
New import KeePass Powershell script 2018


If you need to import all of your data from KeePass into Passwordstate, this is the preferred process due to the below Powershell script keeping the correct format of your KeePass database.  We'd like to thank one of our customers Fabian Näf from Switzerland for writing this script for us.  He did a great job and it's helped out many of our customers.


This import process will create a Folder with the same name as the XML file you export from KeePass, and it will then replicate the KeePass structure beneath this.


For customers not familiar with Passwordstate, the equivalent of a "Group" in KeePass is a "Password List" in Passwordstate. We also have the concept of "Folders" which allow you to logically group Password Lists together. If you follow the process below, it should create a Folder with the same name as the XML file you export from KeePass, and it will then replicate the KeePass group structure beneath this.


Process Start:

  1. In Passwordstate, identify and note down your System Wide API key from Administration -> System Settings -> API; you will find it under “Anonymous API Settings & Key”.  Ensure you save this page after you generate the new key.
  2. Create a Password List Template under the Passwords Menu -> Password List Templates.  On this template please set the following options and then save the template:
    1. Disable the option to prevent the saving of password records if they are found to be a “Bad Password” (screenshot 1 below)
    2. Uncheck the option so the Password field is not required, and enable the URL field (screenshot 2 below)
  3. Identify and note down the TemplateID by toggling the column visibility (screenshot 3 below)
  4. In KeePass, open your database and export the contents to an XML file.  This can be executed from File -> Export -> KeePass XML (2.x)
  5. Download the script from:  https://www.clickstudios.com.au/downloads/import-keepass-xml.zip
  6. Extract this zip file and open with Powershell ISE or the straight Powershell shell, if you prefer
  7. You will be prompted to answer 5 pieces of information:
    1. The username of an existing Passwordstate user you wish to give Admin rights to all Passwords imported during this process.  Generally you would just enter your own Passwordstate UserID here, as you can modify permissions later. An example format for this is halox\lsand
    2. Your Passwordstate URL
    3. Your System Wide API key
    4. The FolderID you wish to create your KeePass structure under.  Enter '0' to create this in the root of Passwords Home, otherwise find the Folder ID of any Folder you like and use this when running the script
    5. Your PasswordList Template ID
    6. It will ask you to browse to your Exported XML file


That’s it, the script will now run through and automatically read all of the information out of the XML file, and import it into Passwordstate.  From here, there are a few other things you might want to consider doing after the script has run successfully:


  1. You may want to rearrange your folder structure, i.e. possibly you might want to create some new folders for each of your teams, and then drag and drop existing Password Lists/Folders inside of them
  2. Once you are happy with your Folder structure, you should start applying permissions to either Password Lists or Folders using the following video as a guide: https://www.youtube.com/watch?v=QBJE_xD185U
  3. Best practices are to use Security Groups to apply permissions, instead of individual users, if possible


Screenshot 1:



Screenshot 2:



Screenshot 3:








Hey there!


Here's my updated version with some new features

  • Fixes: UTF8, Check for Folder, htmlsafe notes, a little bit of error handling
  • New: Importing additional KeePass Fields with customized mapping
  • New: Adding not handled additional fields to the Notes field
  • New: Support for File-Attachments
  • New: Support for enabled rights propagation and Linked Templates (not setting rights to an admin)

Due to the increased number of options you are no longer prompted for them; instead, fill in all options at the top of the config file (see also below)


Thanks to Fabian for the initial version.


Kind Regards




The configuration section looks like this 



##################### CONFIGURATION

# File to Import (Exported KeePass XML-File)
$KeePassFile = "xxx.xml"


# URL of your PasswordState Server 
# Sample: "https://passwordstate.domain.com:9119"

$global:PasswordstateURL = "https://passwordstateurl:9119"
# Your API Key - Copy Paste from Administration->System Settings->API->Anonymous API Settings & Key
$global:PasswordStateSystemWideAPIKey = ""

# The ID of the Folder to Import into
$global:PasswordstateImportFolderID = ""

# The ID of the PasswordTemplate to use
$global:PasswordstateTemplateID = ""

# Should the Template be copied or linked
# Use "true" or "false" (not $true/$false !)
$global:PasswordstateLinkTemplate = "true"

# Grant Admin Privileges to the Password Links to the following User
# You must leave Blank if the ImportFolder has RightsPropagation Enabled
$global:UserToPermit = ""  

# set to $true if Notes should be mapped to Description
# Otherwise the KeePass field "notes" goes into notes
$global:PasswordstateNotesToDescription = $false


# KeePass has no description field.
# Set this parameter to a RegExp to fill Passwordstate's description field
# sample: "^(desc|description|string2)$"
$global:PasswordstateDescriptionMapping = "^(desc|description|string2)$"


# field mapping 
# here you can map additional keepass fields to the GenericValues 1 - 10 
# use regular expressions
# If there are more Matches the Lines are concatenated
# Sample:
# Fill GenericField 1 with the value of fields named IP-Address, IP-Adresse or IP
# and Fill GenericField 2 with Hostname/FQDN or Host
# $global:PasswordstateGenericMapping = @{
#  1 = "^(IP-Address|IP-Adresse|IP)$"
#  2 = "^(Hostname|FQDN|Host)$"
#  3 = "^EMail$"
#  4 = ""
#  5 = ""
#  6 = ""
#  7 = ""
#  8 = ""
#  9 = ""
#  10 = ""
# }
$global:PasswordstateGenericMapping = @{
    1 = "^(IP-Address|IP-Adresse|IP|FQDN|Host)$"
    2 = ""
    3 = ""
    4 = ""
    5 = ""
    6 = ""
    7 = ""
    8 = ""
    9 = ""
    10 = ""
}

# what to do with strings that are still not handled after the field mapping
# set to "Notes" to Append to the Notes-Field.
# or set to "Description" to add to the Description Field 
# Or set to "GenericField1" .. "GenericField10" to
# append to such generic field - you should set this one to multiline
$global:PasswordstateUndhandledStrings = "Description"

$global:PasswordstateFoldersToFoldersListName = ""

$global:PasswordstateSkipFirstFolder = $true

# TestMode? (Setting to $true does not actually add anything)
$global:PasswordstateWhatIf = $false

##################### END OF CONFIGURATION





Excellent, also from us, thanks for sharing too:)  We have quite a few people using this script now and it's making it very easy for users to come across from Keepass to us.


We appreciate it.



Click Studios.


Hi everyone;


I'm having a problem with the results of the script in Passwordstate.


I can see all the folders but I can't see the passwords.


This is the message I'm receiving.


"It appears a data integrity issue has been detected for the database table 'PasswordListsACL'.

This issue can caused by your session on the Passwordstate web site prematurely ending (which may indicate an issue on your web server), or possibly by modifications being made directly to the Passwordstate database (outside of the Passwordstate application). 

Debug Information:
Method = QueryPasswords
Table = PasswordListsACL
Field = PasswordListACLID
FieldID = 259
Please contact a Security Administrator of Passwordstate, or a support team member of Click Studios to investigate.
Please Note: Your session on Passwordstate has been deliberately ended, and any further activity will cause errors to be displayed on the screen."

We apologise for the inconvenience.


Thank you in advance. 


Hi Pablo,


I wonder if there was some special type of character, maybe in a different language, inside your KeePass export that caused this?  Or maybe something like Antivirus corrupted some data on the way to the database?


What I would first suggest trying, is to completely delete the imported data, but this time disable antivirus on the web server, if you have any.  Then try re-importing the data again.  To quickly delete the data, go to Administration -> Password Folders and delete from here:




If you try running the script again now, does it work on the second import attempt?  If not, can you try looking through your XML file for any special characters and remove them?  


Does this help at all?
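
The check suggested in the reply above (looking through the exported XML for special characters), as an added example that is not part of the original posts or of the import script. It assumes the KeePass 2.x XML layout (Group > Entry > String > Key/Value); the function name and the sample data are constructed for illustration.

```powershell
# Added example (not part of import-keepass-xml): list entries whose fields hold
# characters outside printable ASCII, without printing the values themselves.
# Assumes the KeePass 2.x XML layout: Group > Entry > String > Key / Value.
function Find-KeePassUnusualCharacter {   # hypothetical helper name
    param([Parameter(Mandatory)][xml]$Xml)

    # '//Group/Entry' skips old versions stored under Entry/History/Entry.
    foreach ($entry in $Xml.SelectNodes('//Group/Entry')) {
        $groupNode = $entry.ParentNode.SelectSingleNode('Name')
        $titleNode = $entry.SelectSingleNode("String[Key='Title']/Value")
        $group = if ($null -ne $groupNode) { $groupNode.InnerText } else { '' }
        $title = if ($null -ne $titleNode) { $titleNode.InnerText } else { '' }

        foreach ($field in $entry.SelectNodes('String')) {
            $keyNode   = $field.SelectSingleNode('Key')
            $valueNode = $field.SelectSingleNode('Value')
            if ($null -eq $keyNode -or $null -eq $valueNode) { continue }

            # Anything other than tab, LF, CR and printable ASCII is reported.
            $hits = [regex]::Matches($valueNode.InnerText, '[^\x09\x0A\x0D\x20-\x7E]')
            if ($hits.Count -eq 0) { continue }

            # Report only where the characters are and which UTF-16 code units
            # they are; the field value (possibly a password) is never output.
            $codes = $hits | ForEach-Object { 'U+{0:X4}' -f [int][char]$_.Value } |
                Sort-Object -Unique
            [pscustomobject]@{
                Group = $group; Entry = $title
                Field = $keyNode.InnerText; CodeUnits = $codes -join ' '
            }
        }
    }
}

# Constructed sample export: one entry with non-ASCII characters, one without.
$sample = [xml]@'
<KeePassFile><Root><Group><Name>Servers</Name>
  <Entry>
    <String><Key>Title</Key><Value>web01</Value></String>
    <String><Key>Password</Key><Value ProtectInMemory="True">Stra&#xDF;e&#xA0;1</Value></String>
  </Entry>
  <Entry>
    <String><Key>Title</Key><Value>db01</Value></String>
    <String><Key>Password</Key><Value ProtectInMemory="True">plain-ascii</Value></String>
  </Entry>
</Group></Root></KeePassFile>
'@
Find-KeePassUnusualCharacter -Xml $sample | Format-Table -AutoSize
```

For a real export, pass `[xml](Get-Content -Raw -Encoding UTF8 $KeePassFile)` instead of the sample. The export holds every password in clear text, so delete it once the import has been verified.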





