npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

@varlock/keepass-plugin

v0.0.2

Published

Varlock plugin to load secrets from KeePass databases (KDBX 4.0) and KeePassXC desktop app

Downloads

138

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Git

Maintainers

philmillmanphilmillmantheotheo

Keywords

varlockpluginvarlock-pluginkeepasskeepassxckdbxpassword-managersecretssecret-managementenv.envdotenvenvironment variablesenv varsconfig

Readme

@varlock/keepass-plugin

npm version GitHub stars license

This package is a Varlock plugin that enables loading secrets from KeePass / KeePassXC databases (KDBX 4.0) into your configuration.

Features

  • KDBX 4.0 support — reads KeePass database files directly via kdbxweb with pure WASM argon2
  • KeePassXC CLI integration — use keepassxc-cli for development workflows
  • Key file support — authenticate with password + optional key file
  • Custom attributes — read any entry field via #attribute syntax
  • Bulk loading with kpBulk() via @setValuesBulk to load all entries in a group
  • Custom attributes object — load all custom fields from a single entry via customAttributesObj=true
  • Multiple instances for accessing different databases

Installation

If you are in a JavaScript based project and have a package.json file, you can either install the plugin explicitly:

npm install @varlock/keepass-plugin

And then register the plugin without any version number:

# @plugin(@varlock/keepass-plugin)
# ---

Otherwise just set the explicit version number when you register it:

# @plugin(@varlock/[email protected])
# ---

See our Plugin Guide for more details.

Modes of operation

File mode (default)

In file mode, the plugin opens and reads .kdbx files directly using kdbxweb. No external CLI is needed.

# @plugin(@varlock/keepass-plugin)
# @initKeePass(dbPath="./secrets.kdbx", password=$KP_PASSWORD)
# ---

CLI mode

When useCli=true, the plugin uses keepassxc-cli to read entries. This is useful during development when you want to leverage KeePassXC's system integration (e.g., YubiKey, Windows Hello). The useCli option can be dynamic — for example, useCli=forEnv(dev) to only use the CLI in development.

# @plugin(@varlock/keepass-plugin)
# @initKeePass(dbPath="./secrets.kdbx", password=$KP_PASSWORD, useCli=true)
# ---

Prerequisites for CLI mode

You must have KeePassXC installed, which includes keepassxc-cli:

# macOS
brew install --cask keepassxc

# Ubuntu/Debian
sudo apt install keepassxc

# Fedora/RHEL
sudo dnf install keepassxc

# Arch
pacman -S keepassxc

See KeePassXC downloads for more options.

Setup

After registering the plugin, initialize it with the @initKeePass root decorator.

Basic setup

# @plugin(@varlock/keepass-plugin)
# @initKeePass(dbPath="./secrets.kdbx", password=$KP_PASSWORD)
# ---

# @type=kdbxPassword @sensitive
KP_PASSWORD=

With key file

# @plugin(@varlock/keepass-plugin)
# @initKeePass(dbPath="./secrets.kdbx", password=$KP_PASSWORD, keyFile="./secrets.keyx")
# ---

Multiple databases

# @plugin(@varlock/keepass-plugin)
# @initKeePass(id=prod, dbPath="./prod.kdbx", password=$KP_PROD_PASSWORD)
# @initKeePass(id=dev, dbPath="./dev.kdbx", password=$KP_DEV_PASSWORD)
# ---

PROD_DB_PASS=kp(prod, "Database/production")
DEV_DB_PASS=kp(dev, "Database/development")

Loading secrets

Once initialized, use the kp() resolver to fetch secrets.

Basic usage

# Fetch password (default attribute) from an entry
DB_PASSWORD=kp("Database/production")

# Fetch a different attribute using #attribute syntax
DB_USER=kp("Database/production#UserName")
DB_URL=kp("Database/production#URL")

# Read a custom string field
API_KEY=kp("Services/stripe#SecretKey")

Inferring entry name from key

When the env var key matches a KeePass entry title, you can omit the entry path:

# Looks up entry titled "DB_PASSWORD", reads the Password field
DB_PASSWORD=kp()

# Looks up entry titled "DB_USER", reads the UserName field
DB_USER=kp("#UserName")

Named attribute param

You can also use the attribute named param as an alternative to #attribute:

DB_USER=kp("Database/production", attribute=UserName)

Entry paths

Entry paths use forward slashes to separate groups from the entry title:

Group/SubGroup/EntryTitle

For example, if your KeePass database has:

  • Root
    • Database
      • production (entry with Password, UserName fields)
    • Services
      • stripe (entry with a custom "SecretKey" field)

You would reference them as "Database/production" and "Services/stripe".

Custom attributes object

Use customAttributesObj=true to load all custom (non-standard) fields from a single entry as a JSON object. This is useful with @setValuesBulk to expand custom fields into env vars:

# Given an entry "Database/production" with custom fields: HOST, PORT, DB_NAME
# @setValuesBulk(kp("Database/production", customAttributesObj=true), createMissing=true)
# ---
HOST=
PORT=
DB_NAME=

Standard fields (Title, Password, UserName, URL, Notes) are excluded — only custom fields are included.

Bulk loading secrets

Use kpBulk() with @setValuesBulk to fetch the Password field from all entries under a group:

# @plugin(@varlock/keepass-plugin)
# @initKeePass(dbPath="./secrets.kdbx", password=$KP_PASSWORD)
# @setValuesBulk(kpBulk(Production), createMissing=true)
# ---

# These will be populated from entries under the "Production" group
DB_PASSWORD=
API_KEY=
# Load all entries from the database root
# @setValuesBulk(kpBulk())

# Load from a specific group
# @setValuesBulk(kpBulk("Services/APIs"))

# With a named instance
# @setValuesBulk(kpBulk(prod, Production))

Entry paths in the JSON output are sanitized to valid env var names (uppercased, non-alphanumeric characters replaced with underscores).

Reference

Root decorators

@initKeePass()

Initialize a KeePass plugin instance.

| Parameter | Type | Required | Description | |-----------|------|----------|-------------| | dbPath | string | yes | Path to the .kdbx database file | | password | string | yes | Master password (typically from an env var like $KP_PASSWORD) | | keyFile | string | no | Path to a key file for additional authentication | | useCli | boolean | no | Use keepassxc-cli instead of reading the file directly (default: false). Can be dynamic, e.g. useCli=forEnv(dev) | | id | string | no | Instance identifier for multiple databases (defaults to _default) |

Data types

kdbxPassword

A sensitive string type for KeePass database master passwords. Validates that the value is a non-empty string.

Resolver functions

kp()

Fetch a single entry field from a KeePass database.

Signatures:

  • kp() — infer entry name from key, read Password field
  • kp(entryPath) — read Password field
  • kp("entryPath#Attribute") — read a specific attribute
  • kp("#Attribute") — infer entry name from key, read a specific attribute
  • kp(entryPath, attribute=X) — read a specific attribute (named param)
  • kp(instanceId, entryPath) — read from a named database instance
  • kp(entryPath, customAttributesObj=true) — return all custom fields as a JSON object

Returns: The field value as a string, or a JSON object string when customAttributesObj=true.

kpBulk()

Fetch the Password field from all entries under a group as a JSON map. Intended for use with @setValuesBulk.

Signatures:

  • kpBulk() — load all entries from the database root
  • kpBulk(groupPath) — load entries under a specific group
  • kpBulk(instanceId, groupPath) — load from a named instance

Returns: JSON string of { "ENTRY_NAME": "password", ... } pairs. Entry paths are sanitized to valid env var names.

Troubleshooting

Invalid credentials

  • Check that the database password is correct
  • If using a key file, verify the path is correct and the file matches the database

Entry not found

  • Entry paths are case-sensitive
  • Use forward slashes to separate groups: "Group/SubGroup/Entry"
  • In CLI mode, list entries with: keepassxc-cli ls <database.kdbx>

keepassxc-cli not found (CLI mode only)

  • Install KeePassXC which includes the CLI (see Prerequisites)
  • Ensure keepassxc-cli is in your PATH

Database file not found

  • Check the dbPath value — it's resolved relative to the working directory
  • Use an absolute path if needed

Resources

  • KeePassXC — cross-platform KeePass-compatible password manager
  • KeePass — original KeePass Password Safe
  • KDBX format — KeePass database format specification
  • kdbxweb — JavaScript KDBX reader library