Reference Guide

DB Object

class keepassx.db.Database(contents, password=None, key_file_contents=None)

Database representing a KDB file.


Find an entry by exact title.


Find an entry by uuid.

fuzzy_search_by_title(title, ignore_groups=None)

Find an entry by fuzzy match.

This will check things such as:

  • case insensitive matching
  • typo checks
  • prefix matches

If the ignore_groups argument is provided, any matching entries that belong to a group in the ignore_groups list will not be returned. Use this argument to filter out groups you are not interested in.

Returns a list of matches (an empty list is returned if no matches are found).

class keepassx.db.Entry

A password entry in a KDB file.

class keepassx.db.Group

The group associated with an entry.

class keepassx.db.Header(contents)

Header information for the keepass database.

From the KeePass doc:

Database header: [DBHDR]

[ 4 bytes] DWORD    dwSignature1  = 0x9AA2D903
[ 4 bytes] DWORD    dwSignature2  = 0xB54BFB65
[ 4 bytes] DWORD    dwFlags
[ 4 bytes] DWORD    dwVersion       { Ve.Ve.Mj.Mj:Mn.Mn.Bl.Bl }
[16 bytes] BYTE{16} aMasterSeed
[16 bytes] BYTE{16} aEncryptionIV
[ 4 bytes] DWORD    dwGroups        Number of groups in database
[ 4 bytes] DWORD    dwEntries       Number of entries in database
[32 bytes] BYTE{32} aContentsHash   SHA-256 of the plain contents
[32 bytes] BYTE{32} aMasterSeed2    Used for the dwKeyEncRounds AES
                                    master key transformations
[ 4 bytes] DWORD    dwKeyEncRounds  See above; number of transformations


- dwFlags is a bitmap, which can include:
  * PWM_FLAG_SHA2     (1) for SHA-2.
  * PWM_FLAG_RIJNDAEL (2) for AES (Rijndael).
  * PWM_FLAG_ARCFOUR  (4) for ARC4.
  * PWM_FLAG_TWOFISH  (8) for Twofish.
- aMasterSeed is a salt that gets hashed with the transformed user master
  key to form the final database data encryption/decryption key.
  * FinalKey = SHA-256(aMasterSeed, TransformedUserMasterKey)
- aEncryptionIV is the initialization vector used by AES/Twofish for
  encrypting/decrypting the database data.
- aContentsHash: "plain contents" refers to the database file, minus the
  database header, decrypted by FinalKey.
  * PlainContents = Decrypt_with_FinalKey(DatabaseFile - DatabaseHeader)
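The header layout above can be parsed and checked with the standard library alone. The following is an added example, not code from keepassx: all function names are hypothetical, little-endian DWORDs and concatenation inside FinalKey are assumptions, and rejecting a dwFlags value that does not select exactly one cipher is a policy chosen for this example.

```python
import hashlib
import hmac
import struct
from collections import namedtuple

# Layout follows [DBHDR] above; little-endian DWORDs are assumed here.
HEADER = struct.Struct("<4I16s16s2I32s32sI")  # 124 bytes in total
SIGNATURES = (0x9AA2D903, 0xB54BFB65)
FLAGS = {1: "SHA2", 2: "RIJNDAEL", 4: "ARCFOUR", 8: "TWOFISH"}
KdbHeader = namedtuple("KdbHeader", "sig1 sig2 flags version master_seed "
    "encryption_iv groups entries contents_hash master_seed2 key_enc_rounds")


def parse_header(data):
    """Unpack and validate the header at the start of a KDB file."""
    if len(data) < HEADER.size:
        raise ValueError("truncated header")
    hdr = KdbHeader(*HEADER.unpack_from(data))
    if (hdr.sig1, hdr.sig2) != SIGNATURES:
        raise ValueError("signature mismatch: not a KDB file")
    if hdr.flags & ~0xF:
        raise ValueError("unknown bits set in dwFlags")
    # Policy of this example: exactly one cipher bit (2, 4 or 8) may be set.
    if bin(hdr.flags & 0xE).count("1") != 1:
        raise ValueError("dwFlags must select exactly one cipher")
    return hdr


def flag_names(flags):
    """Decode the dwFlags bitmap into the names listed above."""
    return [name for bit, name in sorted(FLAGS.items()) if flags & bit]


def final_key(hdr, transformed_key):
    """FinalKey = SHA-256(aMasterSeed, TransformedUserMasterKey), taken
    here as the hash of the two values concatenated (assumption)."""
    return hashlib.sha256(hdr.master_seed + transformed_key).digest()


def contents_match(hdr, plain_contents):
    """Compare SHA-256 of the decrypted body with aContentsHash."""
    digest = hashlib.sha256(plain_contents).digest()
    return hmac.compare_digest(digest, hdr.contents_hash)


def build_sample(plain=b"constructed plaintext body"):
    """Constructed header for demonstration; every value is made up."""
    return HEADER.pack(*SIGNATURES, 3, 0x00030002, b"\x11" * 16, b"\x22" * 16,
                       1, 2, hashlib.sha256(plain).digest(), b"\x33" * 32, 6000)
```

A failed contents_match after decryption means either a wrong key or a modified file; the header alone cannot distinguish the two.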