The KeePass configuration provider implementation for `Microsoft.Extensions.Configuration` allows you to connect a KeePass `.kdbx` database file to your configuration providers for .NET Core, keeping sensitive information in your application secure.
Each entry inside a KeePass database corresponds to a configuration entry. The grouping hierarchy and title of an entry determine the key, while the value is the password field by default. You can change these default mappings by specifying a `resolveKey()` or `resolveValue()` function, or limit the number of entries loaded into the configuration by specifying a `filterEntries()` function. More details are provided in the Advanced Configuration section below.
If no authentication mechanism (like a password or master key file) is required, you can add a KeePass database file by simply passing the path to the database file:

```csharp
builder.AddKeePass("Path/To/KeePass.kdbx");
```
Adding a KeePass database file requiring a password is as simple as specifying it as the second parameter:

```csharp
builder.AddKeePass("Path/To/KeePass.kdbx", "MyPassword");
```
If you used Windows account-based authentication to set up your database file, you will want to set `useCurrentWindowsAccount: true` to use the currently running Windows account at runtime.

```csharp
builder.AddKeePass("Path/To/KeePass.kdbx", useCurrentWindowsAccount: true);
```
Suppose you have a database called `KeePassTestDatabase.kdbx` containing the following three groups and eight entries along with a master password of `1234`:
The available keys are based on the `resolveKey` and `resolveValue` delegate functions. See the Advanced Configuration section for ways to customize the key/value mappings of entries to configuration.
Based on the default key and value resolvers, the following keys are available once the configuration provider is built:
Key | Value |
---|---|
KeePassTestDatabase:Sample Entry:Sammy34 | DayOldEggs458 |
KeePassTestDatabase:Sample Entry:Michael321 | 12345 |
KeePassTestDatabase:Internet:Facebook:Takent33 | jaehai0Ush |
KeePassTestDatabase:Internet:Twitter:Nottlespiche | zouQuo3ia |
KeePassTestDatabase:Internet:npm:FrancesRBenjamin@teleworm.us | ooch5Eeroi |
KeePassTestDatabase:Duplicate Entries:Duplicate Entry:BaconRules | WU1uiERyRsWtv5sDDl1e |
KeePassTestDatabase:Duplicate Entries:Duplicate Entry:BaconRules`1 | WU1uiERyRsWtv5sDDl1e |
KeePassTestDatabase:Duplicate Entries:Duplicate Entry:BaconRules`2 | WU1uiERyRsWtv5sDDl1e |
For security reasons, maybe you don't want to load all of the entries in a KeePass database into the configuration provider. You can specify an optional filter function to limit the entries to only the ones matching a specified condition.
In the following example, we are only allowing password entries containing "Used by web app" in the notes of the entry:

```csharp
builder.AddKeePass("Path/To/KeePass.kdbx",
    filterEntries: database =>
        database.RootGroup.GetEntries(true)
            .Where(entry => entry.Strings.ReadSafe("Notes").Contains("Used by web app")));
```
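
A fuller version of the filter above, as an added example rather than code from this project: it reads the master password from an environment variable instead of a string literal, limits loading to marked entries directly under the `Internet` group of the sample database, and prints the loaded key names (never the values) so you can confirm the filter is as narrow as intended. The variable name `KEEPASS_MASTER_PASSWORD`, passing the password together with `filterEntries` in one call, and the `AddKeePass` extension being in scope through the `using` lines shown are assumptions.

```csharp
using System;
using System.Linq;
using Microsoft.Extensions.Configuration;

// Assumption: the master password is supplied by the host environment under
// this hypothetical variable name, so it never appears in source control.
var masterPassword = Environment.GetEnvironmentVariable("KEEPASS_MASTER_PASSWORD")
    ?? throw new InvalidOperationException("KEEPASS_MASTER_PASSWORD is not set.");

var builder = new ConfigurationBuilder();

// Assumption: the password parameter and filterEntries can be combined in one call.
builder.AddKeePass("Path/To/KeePass.kdbx", masterPassword,
    filterEntries: database =>
        database.RootGroup.GetEntries(true)
            // Only entries whose direct parent group is "Internet" (sample database).
            .Where(entry => entry.ParentGroup?.Name == "Internet")
            // And only those explicitly marked for this application.
            .Where(entry => entry.Strings.ReadSafe("Notes").Contains("Used by web app")));

IConfiguration configuration = builder.Build();

// Audit step: list the key names that were loaded. Values are deliberately
// not printed, so this output is safe to keep in startup logs.
var loadedKeys = configuration.AsEnumerable()
    .Select(pair => pair.Key)
    .OrderBy(key => key, StringComparer.OrdinalIgnoreCase)
    .ToList();

Console.WriteLine($"Loaded {loadedKeys.Count} configuration key(s):");
foreach (var key in loadedKeys)
{
    Console.WriteLine($"  {key}");
}

// Fail fast if the filter matched nothing: a renamed group or an edited note
// would otherwise surface later as a missing secret at the point of use.
if (loadedKeys.Count == 0)
{
    throw new InvalidOperationException("KeePass filter matched no entries.");
}
```

The key list also includes parent section names such as `KeePassTestDatabase:Internet`, because `AsEnumerable()` returns every node of the configuration tree.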
By default, keys are resolved as colon-separated paths based on the group hierarchy and title of the entry, while the value is the one stored in the password field of the entry.
You can override one or both of the ways a key and value are resolved if there are other fields that make more sense for you. In the following example, we are overriding both the key to only be the title of the entry and the value to be the notes field.

```csharp
builder.AddKeePass("Path/To/KeePass.kdbx",
    resolveKey: entry => entry.Strings.ReadSafe("Title"),
    resolveValue: (key, entry) => entry.Strings.ReadSafe("Notes")
);
```
This library is published under the Apache 2.0 license.