Print OTP from a KeePassXC entry in the Terminal
KeePassXC is a popular open-source password manager that supports storing and generating OTPs (One-Time Passwords).
Introduction
In this post, we will explore how to generate OTPs directly from a KeePassXC database using both Python scripts and the KeePassXC CLI tool. This can be particularly useful for automating logins and enhancing convenience while maintaining a good level of security.
I know that storing passwords and OTPs in the same location is not recommended, but for some users, it can be convenient to have everything in one place. Also, having OTPs for less important accounts stored in KeePassXC can be a good compromise between security and convenience.
I have some scripts that auto-login myself to some services, and I wanted to generate the OTP directly from the .kbdx
file, and I was quite successful in doing so using with some python scripts and the amazing pykeepass module. Although it’s pretty trivial, and the code goes something like this:
from pykeepass import PyKeePass
kp = PyKeePass("db_path.kdbx", password="password")
@dataclass
class Creds:
username: str
password: str
otp: str
def get_creds(entry_name: str) -> Creds:
entry = kp.find_entries(title=entry_name)[0]
pin = pyotp.parse_uri(entry.otp).now()
return Creds(entry.username, entry.password, pin)
this still requires python environment, packages installed, and running a script that is quite slow. As this is running on the desktop, I wanted to have a faster way to generate the OTPs, considering I already have the KeePassXC installed.
Until recently, I had no idea that it has a CLI tool available by default, called keepassxc-cli.exe
(on Windows).
To generate the OTP from the command line, you can use the following command:
keepassxc-cli.exe show -q -t path/to/database.kdbx "entry/path_and/name"
which will ask for the password and print the OTP to the console. Pay attention to quotes when either path to database, or path to entry inside the database (or both) have spaces! This is a great way to generate OTPs quickly and without the need to write any code at all! The only annoying thing is that it asks for the password every time, but I guess it’s a good security feature.
To automate this out completely, you can use the following command:
echo "password" | keepassxc-cli.exe show -q -t path/to/database.kdbx "entry/path_and/name"
where password is in cleartext. This is not recommended, but if you are the only one using the computer, it’s a good compromise between security and convenience.
Note, that this works perfectly in powershell on Windows, and you can use the same command in the terminal on Linux and MacOS.
In general, KeePassXC is a great tool, and I’m happy to see that it has a CLI tool available by default. It’s a great way to generate OTPs quickly and without the need to write any code at all! In addition to that, using CLI is way speedier than launching a python script, there is none of that few seconds annoying delay when you run the script, OTP just pops up instantly.
Conclusion
By leveraging the KeePassXC CLI tool, you can efficiently generate OTPs without the need for additional scripts or software. This method provides a quick and secure way to access your OTPs, making it an excellent choice for users who already have KeePassXC installed. Whether you choose to use Python scripts or the CLI tool, KeePassXC offers versatile solutions to meet your needs.
To contact me, send an email anytime or leave a comment below.