https://github.com/hansmi/vault-keepassxc-client

Read Ansible Vault passwords from KeePassXC
https://github.com/hansmi/vault-keepassxc-client

ansible-vault ansible-vault-client cli keepassxc password-manager password-safety password-store python

Last synced: 12 months ago
JSON representation

Read Ansible Vault passwords from KeePassXC

• Host: GitHub
• URL: https://github.com/hansmi/vault-keepassxc-client
• Owner: hansmi
• License: bsd-3-clause
• Created: 2025-05-30T20:54:07.000Z (about 1 year ago)
• Default Branch: main
• Last Pushed: 2025-05-31T19:18:08.000Z (about 1 year ago)
• Last Synced: 2025-06-08T11:39:32.199Z (about 1 year ago)
• Topics: ansible-vault, ansible-vault-client, cli, keepassxc, password-manager, password-safety, password-store, python
• Language: Python
• Homepage:
• Size: 79.1 KB
• Stars: 0
• Watchers: 0
• Forks: 0
• Open Issues: 0
• Metadata Files:
  • Readme: README.md
  • License: LICENSE

Awesome Lists containing this project

README

          
# Ansible Vault client for KeePassXC

`vault-keepassxc-client` is a [client script for Ansible

Vault][ansible-vault-client-scripts] t work with

[KeePassXC][keepassxc]

([keepassxreboot/keepassxc][keepassxc-github]).

Passwords for vaults are retrieved from the password manager.

To remain a tiny tool [F. Zhang's `git-credential-keepassxc`

program][git-credential-keepassxc] is used. It uses KeePassXC's socket

protocol, originally written for web browser extensions.

## Usage

The client can be registered for individual vault IDs in `ansible.cfg`:

```ini

[defaults]

vault_identity_list = test1@/usr/local/bin/vault-keepassxc-client

```

The Git credential client needs to be configured

([documentation][git-credential-keepassxc-config]; caller limitations are left

as an exercise to the reader):

```shell

git-credential-keepassxc configure

```

Password entries in KeePassXC are recognized via URLs of the form

`ansible-vault:///`. They need to be in a group named `Ansible`. Such

entries can be configured manually or via the command line. Without

`--generate-random` the user is prompted for the password.

Example:

```shell

$ vault-keepassxc-client --vault-id test1 --generate-random --set

```

Read the password back:

```shell

$ vault-keepassxc-client --vault-id test1 --get

AbXy[…]1234

```



[ansible-vault-client-scripts]: https://docs.ansible.com/ansible/latest/vault_guide/vault_managing_passwords.html#storing-passwords-in-third-party-tools-with-vault-password-client-scripts

[keepassxc]: https://keepassxc.org/

[keepassxc-github]: https://github.com/keepassxreboot/keepassxc

[keepassxc-protocol]: https://github.com/keepassxreboot/keepassxc-browser/blob/develop/keepassxc-protocol.md

[git-credential-keepassxc]: https://github.com/Frederick888/git-credential-keepassxc

[git-credential-keepassxc-config]: https://github.com/Frederick888/git-credential-keepassxc?tab=readme-ov-file#configuration