Show protected tags (strings) and allow protecting tags
KeePass Command Line Interface
Brought to you by:
hightowe,
perlsaiyan
I was astonished that kpcli shows the otp strings (which contain secret info) even though I didn't use the -f flag for the show command. When I opened the KeePass database using another app (KeePassDroid), it showed that the otp string was indeed protected.
Last edit: Ahmed El-Mahmoudy 2025-01-01
It seems that I am not understanding something in this. Unless -f is given to the show command, the otp string is hidden as red on red text, just like the password is, as seen in the attached image.
That's not what happens with me. I am using a 3.x KDBX file, and I use the otp string (instead of 2FA-TOTP field in Notes) to put the otpauth:// url, and it is displayed without being redacted as in your screenshot.
Also, I need to add some sensitive info in string fields, such as recovery codes, yet there is no way to protect such info using kpcli.
Last edit: Ahmed El-Mahmoudy 2025-01-04
The screenshot from my prior reply was from a 3.x KDBX file and an entry that had its OTP added by KeePassXC. If that behaves the way that you expect, then I am not sure what issue you are running into. What version of kpcli are you using (run the vers command)? What software added the OTP strings to the kdbx file's entries?
I understand the other request that you described (you've made two requests in one ticket). I am presently focused on understanding the OTP issue, which seems to not behave for you as I would expect it to, before moving on to the feature request.
For a couple of entries, I added the otp string using an old version of kpcli (3.1 to 3.7, I don't recall). One entry was created by kpcli 4.1.2. I opened the database using KeePassDroid, and it showed that the otp string wasn't protected for all those entries, even the one created by kpcli 4.1.2.
I just tried to protect the otp field of an entry using KeePassDroid, and opened the file using kpcli 4.1.2; it still displayed the otp string without red on red.
Because I am unable to replicate this problem, would you please create a small kdbx file that has one or more entries within it that exhibits the concerning behavior and upload it to a reply here? Thanks.
Database password: test
Entry: Internet/Groogle
I don't know if this matters: I don't have File::KDBX on my system.
Last edit: Ahmed El-Mahmoudy 2025-01-06
I managed to install File::KDBX and opened a KDBX 4.1 file that was created by KeePassVault, and the otp entry was redacted indeed.
I opened my KDBX 3.0 file again; it still wasn't redacted. The stats says that File::KeePass was used for that file.
I fixed the KDBXv3 protected strings display bug reported here. It is part of this commit: https://sourceforge.net/p/kpcli/code/66/tree//trunk/kpcli-DEVELOPMENT.pl?diff=6570cda74363ae34c51814f1:65
Note that the bug.kdbx file that you sent did not have the otp string protected in the entry, but the attached file does, in one of the two entries, as shown in the screenshot.
Splendid! Thanks.
Awaiting the protect tag feature.
That worked. Thanks.
This feature was added in SVN commit r67 on the head of the trunk and will be in the next release. https://sourceforge.net/p/kpcli/code/67/
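An added example, not part of the thread and not kpcli's code: a check that lists unprotected secret-bearing strings (such as an `otp` string holding an `otpauth://` URL) and renders protected ones red on red unless forced, as described above. It assumes an unencrypted KeePass 2.x XML export in which protection is marked by a `ProtectInMemory` or `Protected` attribute on `<Value>`; the sample entry and all function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample shaped like a KeePass 2.x XML export (not a real database).
SAMPLE_XML = """<KeePassFile><Root><Group><Name>Internet</Name>
<Entry>
<String><Key>Title</Key><Value>Groogle</Value></String>
<String><Key>Password</Key><Value ProtectInMemory="True">constructed-pw</Value></String>
<String><Key>otp</Key><Value>otpauth://totp/Groogle:demo?secret=CONSTRUCTED</Value></String>
<String><Key>Recovery codes</Key><Value ProtectInMemory="True">1111-2222</Value></String>
</Entry></Group></Root></KeePassFile>"""

PLAIN_FIELDS = {"Title", "UserName", "URL", "Notes"}  # usually left unprotected
RED_ON_RED, RESET = "\x1b[31;41m", "\x1b[0m"


def is_protected(value_el):
    """True when <Value> carries a protection attribute (attribute names assumed)."""
    return any(value_el.get(attr, "").lower() == "true"
               for attr in ("Protected", "ProtectInMemory"))


def render(value_el, force=False):
    """Hide a protected value as red-on-red text unless force is set."""
    text = value_el.text or ""
    if is_protected(value_el) and not force:
        return f"{RED_ON_RED}{text}{RESET}"
    return text


def audit(xml_text):
    """Return (group/title, key) for every non-empty string that is not protected."""
    findings = []
    for group in ET.fromstring(xml_text).iter("Group"):
        for entry in group.findall("Entry"):  # direct children only, skips History
            values = {s.findtext("Key"): s.find("Value") for s in entry.findall("String")}
            t = values.get("Title")
            title = t.text if t is not None and t.text else "?"
            for key, val in values.items():
                if key in PLAIN_FIELDS or val is None or not val.text:
                    continue
                if not is_protected(val):
                    findings.append((f"{group.findtext('Name')}/{title}", key))
    return findings


if __name__ == "__main__":
    for path, key in audit(SAMPLE_XML):
        print(f"unprotected string '{key}' in {path}")
```
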