
KeePassXC Integration



Hello, 

I created a workflow that allows you to list the entries of a KeePassXC database and retrieve the password for an entry.


You can find it here: https://github.com/Angoll/KPass

 

I've been using Alfred for a while, basic functions without entering into the workflows world, but recently I'm switching to KeePassXC to store my passwords and I created the workflow to help with the change. I saw that there is some demand for a workflow like this one, but no one created it.

 

It uses the keepassxc-cli to access the password database and Keychain to securely store the password for the keychain.
All code is written in bash and AppleScript (JS) for the configuration setup.

 

Keychain Tip: if you create a new keychain and enable the auto-lock after X time, it will prompt for the password. Or modify the Access Control of the KPass_AlfredWorkflow to ask for key always.

 

Any feedback is welcome ☺️

 

 

- Dependencies:

Apart from Alfred and KeePassXC no external dependencies are required.

 

- Regarding Security:

Security is a big concern for all, so all code of this workflow is plain text; you are welcome to check it. Feel free to reach me if you improve it.

 

- Screenshots:

 

Example of listing entries of a database


 

 

KPass Configuration Script, this will prompt to select the database, keychain and password to configure the integration.


Edited by angoll
Improvement information
Link to comment
  • 2 weeks later...
14 hours ago, woodyc79 said:

Hello!

 

Great stuff, thank you for your effort!

Unfortunately I'm not able to select any kdbx file.. they are greyed out in Catalina...

 

Kind regards,
Chris


Hi Chris, thanks for the feedback,


As a quick fix you can modify the script of the workflow (/usr/bin/osascript) and remove the line: 
  ofType: ["dyn.ah62d4rv4ge8003dcta"] //.kdbx extension type identifier

This won't filter by file type. I checked with two Macs and they provide me with the same identifier.

 

Let me know how it works, later I will try to upload a version without the check

Link to comment
50 minutes ago, angoll said:

I checked with two Macs and they provide me with the same identifier


Dynamic UTIs aren't random. They're encoded in base 32 (IIRC) and say "extension == .xyz". So an unknown file with the extension ".kdbx" will always be given the same dyn.* UTI.

Link to comment
  • 4 months later...
On 4/5/2020 at 12:52 AM, angoll said:

Hello, 

I created a workflow that allows you to list the entries of a KeePassXC database and retrieve the password for an entry.

...

 

Hey, @angoll!

 

Thanks for the heavy lifting. I was looking for such an integration for quite some time. There was no time to create it by myself from scratch.

However, I changed a few things and now it suits me better. I did not create a pull request because I am not sure my functionality is in accordance with your workflow.

 

My KeePass database is big and contains hundreds of entries. Thus, I cannot afford to list all entries. Instead, I changed it to use the "locate" command instead of "ls" for keepassxc-cli. Also, I added some bells and whistles:

  • fixed issue with spaces in entry names
  • filtered out Recycle bin entries
  • removed leading slash for display clarity
  • replaced slashes with arrows to show folder names more clearly

Here's how it looks for me now:

[Screenshot]

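Here's the modified script:

query="{query}"   # Alfred substitutes the typed query here
IFS=$'\n'         # split command output on newlines only, so entry names may contain spaces

export PATH='/usr/local/bin/:/usr/bin'

# "database" and "keychain" are workflow variables set by kpassinit
if [[ -z ${database} ]] || [[ -z ${keychain} ]];
then
    echo "{\"items\": [{\"title\":\"Not configured, please run: kpassinit\"}]}";
else
    # Read the database password from the keychain and pipe it to keepassxc-cli,
    # then drop anything that lives in the Recycle Bin
    keys=( $(security find-generic-password -a "$(id -un)" -c 'kpas' -C 'kpas' -s "AlfredWorkflow" -w "${keychain}" |\
           keepassxc-cli locate -q "$database" "$query" | grep -Ev "\/Recycle Bin\/") )

    if [ $? -eq 0 ]; then
        echo -n '{"items": ['
        first=
        for entry in "${keys[@]}"; do
            # Comma before every item except the first
            if [ -n "$first" ] ; then echo -n ","; fi
            title=${entry/\//}        # remove the leading slash
            title=${title//\// ➜ }    # show folder separators as arrows
            echo -n "{\"uid\":\"${entry}\",\"title\":\"${title}\",\"arg\":\"${entry}\",\"autocomplete\":\"${entry}\",\"icon\":{\"type\":\"png\",\"path\":\"${PWD}/icon.png\"}}";
            first=false
        done
        echo ']}'

    else
        echo -n "{\"items\": [{\"title\":\"Error listing database, please check config\"}]}"
    fi
fi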

 

And there are still two issues:

  • keepassxc-cli was not on PATH and I created a symlink to the /usr/local/bin folder for it to be visible
  • the workflow fails if I enter nothing for the timeout period or the search result is empty. Will try to deal with this later
Edited by Denis The Menace
Link to comment
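Added example, not part of the thread or of the KPass workflow: the script above interpolates entry names straight into JSON, so a name containing a double quote or backslash produces invalid output, and an empty result is not handled. The sketch below assumes one entry path per line on stdin (the shape the script's pipeline produces); the function names and sample entries are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: turn entry paths (one per line on stdin) into Alfred
# Script Filter JSON. Function names are hypothetical.

# Escape backslash, double quote and tab for a JSON string literal.
json_escape() (
    tab=$(printf '\t')
    printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g' -e "s/${tab}/\\\\t/g"
)

entries_to_alfred_json() (
    sep=''
    out='{"items":['
    # "|| [ -n ... ]" keeps a final line that lacks a trailing newline.
    while IFS= read -r entry || [ -n "$entry" ]; do
        [ -n "$entry" ] || continue                      # skip blank lines
        case $entry in */"Recycle Bin"/*) continue ;; esac
        # Display title: drop the leading slash, show folders with arrows.
        title=$(printf '%s' "${entry#/}" | sed 's|/| ➜ |g')
        e=$(json_escape "$entry")
        t=$(json_escape "$title")
        out="${out}${sep}{\"uid\":\"${e}\",\"title\":\"${t}\",\"arg\":\"${e}\",\"autocomplete\":\"${e}\"}"
        sep=','
    done
    # No entries: emit one non-actionable item instead of an empty list.
    [ -n "$sep" ] || out="${out}{\"title\":\"No matching entries\",\"valid\":false}"
    printf '%s]}\n' "$out"
)

# Constructed sample input, not real database contents.
printf '%s\n' '/Web/My "Bank"' '/Recycle Bin/old' '/Mail/a\b' | entries_to_alfred_json
```

Because the function reads stdin, it can sit at the end of the existing `security ... | keepassxc-cli locate ...` pipeline in place of the `grep` and the `for` loop.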
2 hours ago, Denis The Menace said:

I changed it to use the "locate" command instead of "ls" for keepassxc-cli

 

mdfind might be a better choice than locate (if it finds the files). The locate database isn’t on by default on macOS, and it only updates once a day, so it won’t find recently-created entries.


The optimal way is to run ls or find in a background process and cache the results, then use the cache in your workflow.

Link to comment
32 minutes ago, deanishe said:

mdfind might be a better choice than locate (if it finds the files). The locate database isn’t on by default on macOS, and it only updates once a day, so it won’t find recently-created entries.


The optimal way is to run ls or find in a background process and cache the results, then use the cache in your workflow.

 

I'm using KeePassXC v.2.6.0 and there are neither mdfind nor find commands available. I did nothing to enable locate. It worked out of the box.

Link to comment
  • 3 months later...

Anyone try this with a key? I keep having issues when the DB uses a key.

Debug shows:

{"items": [{"title":"Error listing database, please check config: Error: Enter password to unlock /Users/me/Downloads/tmp/test.kdbx: Failed to load key file \"/Users/me/Downloads/tmp/testing.key\": No such file or directory"}]}

 

I tried spitting out the command this workflow generates to run it myself in a terminal and it works fine. I get a list of KeePass entries.

I know the key is the issue because if I remove the key, the workflow works as intended.

 

Any ideas?

Link to comment
  • 4 months later...
  • 8 months later...

Love this workflow and it works perfectly fine for me, but is there a way to modify it so I can retrieve the username (for example by using cmd+enter) alongside the normal command of getting the password? I use a lot of different throwaway addresses and usernames for a bunch of sites, so right now I can only really use this for the sites where I'm already 100% certain I use my "actual" personal email as a username (so I don't have to look up the username in my database manually).

Link to comment
