kdbxtool.security.keyfile¶

KeePass keyfile creation and parsing.

This module provides support for all KeePass keyfile formats: - XML v2.0: Recommended format with hex-encoded key and SHA-256 hash verification - XML v1.0: Legacy format with base64-encoded key - RAW_32: Raw 32-byte binary key - HEX_64: 64-character hex string

Example

from kdbxtool import create_keyfile, KeyFileVersion

# Create recommended XML v2.0 keyfile create_keyfile(“my.keyx”, version=KeyFileVersion.XML_V2)

# Create raw 32-byte keyfile create_keyfile(“my.key”, version=KeyFileVersion.RAW_32)

Functions

`create_keyfile`(path[, version])	Create a new keyfile at the specified path.
`create_keyfile_bytes`([version])	Create a new keyfile and return its contents as bytes.
`parse_keyfile`(keyfile_data)	Parse keyfile data and extract the 32-byte key.

Classes

KeyFileVersion(*values)

Supported KeePass keyfile formats.

class kdbxtool.security.keyfile.KeyFileVersion(*values)[source]¶

Bases: StrEnum

Supported KeePass keyfile formats.

XML_V2¶: XML format v2.0 with hex-encoded key and SHA-256 hash verification. This is the recommended format for new keyfiles. Uses .keyx extension.

XML_V1¶: Legacy XML format v1.0 with base64-encoded key. Supported for compatibility. Uses .key extension.

RAW_32¶: Raw 32-byte binary key. Simple but no integrity verification.

HEX_64¶: 64-character hex string (32 bytes encoded as hex).

XML_V2 = 'xml_v2'¶

XML_V1 = 'xml_v1'¶

RAW_32 = 'raw_32'¶

HEX_64 = 'hex_64'¶

kdbxtool.security.keyfile.create_keyfile_bytes(version=KeyFileVersion.XML_V2)[source]¶

Create a new keyfile and return its contents as bytes.

Generates a cryptographically secure 32-byte random key and encodes it in the specified format.

Parameters:: version (KeyFileVersion) – Keyfile format to use. Defaults to XML_V2 (recommended).
Returns:: Keyfile contents as bytes, ready to write to a file.
Return type:: bytes

Example

keyfile_data = create_keyfile_bytes(KeyFileVersion.XML_V2) with open(“my.keyx”, “wb”) as f:

f.write(keyfile_data)

kdbxtool.security.keyfile.create_keyfile(path, version=KeyFileVersion.XML_V2)[source]¶

Create a new keyfile at the specified path.

Generates a cryptographically secure 32-byte random key and saves it in the specified format.

Parameters:

path (str | Path) – Path where the keyfile will be created.
version (KeyFileVersion) – Keyfile format to use. Defaults to XML_V2 (recommended).

Raises:

OSError – If the file cannot be written.

Return type:

None

Example

# Create XML v2.0 keyfile (recommended) create_keyfile(“vault.keyx”)

# Create raw binary keyfile create_keyfile(“vault.key”, version=KeyFileVersion.RAW_32)

kdbxtool.security.keyfile.parse_keyfile(keyfile_data)[source]¶

Parse keyfile data and extract the 32-byte key.

KeePass supports several keyfile formats: 1. XML keyfile (v1.0 or v2.0) - key is base64/hex encoded in XML 2. 32-byte raw binary - used directly 3. 64-byte hex string - decoded from hex 4. Any other size - SHA-256 hashed

Parameters:: keyfile_data (bytes) – Raw keyfile contents.
Returns:: 32-byte key derived from keyfile.
Raises:: InvalidKeyFileError – If keyfile format is invalid or hash verification fails.
Return type:: bytes