
API for export all KeePass encrypted zip


tburke


As one of my programmatic secondary backup plans, I wanted to use the API to dump the passwords periodically for safekeeping. I'm reading up on the API call to do the export all, and it's pretty easy to get the data using a simple PowerShell command as described in the documentation.

 

Quote

 # PowerShell Request
 $PasswordstateUrl = 'https://passwordstate/api/passwords/?QueryAll&PreventAuditing=<value>'
 Invoke-Restmethod -Method GET -Uri $PasswordstateUrl -Header @{ "APIKey" = "<apikey>" }

 

Then you can just export that into a CSV by piping it into "Export-CSV". Easy enough, but I really like that in the UI I can export as a KeePass encrypted zip. Before I try and write this myself, is this already available as a sample or API parameter?


Hi Tburke,

 

We generally recommend High Availability for disaster recoveries, as exporting all passwords does not export Private password lists. 

 

Unfortunately, we do not have an option in the UI to zip a file or password protect it, sorry, so a custom script would be the best way to achieve this :)

 

Regards,

Support.


  • 2 weeks later...

So I've decided to just use the winapi, and I can mostly get what I want to get things kind of looking like that KeePass output. I've added the "TreePath" just for reference where things were organized. Using the PasswordState instructions to import a CSV back into KeePass seemed to work well enough. The question I have now is that I'm trying to figure out what "QueryAll" really means. It appears it means only that the user running the winapi can only get all passwords it has permissions to view. That sort of makes sense. As other employees are making shared password lists over time, this isn't going to really get a dump of ALL the shared list passwords from what I can see unless I add this account to those password lists. I just wanted to make sure that was the case or if I was missing something. The only reason I'm dumping them periodically is to make everyone feel warm and fuzzy in case everything goes sideways with the DB (which of course we have backups).

 

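# Query every password this Windows account can view (the winapi authenticates as the caller)
$PasswordstateUrl = 'https://passwordstate/winapi/passwords/?QueryAll&PreventAuditing=<value>'
$results = Invoke-RestMethod -Method GET -UseDefaultCredentials -Uri $PasswordstateUrl

# Keep the KeePass-style columns plus TreePath; -NoTypeInformation stops Windows PowerShell adding a "#TYPE" first line
$results | Select-Object TreePath,PasswordList,Title,UserName,Description,AccountType,URL,ExpiryDate,Password,Notes,GenericField1,GenericField2,GenericField3,GenericField4,GenericField5,GenericField6,GenericField7,GenericField8,GenericField9,GenericField10 | Export-Csv -Path api_export_keepass.csv -NoTypeInformation

# Encrypt the CSV into a 7-Zip archive ("Password" after -p is the archive password)
7z a -pPassword password_dump.7z api_export_keepass.csv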

 

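A hardened variant of the export script in the post above, added here as an example (it is not tburke's or Click Studios' code). The working folder, the `archive.pw` file and `7z` being on the PATH are assumptions; the archive password is still visible in the 7z process arguments while 7z runs.

```powershell
# Added example; not code from the thread. Folder, file names and 7z on PATH are assumptions.
$ErrorActionPreference = 'Stop'
$url     = 'https://passwordstate/winapi/passwords/?QueryAll&PreventAuditing=<value>'
$workDir = Join-Path $env:LOCALAPPDATA 'ps-export'   # assumed; restrict its ACL to the export account
$csv     = Join-Path $workDir 'api_export_keepass.csv'
$archive = Join-Path $workDir ('password_dump_{0:yyyyMMdd}.7z' -f (Get-Date))

# Archive password kept as a DPAPI-protected string, readable only by the same
# account on the same machine. Created once, interactively, with:
#   Read-Host -AsSecureString | ConvertFrom-SecureString | Set-Content "$workDir\archive.pw"
$secure = Get-Content (Join-Path $workDir 'archive.pw') | ConvertTo-SecureString
$plain  = [System.Net.NetworkCredential]::new('', $secure).Password

$fields = @('TreePath','PasswordList','Title','UserName','Description','AccountType',
            'URL','ExpiryDate','Password','Notes') + (1..10 | ForEach-Object { "GenericField$_" })

try {
    $results = Invoke-RestMethod -Method GET -UseDefaultCredentials -Uri $url
    if (-not $results) { throw 'API returned no records; keeping the previous archive.' }
    $results | Select-Object $fields | Export-Csv -Path $csv -NoTypeInformation

    # -mhe=on also encrypts the archive's file listing; -sdel deletes the CSV once it is stored
    & 7z a "-p$plain" -mhe=on -sdel $archive $csv | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "7z exited with code $LASTEXITCODE" }
    "Exported $(@($results).Count) records to $archive"
}
finally {
    # Never leave the plaintext CSV behind, even when the API call or 7z fails
    if (Test-Path $csv) { Remove-Item $csv -Force }
    $plain = $null
}
```

`Remove-Item` is an ordinary delete, not a secure wipe, so the working folder should sit on an encrypted volume that only the export account can read.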

I might have found the answer. It does appear that using the normal API (the "Anonymous API") with the "System Wide API Key" specifically gets those password lists without having to be a viewer of those lists. I was hoping to restrict who could export those passwords by user, and I was hoping by IP as well, just to lock it down further. When using the System Wide API, I haven't found how to restrict that like you can the individual password lists.

 

I've got an idea: maybe put the system wide key in a password list, and restrict the list to my one user and IP to get the API key. Sort of mixing both the winapi and normal API there, but it feels a bit of a hack, but might work. It feels like that system wide API shouldn't be left on, so maybe I'm not realizing the correct way to accomplish this?


Hi tburke,

 

If you are wanting to export all Shared Password Lists, then the System Wide API Key is the only option for this when using the Anonymous API - this is by design. You can certainly restrict which IP Addresses are allowed to make calls via this API, either at the Password List level, or also on the System Settings screen. But what you've queried above about putting the System Wide API key into a Password List is not how the system is designed to work, sorry.

Regards

Click Studios


That part was a bit confusing to me on the Administration tab, in the "System Settings" in the "API Allowed IP Ranges"...when I add say one IP address to this list, the one machine I want to be able to allow "Anonymous API" key, does that mean I have to white list every password list API to include other machines access to those passwordlists?

 

From a password list's "api key & settings"...it sounds like from "note 3" that if I limit that "Anonymous API" key access, I limit all of my password lists to those addresses specified in the system settings. There isn't a specific way to not allow the "Anonymous API" then...is there? It's just that "?QueryAll" that scares me, and I don't want any machine to have access to that particular Anonymous API key. Or, does Note 3 mean only if the "System Wide API Key" is being used, if normal API key for the list or winapi for that password list will work just fine. I'm hoping it's that but just wanted to be sure.

 

Note 1: You can specify ranges in the format of 192.168.1.*, 192.168.*.*, 192.*.*.*, 192.168.1.1-192.168.2.254, or you can specify individual IP Addresses such as 192.168.1.50
Note 2: Specify one IP Address or range per line
Note 3: If making a call which retrieves data from multiple Password Lists (System Wide API Key), no data will be returned for this Password List if the IP Address is invalid
Note 4: You can also set Allowed IP Ranges for all Password Lists from the screen Administration -> Passwordstate Administration -> System Settings -> Allowed IP Ranges tab

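Because the Allowed IP Ranges are the only network control discussed here for calls made with the System Wide API Key, it helps to see exactly which addresses a set of entries admits. The PowerShell below is an added example, not Passwordstate code: it parses the three entry formats from Note 1 (matching semantics are assumed from that note, function names are hypothetical) and reports how many addresses each entry allows, using a constructed list.

```powershell
# Added example; matching semantics are assumed from Note 1, not taken from Passwordstate.
function ConvertTo-IPv4Number {
    param([Parameter(Mandatory)][string]$Address)
    if ($Address -notmatch '^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$') {
        throw "Not a dotted-quad IPv4 address: $Address"
    }
    [long]$n = 0
    foreach ($i in 1..4) {
        $octet = [int]$Matches[$i]
        if ($octet -gt 255) { throw "Octet out of range: $Address" }
        $n = $n * 256 + $octet
    }
    $n
}

function ConvertTo-AllowedRange {
    param([Parameter(Mandatory)][string]$Entry)
    $e = $Entry.Trim()
    if ($e -match '^[\d.]+(\.\*)+$') {                    # 192.168.1.*  (trailing wildcards only)
        $low, $high = ($e -replace '\*', '0'), ($e -replace '\*', '255')
    } elseif ($e -match '^([\d.]+)\s*-\s*([\d.]+)$') {    # 192.168.1.1-192.168.2.254
        $low, $high = $Matches[1], $Matches[2]
    } else {                                              # single address, e.g. 192.168.1.50
        $low = $high = $e
    }
    $lo = ConvertTo-IPv4Number $low
    $hi = ConvertTo-IPv4Number $high
    if ($hi -lt $lo) { throw "Range end precedes start: $Entry" }
    [pscustomobject]@{ Entry = $e; Low = $lo; High = $hi; Addresses = $hi - $lo + 1 }
}

function Test-ApiCallerAllowed {
    param([Parameter(Mandatory)][string]$Address, [Parameter(Mandatory)][string[]]$Entries)
    $ip = ConvertTo-IPv4Number $Address
    $ranges = $Entries | ForEach-Object { ConvertTo-AllowedRange $_ }
    foreach ($r in $ranges) {
        if ($ip -ge $r.Low -and $ip -le $r.High) { return $true }
    }
    $false
}

# Constructed allow-list (entry formats from Note 1) and constructed caller addresses.
$allowed = '192.168.1.50', '192.168.1.1-192.168.2.254', '192.*.*.*'
$allowed | ForEach-Object { ConvertTo-AllowedRange $_ } |
    Sort-Object Addresses -Descending | Format-Table Entry, Addresses
'192.168.1.50', '192.200.7.9', '10.0.0.5' | ForEach-Object {
    '{0,-15} allowed: {1}' -f $_, (Test-ApiCallerAllowed $_ $allowed)
}
```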

Hi tburke,

 

Allowed IP Ranges can be configured in two places:

  • On the Administration -> System Settings -> Allowed IP Ranges tab -> API Allowed IP Ranges. This will apply to all Password Lists in the system
  • Or, you can set this at a per Password List as well, to only limit certain Password Lists and not all - simply edit the properties of a Password List, and make the change

So it sounds like you might want the System Wide settings here. But these restrictions are for any API Keys - either System Wide, or the individual Password List API Keys.

 

Regards

Click Studios


1 hour ago, support said:

So it sounds like you might want the System Wide settings here. But these restrictions are for any API Keys - either System Wide, or the individual Password List API Keys.

 

Ok, so all API keys throughout PasswordState at the system wide settings take priority....but again, no way to reduce the exposure to just the "System Wide API Key" alone. I'd love for that to be added to a future release if possible. It's the one key that has access to everything; it should be limited access by default.


Hello tburke,

 

No, there is no way to limit the use of the System Wide API Key unfortunately, apart from you not sharing it with other users - but this means you also need to restrict access to where your scripts are running.

 

As mentioned, we recommend our HA module over this method, as this is not a proper backup of all your passwords, or settings/permissions/etc.

Regards

Click Studios


Archived

This topic is now archived and is closed to further replies.
