kdbxtool.parsing.kdbx3

KDBX3 payload encryption and decryption.

This module handles the cryptographic operations for KDBX3 files:

  • Master key derivation from credentials (AES-KDF)

  • Payload decryption and encryption

  • Content hashed block verification

  • Synthetic inner header creation from outer header

KDBX3 structure:

  1. Outer header (plaintext, with 2-byte length fields)

  2. Encrypted payload (content hashed blocks format)

      • Stream start bytes (32 bytes, for verification)

      • Compressed/uncompressed XML database content

Key differences from KDBX4:

  • No header hash or HMAC verification

  • Protected stream key is in outer header (not inner)

  • Uses content hashed blocks instead of HMAC block stream

  • No inner header inside the encrypted payload
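The content hashed blocks layout named above, written out as an added example (not kdbxtool's own code). It assumes the KDBX3 block layout of a 4-byte little-endian index, a 32-byte SHA-256 of the block data, a 4-byte little-endian length and the data, closed by a zero-length block with an all-zero hash, and it assumes the 32 stream start bytes have already been checked and removed; `write_hashed_blocks`, `read_hashed_blocks` and `BlockError` are hypothetical names.

```python
import hashlib
import struct

HEADER = struct.Struct("<I32sI")  # block index, SHA-256 of data, data length


class BlockError(ValueError):
    """A hashed block failed a structural or hash check (hypothetical name)."""


def write_hashed_blocks(data: bytes, block_size: int = 1 << 20) -> bytes:
    """Split data into blocks, each prefixed with index, hash and length."""
    out = bytearray()
    chunks = [data[i:i + block_size] for i in range(0, len(data), block_size)]
    for index, chunk in enumerate(chunks):
        out += HEADER.pack(index, hashlib.sha256(chunk).digest(), len(chunk)) + chunk
    # Terminator: next index, all-zero hash, zero length.
    out += HEADER.pack(len(chunks), bytes(32), 0)
    return bytes(out)


def read_hashed_blocks(stream: bytes) -> bytes:
    """Verify every block and return the concatenated data."""
    out, pos, expected = bytearray(), 0, 0
    while True:
        if len(stream) - pos < HEADER.size:
            raise BlockError("truncated stream: no terminator block")
        index, digest, size = HEADER.unpack_from(stream, pos)
        pos += HEADER.size
        if index != expected:
            raise BlockError(f"block index {index}, expected {expected}")
        if size == 0:
            if digest != bytes(32):
                raise BlockError("terminator block has a non-zero hash")
            return bytes(out)
        chunk = stream[pos:pos + size]
        if len(chunk) != size:
            raise BlockError(f"block {index} is shorter than its length field")
        if hashlib.sha256(chunk).digest() != digest:
            raise BlockError(f"block {index} hash mismatch")
        out += chunk
        pos, expected = pos + size, expected + 1


if __name__ == "__main__":
    xml = b"<KeePassFile>constructed sample</KeePassFile>" * 10  # constructed input
    stream = write_hashed_blocks(xml, block_size=64)
    assert read_hashed_blocks(stream) == xml
    print(len(stream), "bytes,", "round trip ok")
```

The digest is an unkeyed SHA-256 over decrypted data, so it detects corruption but is not a MAC; the outer header is not covered by it, which matches the "No header hash or HMAC verification" item above.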

Functions

read_kdbx3(data[, password, keyfile_data, ...])

Read and decrypt a KDBX3 database.

Classes

Kdbx3Reader(data)

Reader for KDBX3 format databases.

class kdbxtool.parsing.kdbx3.Kdbx3Reader(data)

Bases: object

Reader for KDBX3 format databases.

KDBX3 uses AES-KDF for key derivation and content hashed blocks for payload integrity verification.

Parameters:

data (bytes)

__init__(data)

Initialize reader with KDBX3 file data.

Parameters:

data (bytes) – Complete KDBX3 file contents

Return type:

None

decrypt(password=None, keyfile_data=None, transformed_key=None)

Decrypt the KDBX3 file.

Parameters:
  • password (str | None) – Optional password

  • keyfile_data (bytes | None) – Optional keyfile contents

  • transformed_key (bytes | None) – Optional pre-computed transformed key (skips KDF)

Returns:

DecryptedPayload with header, synthetic inner header, and XML

Raises:
Return type:

DecryptedPayload

kdbxtool.parsing.kdbx3.read_kdbx3(data, password=None, keyfile_data=None, transformed_key=None)

Read and decrypt a KDBX3 database.

Parameters:
  • data (bytes) – Complete KDBX3 file contents

  • password (str | None) – Optional password

  • keyfile_data (bytes | None) – Optional keyfile contents

  • transformed_key (bytes | None) – Optional pre-computed transformed key (skips KDF)

Returns:

DecryptedPayload containing header, inner header, and XML data

Raises:
Return type:

DecryptedPayload