keepassx fully supports key files. You can provide a key file
through the -k/--key-file argument or the KP_KEY_FILE
environment variable. A key file can be used either as an alternative to a
password or in combination with a password. By using both a key file and
a password to secure your password database, you will require both something
you know (your password) and something you have (your keyfile) in order to
access the entries in the password database. For more information on key
files, see the keepass docs.
Instead of specifying the -d/--db-file and the -k/--keyfile everytime
you can instead put these values in a config file. The config file is
located at ~/.kpconfig. and is a yaml file with the following format:
db_file: /path/to/dbfile.kdb
key_file: /path/to/keyfile.key
Below is a summary of the options you have available for providing your db/key file:
| Config Option | Command Line Argument | Environment Variable | Config File Name |
|---|---|---|---|
| DB File | -d/--db-file foo.kdb |
KP_DB_FILE=foo.kdb |
db_file: foo.kdb |
| Key File | -k/--key-file foo.key |
KP_KEY_FILE=foo.key |
key_file: foo.key |
In the table above, the precedence is from left to right. So, for example,
the -d option will trump the KP_DB_FILE option, and the KP_DB_FILE
option will trump the db_file: value in the ~/.kpconfig config file.