This Rubygem gives you ways to handle KeePass databases using the KPScript KeePass plugin.
Other Rubygems handling KeePass databases usually handle the databases format themselves and can get obsolete if not kept up-to-date with the new file specifications.
keepass_kpscript uses the official KPScript plugin installed with a KeePass installation to handle databases, so that the risk of specifications' obsolescence is low (unless KPScript changes its command-line interface). However the cons of this approach is that keepass_kpscript needs a local installation of KeePass and KPScript to run.
Works for both Windows and Linux installations of KPScript.
Via gem command line:
gem install keepass_kpscript
If using bundler, add this in your Gemfile:
gem 'keepass_kpscript'
Basically you just need to tell keepass_kpscript the KPScript command-line to be used (with KeepassKpscript.use), and the API will give you access to KPScript API to handle KeePass databases.
require 'keepass_kpscript'
# Let's use the system KeePass (under Windows, enclose it within "" for paths containing spaces like 'Program Files')
kpscript = KeepassKpscript.use('"C:\Program Files\KeePass\KPScript.exe"')
# Open a database with a simple password
database = kpscript.open('C:\Data\MyDatabase.kdbx', password: 'MyP4$sW0rD')
# Read a password for an entry
google_password = database.password_for 'Google Account'
puts "Password for 'Google Account' is #{google_password}"
Now that you get the basic usage, you can see the following sections for more features.
The Kpscript#open method accepts the following parameters while opening a database:
password: The password to be used.password_enc: The encrypted password to be used (can be used in place of the password). You can use the Kpscript#encrypt_password method to generates an encrypted password from a password.key_file: Path to the key file to be used.Example: open a database protected both by a password and a key file, and use an encrypted version of the password to open it.
encrypted_password = kpscript.encrypt_password('MyP4$sW0rD')
# This will not use the real password on KPScript command-line, which is better security wise.
database = kpscript.open('C:\Data\MyDatabase.kdbx', password_enc: encrypted_password, key_file: 'C:\Data\Database.key')
The most versatile method to read database content is Database#entries_string, which maps directly the GetEntryString KPScript method.
It uses chainable selectors to select the entries to be read, based on field names, uuids...
Example: read the URL field of all entries tagged production belonging to the group Azure
database.entries_string(kpscript.select.tags('production').group('Azure'), 'URL').each do |url|
puts "Found URL: #{url}"
end
A more secure way to read secrets from a database is by using Database#with_entries_string that works with a code block and the same parameters as Database#entries_string. The benefits are:
SecretString instead of a String, that will guard the secret from being revealed in common Ruby operations (logging, screen output...), unless the to_unprotected method is used on it. Better way to control accessibility of your secrets!Example: read all the passwords of entries belonging to Google's URL, and make sure those passwords are removed from memory after usage (and even try to leak the password in memory_)
# Try to leak the password (simulating a security vulnerability here)
leaked_password = nil
database.with_entries_string(kpscript.select.fields(URL: '//google.com//'), 'Password').each do |password|
puts "Displayed password: #{password}"
# => Displayed password: XXXXX
puts "Now we REALLY want to display the password: #{password.to_unprotected}"
# => Now we REALLY want to display the password: MyP4$sW0rD
leaked_password = password
end
# Now that we are out of the code block, let's try to use the password again, hehe }:->
puts "Displayed leaked password: #{leaked_password.to_unprotected}"
# => Displayed leaked password:
To know more:
Kpscript#select call are methods defined in the Select class.Database#edit_entries can be used to edit entries. It maps the EditEntry KPScript method functionality.
The API uses the same selectors' logic as Database#entries_string.
Example: add notes and set the icon index 5 to all entries having a Google URL
database.edit_entries(
kpscript.select.fields(URL: '//google.com//'),
fields: { Notes: 'It\'s for Google' },
icon_idx: 5
)
Database#export maps the Export KPScript method to export databases.
database.export('KeePass XML (2.x)', 'my_export.xml')
Database#detach_bins maps the DetachBins KPScript method to extract files from databases.
Be careful that by default this method modifies your database by removing the attached files from it and writing them next to it.
If you want to keep your database intact, you can use the copy_to_dir option and it will extract files without removing them to antoher directory.
# Extract all files from database into the ./my_files sub-folder.
database.detach_bins(copy_to_dir: 'my_files')
# Extract and remove all files from database next to the database file.
database.detach_bins
Please see CHANGELOG for more information on what has changed recently.
Automated tests are done using rspec.
To execute them, first install development dependencies:
bundle install
Then execute rspec
bundle exec rspec
Any contribution is welcome:
The BSD License. Please see License File for more information.
FAQs
Unknown package
We found that keepass_kpscript demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
In this segment of the Risky Business podcast, Feross Aboukhadijeh and Patrick Gray discuss the challenges of tracking malware discovered in open source softare.
Research
Security News
A threat actor's playbook for exploiting the npm ecosystem was exposed on the dark web, detailing how to build a blockchain-powered botnet.
Security News
NVD’s backlog surpasses 20,000 CVEs as analysis slows and NIST announces new system updates to address ongoing delays.