keepass

command module
v1.0.0
Published: Mar 18, 2026 License: Apache-2.0 Imports: 1 Imported by: 0

README

keepass

keepass is a local-first CLI password manager written in Go.

It is designed around three goals:

  • Security first: one master password unlocks a versioned encrypted vault file.
  • Low-friction: short commands, interactive prompts, and safe defaults.
  • Fast lookup: exact alias match first, then unique prefix match.

What It Stores

Each entry is identified by a unique alias and can contain:

  • username
  • password
  • uri
  • note
  • tags

Example:

  • github -> hellopass
  • gitea -> hellopass

The usernames can be the same. The alias is the unique lookup key.

Security Model

  • Vault file: ~/.keepass/keepass.kp
  • Config file: ~/.keepass/keepass.config.json
  • The config file stores only non-sensitive settings.
  • The vault file stores encrypted entry data.
  • The vault format includes a mandatory format_version.
  • Parsing is strict: unknown versions fail closed.
  • The master password is required to initialize and unlock the vault.
  • Passwords are never stored in plaintext on disk.
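
A sketch of what "mandatory format_version" and "unknown versions fail closed" mean in a parser. This is an added example, not keepass's own code: the JSON envelope, the `ciphertext` field, and the names `header`, `ParseHeader`, `ErrMissingVersion` and `ErrUnknownVersion` are assumptions, since the page does not show the vault's on-disk layout.

```go
package main

import (
	"bytes"
	"encoding/json"
	"errors"
	"fmt"
	"io"
)

const supportedFormatVersion = 1

var (
	ErrMissingVersion = errors.New("format_version is missing")
	ErrUnknownVersion = errors.New("unsupported format_version")
)

// header is a hypothetical JSON envelope; the real vault layout is not shown on the page.
type header struct {
	FormatVersion *int   `json:"format_version"` // pointer: absent differs from 0
	Ciphertext    string `json:"ciphertext"`
}

// ParseHeader returns a header only when every check passes; any doubt is an error.
func ParseHeader(raw []byte) (*header, error) {
	dec := json.NewDecoder(bytes.NewReader(raw))
	dec.DisallowUnknownFields() // unexpected keys are rejected, not ignored
	var h header
	if err := dec.Decode(&h); err != nil {
		return nil, fmt.Errorf("decode header: %w", err)
	}
	if _, err := dec.Token(); err != io.EOF {
		return nil, errors.New("trailing data after header")
	}
	if h.FormatVersion == nil {
		return nil, ErrMissingVersion
	}
	if *h.FormatVersion != supportedFormatVersion {
		return nil, fmt.Errorf("%w: %d", ErrUnknownVersion, *h.FormatVersion)
	}
	return &h, nil
}

func main() {
	_, err := ParseHeader([]byte(`{"format_version":2,"ciphertext":"AAAA"}`)) // constructed input
	fmt.Println(err)
}
```

The version check runs before any key derivation or decryption would, so a file written by a newer or unknown format is never interpreted under version 1 rules.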

Quick Start

Initialize the vault:

keepass init

Add entries:

keepass add github hellopass --uri https://github.com --note "personal" --tag code
keepass add gitea hellopass --uri https://gitea.example.com --note "work" --tag code

When adding an entry:

  • If you type an account password, the CLI asks for confirmation.
  • If you leave it blank, keepass generates one for you.

List entries:

keepass list
keepass list --tag code
keepass list --json

Get a summary:

keepass get github
keepass get gith

Reveal the password explicitly:

keepass get gith --reveal
keepass get gith --json
keepass get gith --json --reveal
keepass get gith --copy
keepass get gith --copy --copy-timeout 0

Update and delete:

keepass update github
keepass delete github

Transfer and recovery:

keepass export --path ./entries.json
keepass import --path ./entries.json --conflict overwrite
keepass backup --path ./backup-bundle
keepass restore --path ./backup-bundle --force

Credential hygiene:

keepass audit --json
keepass rotate github --generate

Rewrite the vault using the current Argon2 settings:

keepass rehash

Inspect effective config:

keepass config
keepass config --json

Audit local vault health:

keepass doctor
keepass doctor --json

Automation Notes (Non-interactive Mode)

When stdin is not a TTY (scripts, CI, pipes), some commands avoid prompting to prevent hanging:

  • keepass add requires alias and username as arguments (no interactive prompts).
  • keepass update requires explicit mutation flags such as --username, --password, --clear-uri, or --clear-note.
  • keepass delete requires --yes to skip confirmation in non-interactive mode.
  • You can force this behavior even in a TTY with --non-interactive.

Exit Codes

  • 1: generic error
  • 2: usage / invalid arguments
  • 3: not initialized (missing config/vault)
  • 4: unlock failed (wrong master password)

Shell Completion

Generate completion scripts:

keepass completion bash
keepass completion zsh
keepass completion fish
keepass completion powershell

Alias Resolution

Lookup rules are:

  1. Exact alias match
  2. Unique prefix match
  3. Ambiguous prefix -> fail with all candidates

Examples:

  • keepass get github -> exact match
  • keepass get gith -> unique prefix match
  • keepass get gi -> fails if both github and gitea exist
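
The three lookup rules above as a small resolver. This is an added example, not keepass's own code: `Resolve`, `ErrNotFound` and `AmbiguousError` are hypothetical names, and rejecting an empty query is a choice made for this example.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
	"strings"
)

// ErrNotFound and AmbiguousError are hypothetical names used only in this example.
var ErrNotFound = errors.New("alias not found")

type AmbiguousError struct {
	Query      string
	Candidates []string
}

func (e *AmbiguousError) Error() string {
	return fmt.Sprintf("alias %q is ambiguous: %s", e.Query, strings.Join(e.Candidates, ", "))
}

// Resolve applies the rules in order: exact match, unique prefix, ambiguous prefix fails.
func Resolve(aliases []string, query string) (string, error) {
	if query == "" {
		return "", ErrNotFound // example's choice: "" would prefix-match every alias
	}
	var candidates []string
	for _, a := range aliases {
		if a == query {
			return a, nil // rule 1 wins even when query also prefixes other aliases
		}
		if strings.HasPrefix(a, query) {
			candidates = append(candidates, a)
		}
	}
	if len(candidates) == 1 {
		return candidates[0], nil // rule 2
	}
	if len(candidates) == 0 {
		return "", ErrNotFound
	}
	sort.Strings(candidates) // rule 3: report every candidate, in a stable order
	return "", &AmbiguousError{Query: query, Candidates: candidates}
}

func main() {
	_, err := Resolve([]string{"github", "gitea"}, "gi") // aliases from the page's example
	fmt.Println(err)
}
```

Failing on an ambiguous prefix instead of picking the first match matters most for `--copy` and `rotate`, where a silent wrong match would expose or change the wrong credential.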

Password Generation

If you do not provide an account password, keepass generates one with secure randomness.

The generator accepts any non-empty alphabet from config.

The default alphabet intentionally avoids most special symbols for compatibility across websites, shells, and manual entry. If your environment requires additional symbols, switch password_generator.preset or set a custom password_generator.alphabet.

Built-in presets:

  • compatible
    • default, optimized for broad website and shell compatibility
  • symbols
    • adds a moderate set of special symbols
  • strict-high-entropy
    • uses a larger mixed alphabet with more symbols

Default settings live in ~/.keepass/keepass.config.json:

{
  "version": 1,
  "vault": {
    "path": "~/.keepass/keepass.kp",
    "format_version": 1
  },
  "security": {
    "argon2id": {
      "time": 3,
      "memory_kib": 262144,
      "threads": 4,
      "key_length": 32
    }
  },
  "password_generator": {
    "default_length": 21,
    "preset": "compatible"
  }
}
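
How a generator can draw from "any non-empty alphabet" without bias, and what a given alphabet and `default_length` buy in entropy. This is an added example, not keepass's own code: `Generate`, `EntropyBits` and `uniqueRunes` are hypothetical names, the sample alphabet is constructed (the page does not list the preset alphabets), and deduplicating the alphabet is a choice made here.

```go
package main

import (
	"crypto/rand"
	"errors"
	"fmt"
	"math"
	"math/big"
)

// uniqueRunes drops repeated characters so no symbol is drawn more often than another.
func uniqueRunes(s string) []rune {
	seen := map[rune]bool{}
	var out []rune
	for _, r := range s {
		if !seen[r] {
			seen[r] = true
			out = append(out, r)
		}
	}
	return out
}

// Generate draws length symbols with crypto/rand; rand.Int is uniform in [0, n), so no modulo bias.
func Generate(alphabet string, length int) (string, error) {
	symbols := uniqueRunes(alphabet)
	if len(symbols) == 0 || length <= 0 {
		return "", errors.New("need a non-empty alphabet and a positive length")
	}
	n := big.NewInt(int64(len(symbols)))
	out := make([]rune, length)
	for i := range out {
		idx, err := rand.Int(rand.Reader, n)
		if err != nil {
			return "", err
		}
		out[i] = symbols[idx.Int64()]
	}
	return string(out), nil
}

// EntropyBits returns length * log2(distinct symbols); 0 for an empty or 1-symbol alphabet.
func EntropyBits(alphabet string, length int) float64 {
	return float64(length) * math.Log2(math.Max(1, float64(len(uniqueRunes(alphabet)))))
}

func main() {
	pw, err := Generate("abcdefghjkmnpqrstuvwxyz23456789", 21) // constructed alphabet
	fmt.Println(pw, err, EntropyBits("abcdefghjkmnpqrstuvwxyz23456789", 21))
}
```

A custom `password_generator.alphabet` that is non-empty but tiny is still accepted by a check like this one, so the entropy estimate is the number to look at when changing the alphabet or length.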

Testing

The project includes:

  • config validation tests
  • password generator tests
  • vault format and crypto tests
  • manager rule tests
  • command flow integration tests
  • a fuzz entry point for vault decoding

Run:

GOCACHE=/tmp/go-cache go test ./...

Release Integrity

GitHub Release artifacts include:

  • per-file SHA256 checksums in SHA256SUMS.txt
  • GitHub artifact attestations for build provenance

Documentation

Overview

Package main provides the keepass CLI entry point.

Directories

Path: Synopsis

cmd
  • cmder/add: Package add builds the command that adds vault entries.
  • cmder/audit: Package audit builds the command that audits credential hygiene.
  • cmder/backup: Package backup builds the command that creates local backup bundles.
  • cmder/common: Package common provides shared helpers for keepass CLI commands.
  • cmder/completion: Package completion builds the command that generates shell completions.
  • cmder/config: Package config builds the command that prints effective configuration.
  • cmder/delete: Package delete builds the command that removes vault entries.
  • cmder/doctor: Package doctor builds the command that audits local keepass health.
  • cmder/export: Package export builds the command that exports unlocked entries.
  • cmder/get: Package get builds the command that prints a single vault entry.
  • cmder/importdata: Package importdata builds the command that imports exported entries.
  • cmder/init: Package init builds the command that initializes the encrypted vault.
  • cmder/list: Package list builds the command that lists vault entries.
  • cmder/rehash: Package rehash builds the command that rewrites the vault with current KDF settings.
  • cmder/restore: Package restore builds the command that restores backup bundles.
  • cmder/root: Package root assembles the keepass root command and subcommands.
  • cmder/rotate: Package rotate builds the command that rotates entry passwords.
  • cmder/update: Package update builds the command that updates existing entries.

Package configs loads, validates, and saves keepass configuration.

internal
  • audit: Package audit inspects keepass config and vault health.
  • clipboard: Package clipboard wraps clipboard copy and timed clearing helpers.
  • credentialaudit: Package credentialaudit analyzes vault entries for credential hygiene issues.
  • home: Package home resolves keepass home directories and file paths.
  • manager: Package manager orchestrates high-level keepass vault operations.
  • password: Package password generates passwords from named alphabets.
  • prompt: Package prompt provides interactive text and secret prompts.
  • testutil: Package testutil provides test-only keepass environments and configs.
  • transfer: Package transfer handles export, import, backup, and restore file formats.
  • vault: Package vault stores, encrypts, and inspects keepass vault data.
  • version: Package version exposes keepass build and release metadata.

pkg
  • files: Package files provides small filesystem helpers used by keepass.
