In kpcli 2.7, attempting to open a KDBX file which is encrypted using a key file (or a combination of password and key file) results in an error:
Couldn't load the file test.kdbx: The database key appears invalid or else the database is corrupt.
I tried the syntax mentioned in the documentation (both files were located in the working directory):
open test.kdbx test.key
Looks like key files are only supported for the older KDB format (unless I'm doing something wrong here).
Best regards,
Martin
TICKET CLOSING COMMENT:
This problem is due to a feature change in recent KeePass2. It should be fixed in File::KeePass, not kpcli. There is an open bug with File::KeePass: https://rt.cpan.org/Public/Bug/Display.html?id=97055
Could you please add the output of the "vers" command for your environment?
Thanks,
Lester
Sure, there you go:
VERSIONS
* kpcli: 2.7
* Perl: v5.18.2
* File::KeePass: 2.03
* Term::ShellUI: 0.92
* Term::ReadKey: 2.31
* Term::ReadLine: 1.12
* Capture::Tiny: 0.24
* Data::Password: 1.08
* Term::ReadLine::Gnu: 1.20
* Clipboard: not installed (optional)
ReadLine being used: Term::ReadLine::Gnu
Operating system: linux ("Ubuntu 14.04.1 LTS")
If it is of any help, I can also provide the KDBX and key file I used for testing.
I can't replicate your problem in my environment, which is very similar (at least where it matters):
root@zion:~/bin/kpcli.d# ./kpcli-2.7.pl
KeePass CLI (kpcli-2.7) v2.7 is ready for operation.
Type 'help' for a description of available commands.
Type 'help <command>' for details on individual commands.
kpcli-2.7:/> vers
VERSIONS
* kpcli: 2.7
* Perl: v5.14.2
* File::KeePass: 2.03
* Term::ShellUI: 0.92
* Term::ReadKey: 2.30
* Term::ReadLine: 1.07
* Capture::Tiny: 0.22
* Data::Password: 1.07
* Term::ReadLine::Gnu: 1.20
* Clipboard: not installed (optional)
ReadLine being used: Term::ReadLine::Gnu
Operating system: linux ("Linux Mint 16 Petra")
kpcli-2.7:/> open test2.kdbx test2.key
Please provide the master password: *******
kpcli-2.7:/> ls
=== Groups ===
foo/
test/
Recycle Bin/
kpcli-2.7:/>
Indeed, the environment looks quite similar. Maybe this is somehow related to the database/key files from my test setup (which is why I attached them here). I created them with the "official" KeePass2 client (running under Mono), but also KeePassX 2 Alpha 6 is able to open the DB without complaining.
Password is test123.
If you can access this file on your machine, you have convinced me that the problem lies on my end...
Thank you for your quick responses by the way!
I believe that I see the problem. Your key file is an XML file, and it seems that it is to be parsed and the <data> segment used as the key. I've not seen that before, and it appears that File::KeePass does not support it. I've only seen, and File::KeePass only supports, using the entire contents of the key file as the key. Please test and let me know if you agree with my speculation. If so, you may want to file a bug report with the File::KeePass author. Although I maybe can, I would really rather not try to work around this File::KeePass limitation in kpcli.
You can create a key file with kpcli (use saveas), or just make one on your own filled with random gibberish, and the other programs will properly use it since it will not be XML. I tested that with KeePass 2.20 under mono, and I speculate that it will hold true for KeePassX2 as well.
For now, closing this bug as "won't fix" because the support would most appropriately be added to File::KeePass, not kpcli, and also because the workaround is solid and easy.
I can confirm your suspicion. If I put the Base64 encoded data string from the XML into a binary file, kpcli (or rather File::KeePass) is able to decode the password DB.
I am not sure why KeePass prefers to generate an XML file which merely encapsulates a binary key, instead of simply creating a binary file in the first place (easier editing/readability/indexing is not really a valid point in this context, or is it?). However, this XML approach seems to be the "standard" way of dealing with generated key files, and is supported by other KeePass clients as well. Which is why I hope to see this working in kpcli at some point.
For now, I can live with the workaround. Thank you, Lester, for your time and work!
EDIT: It appears this bug (or rather missing feature) of File::KeePass was already reported a few weeks back, and a patch was proposed at the same time. So it is probably only a matter of patience.
https://rt.cpan.org/Public/Bug/Display.html?id=97055
Last edit: Martin Hiller 2014-08-05
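The workaround described in this post (take the Base64 string from the XML key file, decode it, and store the raw bytes in a binary file) as a Python sketch. This is an added example, not code from kpcli, File::KeePass or any poster; it assumes a KeyFile/Key/Data layout whose Base64 value decodes to 32 bytes, and the sample key, function names and script name are constructed for illustration.

```python
import base64
import os
import sys
import xml.etree.ElementTree as ET

# Constructed sample key file (bytes 0x00..0x1f, not a real key), laid out as
# KeyFile/Key/Data with a Base64 value; this layout is an assumption.
SAMPLE_XML = b"""<?xml version="1.0" encoding="utf-8"?>
<KeyFile>
  <Meta><Version>1.00</Version></Meta>
  <Key><Data>AAECAwQFBgcICQoLDA0ODxAREhMUFRYXGBkaGxwdHh8=</Data></Key>
</KeyFile>
"""


def extract_key(xml_bytes: bytes) -> bytes:
    """Return the raw key stored Base64-encoded in <Key><Data>."""
    root = ET.fromstring(xml_bytes)
    if root.tag != "KeyFile":
        raise ValueError("root element is not <KeyFile>")
    data = root.findtext("Key/Data")
    if data is None or not data.strip():
        raise ValueError("no <Key><Data> value found")
    # validate=True rejects stray characters instead of silently skipping them.
    key = base64.b64decode(data.strip(), validate=True)
    if len(key) != 32:
        raise ValueError(f"expected 32 key bytes, got {len(key)}")
    return key


def write_binary_key(key: bytes, path: str) -> None:
    """Write the raw key to a new file that only the owner can read."""
    # O_EXCL refuses to overwrite an existing file; 0o600 keeps other users out.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(key)


def convert(xml_path: str, out_path: str) -> int:
    """Convert an XML key file to a binary one; returns bytes written."""
    with open(xml_path, "rb") as fh:
        key = extract_key(fh.read())
    write_binary_key(key, out_path)
    return len(key)


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: xmlkey2bin.py <key.xml> <out.key>")
    print(convert(sys.argv[1], sys.argv[2]), "bytes written")
```

The step is a decode, not an encode: the output file holds only the raw key bytes, with no Base64 text or XML around them.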
Martin,
I went to file a bug with the File::KeePass author and found one for this issue, filed four weeks ago, complete with a patch: https://rt.cpan.org/Public/Bug/Display.html?id=97055
I've not tested that patch and a cursory review gave me a little concern that it may have broken the original behavior (which works), but FYI.
Sincerely,
Lester
Thanks, this helped me understand the issue; however, trying to convert it to base64 didn't change the error message. Any help with a demo of the key file? I tried converting it on the web, so maybe I did something wrong, like not declaring the base64 block.
Thanks.