Mass import of passwords into vault

Hi,
My small team and I have a lot of passwords in KeePass and we want to mass import them into Vault. I have had a look online and, aside from a few GitHub solutions, I haven't found a way to put them into Vault. The file formats that KeePass supports for export are not JSON, so I'm not sure what to do now.

Thanks

I think the best way to do it is with this Python script: pschmitt/vault-keepass-import (Python script to import secrets from a KeePass 2X database to hashicorp vault)

That's how I did it for 1000+ passwords

I tried this method but it wasn't working for me. For reference, I have Vault installed on a CentOS machine.

Can you give more details?
What's Vault's backend?

It's using raft storage, on a CentOS VM joined to the company's domain.

Maybe if you were a bit more specific what “it wasn’t working for me” meant … like

  • What’s your exact environment? (CentOS version)
  • Which Python version?
  • How did you call the script?
  • Was there an error message (and if so, what did it say)?

Hey Guys,

Sorry to hijack this thread but I'm seeking help with this mass import from KeePass to Vault. I'm running on WSL2 (Ubuntu 20.4 & Python 3.8.10) and already had issues installing the package itself: Installation fails (failed building wheel for cffi) (#9) · Issues · singuliere / vault-keepass-import (I guess it's some Python 3.8 incompatibility because my colleague with 3.7 was able to install it just fine.)

I went on to install it on my own. I cloned the above repo and ran: sudo python3 setup.py install.

I created my own keepass db, with key file and password. But my dry run after failed because of list and str concatenation, which I found weird:

❯ vault-keepass-import /mnt/c/keepass/carlos-test.kdbx -f /mnt/c/keepass/carlos.keyx --dry-run
KeePass password:
Traceback (most recent call last):
  File "/usr/local/bin/vault-keepass-import", line 10, in <module>
    sys.exit(main())
  File "/usr/local/lib/python3.8/dist-packages/vault_keepass_import/main.py", line 221, in main
    importer.export_to_vault(
  File "/usr/local/lib/python3.8/dist-packages/vault_keepass_import/main.py", line 142, in export_to_vault
    entries = self.export_entries(force_lowercase)
  File "/usr/local/lib/python3.8/dist-packages/vault_keepass_import/main.py", line 59, in export_entries
    k = self.get_path(self.prefix, entry)
  File "/usr/local/lib/python3.8/dist-packages/vault_keepass_import/main.py", line 52, in get_path
    path = prefix + path + '/' + entry.title
TypeError: can only concatenate str (not "list") to str
❯ vi /usr/local/lib/python3.8/dist-packages/vault_keepass_import/main.py

I fixed the code with "str(path)" without knowing what consequences that might have.
So after another dry run it all seemed to work. When I then tried to run it without the dry run I got the following (which I think the OP also encountered):

Traceback (most recent call last):
  File "/usr/local/bin/vault-keepass-import", line 10, in <module>
    sys.exit(main())
  File "/usr/local/lib/python3.8/dist-packages/vault_keepass_import/main.py", line 221, in main
    importer.export_to_vault(
  File "/usr/local/lib/python3.8/dist-packages/vault_keepass_import/main.py", line 152, in export_to_vault
    self.kv.create_or_update_secret(path, entry, cas=None)
  File "/usr/local/lib/python3.8/dist-packages/hvac_cli/kv.py", line 191, in create_or_update_secret
    self.kv.create_or_update_secret(path, entry, cas=cas, mount_point=self.mount_point)
  File "/usr/local/lib/python3.8/dist-packages/hvac/api/secrets_engines/kv_v2.py", line 120, in create_or_update_secret
    response = self._adapter.post(
  File "/usr/local/lib/python3.8/dist-packages/hvac/adapters.py", line 106, in post
    return self.request('post', url, **kwargs)
  File "/usr/local/lib/python3.8/dist-packages/hvac/adapters.py", line 262, in request
    response = self.session.request(
  File "/usr/local/lib/python3.8/dist-packages/requests/sessions.py", line 519, in request
    prep = self.prepare_request(req)
  File "/usr/local/lib/python3.8/dist-packages/requests/sessions.py", line 452, in prepare_request
    p.prepare(
  File "/usr/local/lib/python3.8/dist-packages/requests/models.py", line 316, in prepare
    self.prepare_body(data, files, json)
  File "/usr/local/lib/python3.8/dist-packages/requests/models.py", line 466, in prepare_body
    body = complexjson.dumps(json)
  File "/usr/lib/python3/dist-packages/simplejson/__init__.py", line 382, in dumps
    return _default_encoder.encode(obj)
  File "/usr/lib/python3/dist-packages/simplejson/encoder.py", line 296, in encode
    chunks = self.iterencode(o, _one_shot=True)
  File "/usr/lib/python3/dist-packages/simplejson/encoder.py", line 378, in iterencode
    return _iterencode(o, 0)
  File "/usr/lib/python3/dist-packages/simplejson/encoder.py", line 272, in default
    raise TypeError('Object of type %s is not JSON serializable' %
TypeError: Object of type UUID is not JSON serializable

Bit lost here, so any help would be much appreciated!
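The two TypeErrors in the tracebacks above, reproduced and handled before anything is sent to Vault, as an added example that is not part of the original post or of vault-keepass-import. The function names, the "keepass/" prefix and the sample entry are assumptions constructed for illustration; the body shape is the KV version 2 write format ({"data": {...}}).

```python
import json
import uuid

# Constructed sample shaped like the values in the two tracebacks: a group
# path delivered as a list and an entry dict carrying a uuid.UUID object.
SAMPLE_GROUP_PATH = ["Internet", "Mail"]
SAMPLE_ENTRY = {
    "username": "carlos",
    "password": "constructed-example-only",
    "uuid": uuid.UUID("12345678-1234-5678-1234-567812345678"),
}


def naive_path(prefix, path, title):
    """The str(path) workaround: no TypeError, but the list repr ends up in the path."""
    return prefix + str(path) + "/" + title


def vault_path(prefix, path, title):
    """Join the path segments whether the library returns a str or a list."""
    segments = path if isinstance(path, (list, tuple)) else str(path).split("/")
    parts = [prefix.strip("/")] + [str(s) for s in segments] + [title]
    return "/".join(p for p in parts if p)


def raw_dump_fails(entry):
    """Reproduce the second traceback: a UUID value makes json.dumps raise TypeError."""
    try:
        json.dumps(entry)
    except TypeError:
        return True
    return False


def kv2_body(entry):
    """Serialise the entry as a KV v2 write body, converting UUID values to str first."""
    safe = {k: str(v) if isinstance(v, uuid.UUID) else v for k, v in entry.items()}
    return json.dumps({"data": safe}, sort_keys=True)


if __name__ == "__main__":
    print(naive_path("keepass/", SAMPLE_GROUP_PATH, "webmail"))
    print(vault_path("keepass/", SAMPLE_GROUP_PATH, "webmail"))
    print(raw_dump_fails(SAMPLE_ENTRY))
    print(kv2_body(SAMPLE_ENTRY))
```

With str(path) the secret would be written under a path containing the literal text ['Internet', 'Mail'], which is worth checking in the dry-run output before a real import.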

Anyone, please? @fhemberger @kristiant19 @MiraHml :-/

It looks like libkeepass (which is used by vault-keepass-import) does not support KeePass v4 databases as indicated here: https://github.com/libkeepass/libkeepass#libkeepass

Are you using a v4 database (KeePass 2.x)? If so you may want to downgrade the database for migration purposes to see if that works.

Thanks for your feedback! Appreciated! It was indeed v4 (my test db).
If anyone's interested in how to find out what version your DB runs under: https://www.reddit.com/r/KeePass/comments/fgelfe/how_can_you_tell_which_database_version_you_have/fk46s0q?utm_source=share&utm_medium=web2x&context=3
Unfortunately, even after putting it down to v3.1 I'm getting the same issue as mentioned above.

As long as you have CSV to work with, here's a simple way I accomplished this with PowerShell…

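$pass = Import-Csv passwords.csv
foreach ($entry in $pass) {
    # Each CSV row must have name, username and password columns
    $name  = $entry.name
    $key   = $entry.username
    $value = $entry.password
    # Quote both arguments so each reaches vault as a single string
    vault kv put "cubbyhole/$name" "$key=$value"
}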

I am using python==3.7 and pykeepass==3.2.0 with the patch below, and this works for me!

--- site-packages/vault_keepass_import/main.py.orig     2023-07-18 17:27:31.028640000 +0300
+++ site-packages/vault_keepass_import/main.py  2023-07-18 17:25:14.213560000 +0300
@@ -15,6 +15,21 @@
 import hvac_cli.kv
 import hvac_cli.cmd
 import sys
+#--- Small fix for "Object of type UUID is not JSON serializable"
+#--- https://github.com/jazzband/django-push-notifications/issues/586#issuecomment-963930371
+#--- monkey patch start
+from json import JSONEncoder
+from uuid import UUID
+
+old_JSONEncoder_default = JSONEncoder.default
+
+def new_JSONEncoder_default(self, obj):
+    if isinstance(obj, UUID):
+        return str(obj)
+    return old_default(self, obj)
+
+JSONEncoder.default = new_JSONEncoder_default
+#--- monkey patch end
 
 
 logging.basicConfig(format='%(asctime)s %(levelname)s %(message)s')
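
Review bot: the fallback at the end of new_JSONEncoder_default calls old_default, which is never defined; the original method was saved as old_JSONEncoder_default, so any non-UUID object that reaches default() raises NameError instead of the usual TypeError. Change that line to return old_JSONEncoder_default(self, obj). Note also that this patches json.JSONEncoder only: the traceback earlier in the thread ends in simplejson/encoder.py, which has its own encoder class, so on a system where requests picks up simplejson the UUID error would remain. Converting the UUID value to str before the entry is passed to create_or_update_secret would fix both cases without a process-wide monkey patch.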