Provided by: lastpass-cli_1.0.0-1.2ubuntu2_amd64 
NAME
lpass - command line interface for LastPass
SYNOPSIS
lpass [ --version, -v | --help, -h ]
lpass <subcommand> [<args>]
DESCRIPTION
lpass is a simple command line interface to LastPass. It is comprised of several subcommands:
lpass login [--trust] [--plaintext-key [--force, -f]] [--color=auto|never|always] USERNAME
lpass logout [--force, -f] [--color=auto|never|always]
lpass passwd
lpass show [--sync=auto|now|no] [--clip, -c] [--expand-multi, -x] [--all|--username|--password|--url|--notes|--field=FIELD|--id|--name] [--basic-regexp, -G|--fixed-strings, -F] [--color=auto|never|always] {NAME|UNIQUEID}*
lpass ls [--sync=auto|now|no] [--long, -l] [-m] [-u] [--color=auto|never|always] [GROUP]
lpass mv [--sync=auto|now|no] [--color=auto|never|always] {UNIQUENAME|UNIQUEID} GROUP
lpass add [--sync=auto|now|no] [--non-interactive] {--name|--username, -u|--password, -p|--url|--notes|--field=FIELD|--note-type=NOTETYPE} [--color=auto|never|always] {NAME|UNIQUEID}
lpass edit [--sync=auto|now|no] [--non-interactive] {--name|--username, -u|--password, -p|--url|--notes|--field=FIELD} [--color=auto|never|always] {NAME|UNIQUEID}
lpass generate [--sync=auto|now|no] [--clip, -c] [--username=USERNAME] [--url=URL] [--no-symbols] [--color=auto|never|always] {NAME|UNIQUEID} LENGTH
lpass duplicate [--sync=auto|now|no] [--color=auto|never|always] {UNIQUENAME|UNIQUEID}
lpass rm [--sync=auto|now|no] [--color=auto|never|always] {UNIQUENAME|UNIQUEID}
lpass status [--quiet, -q] [--color=auto|never|always]
lpass sync [--background, -b] [--color=auto|never|always]
lpass export [--sync=auto|now|no] [--color=auto|never|always]
lpass share userls SHARE
lpass share useradd [--read-only=[true|false]] [--hidden=[true|false]] [--admin=[true|false]] SHARE USERNAME
lpass share usermod [--read-only=[true|false]] [--hidden=[true|false]] [--admin=[true|false]] SHARE USERNAME
lpass share userdel SHARE USERNAME
lpass share create SHARE
lpass share rm SHARE
lpass share limit [--deny|--allow] [--add|--rm|--clear] SHARE USERNAME [sites]
Synchronization
The --sync options control when the current operation involves a synchronization with the server. If now
is set, and the command makes a change, the change is synchronized before the command exits. If now is
set, and the command displays a value, the local cache is synchronized before the value is shown. If now
is set, and the command is otherwise successful, but synchronization fails, the command will return an
error. If auto is set, and the command makes a change, the change is synchronized to the server in the
background. If auto is set, and the command displays a value, the local cache is synchronized before the
value is shown only if the local cache is more than 5 seconds (or LPASS_AUTO_SYNC_TIME seconds, if set)
old. If no is set, the command will not interact with the server, unless there is a current upload queue
being processed. Any local changes that are not synchronized with the server will exist in a queue of
timestamped requests which will be synchronized on the next occurring synchronization.
The sync command forces a synchronization of the local cache with the LastPass servers, and does not exit
until the local cache is synchronized or until an error occurs. Alternatively, if --background is
specified, the synchronization occurs in a daemonized process.
Agent
An agent process will be spawned in the background on a first successful command, and all subsequent
commands will use the agent for decryption, instead of asking a user for a password. The agent will quit
after one hour, unless the LPASS_AGENT_TIMEOUT environment variable is set to an alternative number of
seconds in which to quit, or 0 to never quit. If the environment variable LPASS_AGENT_DISABLE is set to
1, the agent will not be used.
Password Entry
If available, the pinentry program, part of gpg2(1), may be used for inputting passwords if it is
installed. If unavailable, or if the LPASS_DISABLE_PINENTRY environment variable is set to 1, passwords
will be read from standard input and a prompt will be displayed on standard error.
The program used for inputting passwords may also be configured by setting the LPASS_ASKPASS environment
variable. LPASS_ASKPASS is expected to be a binary that produces a prompt using its first command-line
argument, and outputs the entered password to standard out. ssh-askpass implements this protocol, as does
the following shell script:
#!/bin/bash
echo -n "$*: " >/dev/stderr
stty -echo
read answer
stty echo
echo $answer
Entry Specification
Commands that take a UNIQUENAME will fail if the provided name is used multiple times, and return an
error. Commands may alternatively take a UNIQUEID, which will be the integer ID provided by LastPass for
identifying entries uniquely. Commands that take either a NAME or a UNIQUEID will create a new entry if a
NAME is specified and otherwise overwrite an existing entry if UNIQUEID is specified.
Logging In
The login subcommand will initialize a local cache and configuration folder, then attempt to authenticate
itself with the LastPass servers, using the provided command line credentials or by interactively
prompting (in the case of multifactor or an unprovided password). The --trust option will cause
subsequent logins to not require multifactor authentication. If the --plaintext-key option is specified,
the decryption key will be saved to the hard disk in plaintext. Please note that use of this option is
discouraged except in limited situations, as it greatly decreases the security of data.
The logout subcommand will remove the local cache and stored encryption keys. It will prompt the user to
confirm, unless --force is specified.
The passwd subcommand may be used to change your LastPass password: it will prompt for the old and new
password and then re-encrypt all records with the newly derived key.
Viewing
The show subcommand will display a password or selected field.
The ls subcommand will list names in groups in a tree structure. If the --long or -l option is set, then
also list the last modification time. The -u option may be passed to show the last use (last touch) time
instead, if available. Both times are in GMT.
The export subcommand will dump all account information including passwords to stdout (unencrypted).
Modifying
The edit subcommand will edit the selected field. If --non-interactive is not set, the selected field
will be edited using EDITOR; otherwise the command will accept data until EOF or, unless the notes field
is being edited, the first new line. Please note that when editing interactively, the contents of the
field may be saved on disk in tmp files or in editor swap files, depending on your system configuration.
The generate subcommand will create a randomly generated password for the chosen key name, and optionally
add a url and username while inserting the generated password.
The rm command will remove the specified entry, and the duplicate command will create a duplicate entry
of the one specified, but with a different ID.
Shared Folder Commands
The share command and its accompanying subcommands can be used to manipulate shared folders, if available
to the (enterprise or premium) user. The userls, useradd, usermod, and userdel subcommands may be used to
query and modify membership of the shared folder, while the create and rm share subcommands may be used
to add new, or delete existing shared folders. The normal generate and edit commands may be used to edit
accounts within the shared folder.
The share limit command may be used to manipulate account access lists on the share for a specific user.
Running with no arguments will display the current access levels for a user. The --add, --rm, and --clear
options may be used to add to, remove from, or reset the list. Passing --allow or --deny will make the
list a whitelist or blacklist, respectively.
Clipboard
Commands that take a -c or --clip option will copy the output to the clipboard, using xclip(1) or xsel(1)
on X11-based systems, pbcopy(1) on OSX, or putclip on Cygwin. The command to be used can be overridden by
specifying the LPASS_CLIPBOARD_COMMAND environment variable.
Color Output
The --color option controls colored output to the terminal. By default, commands will use --color=auto,
in which color output is used unless the output is not a tty (for example, when passed to a pipe or
file). If always is used, colors are produced regardless of the output detection. If never is used, no
color escape sequences are emitted.
Configuration
lpass stores configuration in the following locations, in descending order of precedence:
• The directory $LPASS_HOME, if set
• $XDG_CONFIG_HOME/lpass, $XDG_DATA_HOME/lpass, and $XDG_RUNTIME_DIR/lpass (or equivalent defaults), if
at least $XDG_RUNTIME_DIR is set
• $HOME/.lpass
All configuration may be specified via environment variables. Alternatively, a set of environment
variable overrides may be specified in $LPASS_HOME/env in the form of:
VARIABLE1=VALUE1
VARIABLE2=VALUE2
...
ENVIRONMENT VARIABLES
The following environment variables may be used for configuration as described in the section above:
• LPASS_HOME
• LPASS_AUTO_SYNC_TIME
• LPASS_AGENT_TIMEOUT
• LPASS_AGENT_DISABLE
• LPASS_DISABLE_PINENTRY
• LPASS_ASKPASS
• LPASS_CLIPBOARD_COMMAND
EXAMPLES
$ lpass login user@example.com $ lpass generate work/email 20 G</Czo4*c;A+g;KIHkO- $ lpass ls work work email [id: 140613939481239829] $ lpass show -p email G</Czo4*c;A+g;KIHkO- $ lpass add --note-type=ssn work/my-ssn