Provided by: keepassxc_2.7.4+dfsg.1-2_amd64 
NAME
keepassxc-cli - command line interface for the KeePassXC password manager
SYNOPSIS
keepassxc-cli command [options]
DESCRIPTION
keepassxc-cli is the command line interface for the KeePassXC password manager. It
provides the ability to query and modify the entries of a KeePass database, directly from
the command line.
COMMANDS
add [options] <database> <entry>
Adds a new entry to a database. A password can be generated (-g option), or a prompt
can be displayed to input the password (-p option). The same password generation
options as documented for the generate command can be used when the -g option is set.
analyze [options] <database>
Analyzes passwords in a database for weaknesses using offline HIBP SHA-1 hash lookup.
attachment-export [options] <database> <entry> <attachment_name> <export_file>
Exports the content of an attachment to a specified file. Use --stdout option to
instead output the contents of the attachment to stdout.
attachment-import [options] <database> <entry> <attachment_name> <import_file>
Imports the attachment into an entry. An existing attachment with the same name may be
overwritten if the -f option is specified.
attachment-rm <database> <entry> <attachment_name>
Removes the named attachment from an entry.
clip [options] <database> <entry> [timeout]
Copies an attribute or the current TOTP (if the -t option is specified) of a database
entry to the clipboard. If no attribute name is specified using the -a option, the
password is copied. If multiple entries with the same name exist in different groups,
only the attribute for the first one is copied. For copying the attribute of an entry
in a specific group, the group path to the entry should be specified as well, instead
of just the name. Optionally, a timeout in seconds can be specified to automatically
clear the clipboard, the default timeout is 10 seconds, set to 0 to disable.
close
In interactive mode, closes the currently opened database (see open).
db-create [options] <database>
Creates a new database with a password and/or a key file. The key file will be created
if the file that is referred to does not exist. If both the key file and password are
empty, no database will be created.
db-edit [options] <database>
Edits a database. When setting a key file, the key file will be created if the file
that is referred to does not exist.
db-info [options] <database>
Show a database’s information.
diceware [options]
Generates a random diceware passphrase.
edit [options] <database> <entry>
Edits a database entry. A password can be generated (-g option), or a prompt can be
displayed to input the password (-p option). The same password generation options as
documented for the generate command can be used when the -g option is set.
estimate [options] [password]
Estimates the entropy of a password. The password to estimate can be provided as a
positional argument, or using the standard input.
exit
Exits interactive mode. Synonymous with quit.
export [options] <database>
Exports the content of a database to standard output in the specified format (defaults
to XML).
generate [options]
Generates a random password.
help [command]
Displays a list of available commands, or detailed information about the specified
command.
import [options] <xml> <database>
Imports the contents of an XML exported database to a new created database with a
password and/or key file. The key file will be created if the file that is referred to
does not exist. If both the key file and password are empty, no database will be
created. The new database will be in kdbx 4 format.
ls [options] <database> [group]
Lists the contents of a group in a database. If no group is specified, it will default
to the root group.
merge [options] <database1> <database2>
Merges two databases together. The first database file is going to be replaced by the
result of the merge, for that reason it is advisable to keep a backup of the two
database files before attempting a merge. In the case that both databases make use of
the same credentials, the --same-credentials or -s option can be used.
mkdir [options] <database> <group>
Adds a new group to a database.
mv [options] <database> <entry> <group>
Moves an entry to a new group.
open [options] <database>
Opens the given database in a shell-style interactive mode. This is useful for
performing multiple operations on a single database (e.g. ls followed by show).
quit
Exits interactive mode. Synonymous with exit.
rm [options] <database> <entry>
Removes an entry from a database. If the database has a recycle bin, the entry will be
moved there. If the entry is already in the recycle bin, it will be removed
permanently.
rmdir [options] <database> <group>
Removes a group from a database. If the database has a recycle bin, the group will be
moved there. If the group is already in the recycle bin, it will be removed
permanently.
search [options] <database> <term>
Searches all entries that match a specific search term in a database.
show [options] <database> <entry>
Shows the title, username, password, URL and notes of a database entry. Can also show
the current TOTP. Regarding the occurrence of multiple entries with the same name in
different groups, everything stated in the clip command section also applies here.
OPTIONS
General options
--debug-info
Displays debugging information.
-k, --key-file <path>
Specifies a path to a key file for unlocking the database. In a merge operation this
option, is used to specify the key file path for the first database.
--no-password
Deactivates the password key for the database.
-y, --yubikey <slot[:serial]>
Specifies a yubikey slot for unlocking the database. In a merge operation this option
is used to specify the YubiKey slot for the first database.
-q, --quiet <path>
Silences password prompt and other secondary outputs.
-h, --help
Displays help information.
-v, --version
Displays the program version.
Merge options
-d, --dry-run <path>
Prints the changes detected by the merge operation without making any changes to the
database.
--key-file-from <path>
Sets the path of the key file for the second database.
--no-password-from
Deactivates password key for the database to merge from.
--yubikey-from <slot[:serial]>
YubiKey slot for the second database.
-s, --same-credentials
Uses the same credentials for unlocking both databases.
Add and edit options
The same password generation options as documented for the generate command can be used
with those 2 commands when the -g option is set.
-u, --username <username>
Specifies the username of the entry.
--url <url>
Specifies the URL of the entry.
--notes <notes>
Specifies the notes of the entry.
-p, --password-prompt
Uses a password prompt for the entry’s password.
-g, --generate
Generates a new password for the entry.
Edit options
-t, --title <title>
Specifies the title of the entry.
Estimate options
-a, --advanced
Performs advanced analysis on the password.
Analyze options
-H, --hibp <filename>
Checks if any passwords have been publicly leaked, by comparing against the given list
of password SHA-1 hashes, which must be in "Have I Been Pwned" format. Such files are
available from https://haveibeenpwned.com/Passwords; note that they are large, and so
this operation typically takes some time (minutes up to an hour or so).
--okon <okon-cli path>
Use the specified okon-cli program to perform offline breach checks. You can obtain
okon-cli from https://github.com/stryku/okon. When using this option, -H, --hibp must
point to a post-processed okon file (e.g. file.okon).
Clip options
-a, --attribute
Copies the specified attribute to the clipboard. If no attribute is specified, the
password attribute is the default. For example, "-a username" would copy the username
to the clipboard. [Default: password]
-t, --totp
Copies the current TOTP instead of the specified attribute to the clipboard. Will
report an error if no TOTP is configured for the entry.
-b, --best
Try to find and copy to clipboard a unique entry matching the input If a unique
matching entry is found it will be copied to the clipboard. If multiple entries are
found they will be listed to refine the search. (no clip performed)
Db-create, Db-edit and Import options
--set-key-file <path>
Set the key file for the database.
-p, --set-password
Set a password for the database.
Db-create, Import options
-t, --decryption-time <time>
Target decryption time in MS for the database.
Db-edit options
--unset-password <path>
Removes the password for the database.
--unset-key-file <path>
Removes the key file for the database.
Show options
-a, --attributes <attribute>...
Shows the named attributes. This option can be specified more than once, with each
attribute shown one-per-line in the given order. If no attributes are specified and -t
is not specified, a summary of the default attributes is given. Protected attributes
will be displayed in clear text if specified explicitly by this option.
--all
Show all the attributes of the entry.
-s, --show-protected
Shows the protected attributes in clear text.
--show-attachments
Shows the attachment names along with the size of the attachments.
-t, --totp
Also shows the current TOTP, reporting an error if no TOTP is configured for the
entry.
Diceware options
-W, --words <count>
Sets the desired number of words for the generated passphrase. [Default: 7]
-w, --word-list <path>
Sets the Path of the wordlist for the diceware generator. The wordlist must have >
1000 words, otherwise the program will fail. If the wordlist has < 4000 words a
warning will be printed to STDERR. Any diceware-compatible wordlist can be used. Note
however that KeePassXC will NOT verify the PGP signature of signed wordlists.
Export options
-f, --format
Format to use when exporting. Available choices are xml or csv. Defaults to xml.
List options
-R, --recursive
Recursively lists the elements of the group.
-f, --flatten
Flattens the output to single lines. When this option is enabled, subgroups and
subentries will be displayed with a relative group path instead of indentation.
Generate options
-L, --length <length>
Sets the desired length for the generated password. [Default: 16]
-l, --lower
Uses lowercase characters for the generated password. [Default: Enabled]
-U, --upper
Uses uppercase characters for the generated password. [Default: Enabled]
-n, --numeric
Uses numbers characters for the generated password. [Default: Enabled]
-s, --special
Uses special characters for the generated password. [Default: Disabled]
-e, --extended
Uses extended ASCII characters for the generated password. [Default: Disabled]
-x, --exclude <chars>
Comma-separated list of characters to exclude from the generated password. None is
excluded by default.
--exclude-similar
Exclude similar looking characters. [Default: Disabled]
--every-group
Include characters from every selected group. [Default: Disabled]
NOTES
Project homepage
https://keepassxc.org
QuickStart Guide
https://keepassxc.org/docs/KeePassXC_GettingStarted.html
User Guide
https://keepassxc.org/docs/KeePassXC_UserGuide.html
Git repository
https://github.com/keepassxreboot/keepassxc.git
AUTHOR
This manual page was originally written by Manolis Agkopian m.agkopian@gmail.com.
REPORTING BUGS
Bugs and feature requests can be reported on GitHub at
https://github.com/keepassxreboot/keepassxc/issues.
COPYRIGHT
Copyright (C) 2016-2020 KeePassXC Team team@keepassxc.org
This program is free software: you can redistribute it and/or modify it under the terms of
the GNU General Public License, either version 2 or version 3. There is NO WARRANTY, to
the extent permitted by law.
SEE ALSO
keepassxc(1)
AUTHOR
KeePassXC Team