm used for individual password obfuscation.

Inner stream encryption may be one of these types:

- 0x00: none
- 0x01: Arc4Variant
- 0x02: Salsa20

func (*KDBX) IsLockedByArc4Variant

func (k *KDBX) IsLockedByArc4Variant() bool

IsLockedByArc4Variant checks if the passwords are obfuscated by Arc4Variant.

func (*KDBX) IsLockedByNone

func (k *KDBX) IsLockedByNone() bool

IsLockedByNone checks if the passwords are not obfuscated (inner stream type none).

func (*KDBX) IsLockedBySalsa20

func (k *KDBX) IsLockedBySalsa20() bool

IsLockedBySalsa20 checks if the passwords are obfuscated by Salsa20.

func (*KDBX) MasterSeed

func (k *KDBX) MasterSeed() []byte

MasterSeed is the salt to concatenate to the master key.

func (*KDBX) ProtectedStreamKey

func (k *KDBX) ProtectedStreamKey() []byte

ProtectedStreamKey is used to obfuscate some fields of the decrypted file.

func (*KDBX) SetPassphrase

func (k *KDBX) SetPassphrase(password []byte)

SetPassphrase defines the database main password.

func (*KDBX) StreamStartBytes

func (k *KDBX) StreamStartBytes() []byte

StreamStartBytes is a portion of the decrypted database used for verification.

Besides checking if the decryption key is correct, this can also be used to check if the file is corrupt before the entire stream is consumed. The data should have been randomly generated when the file was saved.

func (*KDBX) TransformRounds

func (k *KDBX) TransformRounds() uint64

TransformRounds is the number of rounds used to compute the master key.

func (*KDBX) TransformSeed

func (k *KDBX) TransformSeed() []byte

TransformSeed is the seed for AES.Encrypt to generate the master key.

By default, KeePass writes 32 bytes of transform seed. Any length is accepted when the key is read from a file.
