keeenv - populate env vars from KeePass

I created keeenv so that I can conveniently populate environment variables directly from KeePassXC and run tools that use them from the command line, without resorting to the fairly common, but seemingly wildly insecure, practice of placing credentials and API keys in plain-text configuration and dotenv files, or pasting them directly into the console.

With keeenv, credentials remain securely encrypted within the KeePass database and are only extracted when needed. This avoids potential issues such as accidentally checking credentials files in to source control or saving them on insecure shared storage. An added advantage is that the credentials are stored just once, in a single source of truth, and fetched dynamically, so if a password or API key changes, the new value is set on the next run.

keeenv works by creating a .keeenv file in the local directory that describes where and how to get the required credentials from a KeePass database, using an interpolation syntax to reference the source entry and attribute. This can work alongside or replace existing .env and config files; the .keeenv file can also include non-secret environment variable declarations.

[keepass]
database=/path/to/secrets.kdbx
keyfile=/path/to/keyfile

[env]
SECRET_API_KEY = ${"My Secret"."API Key"}
NOT_SECRET_URL = "https://example.com/api"

Then run the desired command using keeenv run:

keeenv run curl \
  -H "Authorization: Bearer $SECRET_API_KEY" \
  https://api.example.com/api

keeenv will prompt you for the password to open the KeePass database. If you also use a keyfile (optional), make sure it is declared in the .keeenv file.

Alternatively, instead of using keeenv run each time, you can populate the environment variables into the local shell:

eval "$(keeenv eval)"

A number of utility commands are also provided to aid with credential management:

  • keeenv init - create and populate a new .keeenv configuration
  • keeenv add - add a new credential to the KeePass database and populate a corresponding reference in the .keeenv file
  • keeenv list - list the configured environment variable names (but not their values)

For more details, see the command line help or the project README.
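
As an added illustration (not keeenv's own code), the sketch below parses the .keeenv format shown earlier, lists which KeePass entries and attributes a file references, and resolves them against a constructed in-memory stand-in for the database, failing on an unresolved reference instead of exporting an empty value. It assumes only the ${"Entry"."Attribute"} form shown on this page; the function names and sample values are hypothetical.

```python
import configparser
import re

# Constructed sample mirroring the .keeenv file shown above.
SAMPLE_KEEENV = '''
[keepass]
database=/path/to/secrets.kdbx
keyfile=/path/to/keyfile

[env]
SECRET_API_KEY = ${"My Secret"."API Key"}
NOT_SECRET_URL = "https://example.com/api"
'''

# Constructed stand-in for an unlocked database: {entry title: {attribute: value}}.
FAKE_DB = {"My Secret": {"API Key": "constructed-example-value"}}

# Assumption: matches only the ${"Entry"."Attribute"} form shown on this page.
PLACEHOLDER = re.compile(r'\$\{"([^"]+)"\."([^"]+)"\}')

def parse_env_section(text):
    """Return the raw name -> value mapping of the [env] section."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep variable names case-sensitive
    parser.read_string(text)
    return dict(parser["env"])

def references(text):
    """List (variable, entry, attribute) for every secret reference."""
    return [(name, *m.groups())
            for name, raw in parse_env_section(text).items()
            for m in PLACEHOLDER.finditer(raw)]

def resolve(text, db):
    """Build the environment, failing loudly on an unresolved reference."""
    def lookup(match):
        entry, attribute = match.groups()
        try:
            return db[entry][attribute]
        except KeyError:
            raise LookupError(f"no attribute {attribute!r} on entry {entry!r}") from None
    env = {}
    for name, raw in parse_env_section(text).items():
        value = raw.strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]  # unquote literal (non-secret) values
        env[name] = PLACEHOLDER.sub(lookup, value)
    return env
```

Because references() never touches the database, it can be used to review which entries a .keeenv file will read before anyone unlocks the vault.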

Resources

GitHub - scross01/keeenv: Like dotenv, but securely populate environment variables from a Keepass database
KeePassXC Password Manager