
New import KeePass Powershell script 2018


If you need to import all of your data from KeePass into Passwordstate, this is the preferred process due to the below Powershell script keeping the correct format of your KeePass database.  We'd like to thank one of our customers Fabian Näf from Switzerland for writing this script for us.  He did a great job and it's helped out many of our customers.

 

This import process will create a Folder with the same name as the XML file you export from KeePass, and it will then replicate the KeePass structure beneath this.

 

For customers not familiar with Passwordstate, the equivalent of a "Group" in KeePass is a "Password List" in Passwordstate. We also have the concept of "Folders" which allow you to logically group Password Lists together. If you follow the process below, it should create a Folder with the same name as the XML file you export from KeePass, and it will then replicate the KeePass group structure beneath this.

 

Process Start:

  1. In Passwordstate, identify and note down your System Wide API key from Administration -> System Settings -> API; you will find it under “Anonymous API Settings & Key”.  Ensure you save this page after you generate the new key.
  2. Create a Password List Template under the Passwords Menu -> Password List Templates.  On this template please set the following options and then save the template:
    1. Disable the option to prevent the saving of password records if they are found to be a “Bad Password” (screenshot 1 below)
    2. Uncheck the option so the Password field is not required, and enable the URL field (screenshot 2 below)
  3. Identify and note down the TemplateID by toggling the column visibility (screenshot 3 below)
  4. In KeePass, open your database and export the contents to a XML file.  This can be executed from File -> Export -> KeePass XML (2.x)
  5. Download the script from:  https://www.clickstudios.com.au/downloads/import-keepass-xml.zip
  6. Extract this zip file and open with Powershell ISE or the straight Powershell shell, if you prefer
  7. You will be prompted to answer 5 pieces of information:
    1. The username of an existing Passwordstate user you wish to give Admin rights to all Passwords imported during this process.  Generally you would just enter your own Passwordstate UserID here, as you can modify permissions later. An example format for this is halox\lsand
    2. Your Passwordstate URL
    3. Your System Wide API key
    4. The FolderID you wish to create your KeePass structure under.  Enter '0' to create this in the root of Passwords Home, otherwise find the Folder ID of any Folder you like and use this when running the script
    5. Your PasswordList Template ID
    6. It will ask you to browse to your Exported XML file

 

That’s it, the script will now run through and automatically read all of the information out of the XML file, and import it into Passwordstate.  From here, there are a few other things you might want to consider doing after the script has run successfully:

 

  1. You may want to rearrange your folder structure.  Ie possibly you might want to create some new folders for each of your teams, and then drag and drop existing Password Lists/Folders inside of them
  2. Once you are happy with your Folder structure, you should start applying permissions to either Password Lists or Folders using the following video as a guide: https://www.youtube.com/watch?v=QBJE_xD185U
  3. Best practices are to use Security Groups to apply permissions, instead of individual users, if possible

 

Screenshot 1:

SNAGHTML14bffe9b.png

 

Screenshot 2:

2018-06-21_9-41-43.png

 

Screenshot 3:

SNAGHTML14c04009.png

 

Regards,

Support
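
Added example, not part of the original post or of the Click Studios script: a read-only audit of a KeePass 2.x XML export that lists the group paths the import would replicate and counts entries with a blank title, without printing any secret values. The function name `Get-KeePassGroupReport` and the embedded sample XML are constructed for illustration.

```powershell
# Added example: audit a KeePass 2.x XML export before importing it.
# The sample XML is constructed; load your own export with
#   [xml]$xml = Get-Content -Raw -Encoding UTF8 .\export.xml
[xml]$xml = @'
<KeePassFile><Root>
  <Group><Name>Password Register</Name>
    <Entry>
      <String><Key>Title</Key><Value>Core switch</Value></String>
      <String><Key>Password</Key><Value ProtectInMemory="True">example</Value></String>
      <String><Key>IP</Key><Value>192.0.2.10</Value></String>
    </Entry>
    <Group><Name>Databases DBA</Name>
      <Entry>
        <String><Key>Title</Key><Value></Value></String>
        <String><Key>Password</Key><Value ProtectInMemory="True">example</Value></String>
      </Entry>
    </Group>
  </Group>
</Root></KeePassFile>
'@

function Get-KeePassGroupReport {
    param([System.Xml.XmlElement]$Group, [string]$ParentPath = '')
    $path = "$ParentPath/$($Group.SelectSingleNode('Name').InnerText)"
    # SelectNodes('Entry') returns direct children only, so the older
    # copies KeePass keeps under <History> are not counted.
    $entries = @($Group.SelectNodes('Entry'))
    $blank = @($entries | Where-Object {
        $t = $_.SelectSingleNode("String[Key='Title']/Value")
        $null -eq $t -or [string]::IsNullOrWhiteSpace($t.InnerText)
    })
    # Only counts are reported; passwords and other values are never output.
    [pscustomobject]@{ Path = $path; Entries = $entries.Count; BlankTitles = $blank.Count }
    foreach ($child in $Group.SelectNodes('Group')) {
        Get-KeePassGroupReport -Group $child -ParentPath $path
    }
}

foreach ($g in $xml.KeePassFile.Root.SelectNodes('Group')) {
    Get-KeePassGroupReport -Group $g
}
```

The export file holds every password in clear text, so keep it on an encrypted volume and delete it once the import has been verified.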

 

 


Hey there!

 

Here's my updated version with some new features

  • Fixes: UTF8, Check for Folder, htmlsafe notes, a little bit of error handling
  • New: Importing additional KeePass Fields with customized mapping
  • New: Adding not handled additional fields to the Notes field
  • New: Support for File-Attachments
  • New: Support for enabled rights propagation and Linked Templates (not setting rights to an admin)

Due to the increased number of options you are no longer prompted for them; instead, fill in all options at the top of the config file (see also below)

 

Thanks to Fabian for the initial version.

 

Kind Regards

 

Folke

 


The configuration section looks like this 
 


 

##################### CONFIGURATION

# File to Import (Exported KeePass XML-File)
$KeePassFile = "xxx.xml"

 

# URL of your PasswordState Server 
# Sample: "https://passwordstate.domain.com:9119"


$global:PasswordstateURL = "https://passwordstateurl:9119"
# Your API Key - Copy Paste from Administration->System Settings->API->Anonymous API Settings & Key
$global:PasswordStateSystemWideAPIKey = ""


# The ID of the Folder to Import into
$global:PasswordstateImportFolderID = ""


# The ID of the PasswordTemplate to use
$global:PasswordstateTemplateID = ""


# Should the Template be copied or linked
# Use "true" or "false" (not $true/$false !)
$global:PasswordstateLinkTemplate = "true"


# Grant Admin Privileges to the Password Links to the following User
# You must leave Blank if the ImportFolder has RightsPropagation Enabled
$global:UserToPermit = ""  


# set to $true if Notes should be mapped to Description
# Otherwise the KeePass field "notes" goes into notes
$global:PasswordstateNotesToDescription = $false

 

# KeePass has no description field.
# Set this parameter to a RegExp to fill Passwordstate's description field
# sample: "^(desc|description|string2)$"
$global:PasswordstateDescriptionMapping = "^(desc|description|string2)$"

 

# field mapping 
# here you can map additional keepass fields to the GenericValues 1 - 10 
# use regular expressions
# If there are more Matches the Lines are concatenated
# Sample:
# Fill GenericField 1 with the value of fields with IP-Address, IP-Adresse or IP
# and Fill GenericField 2 with Hostname/FQDN or Host
# $global:PasswordstateGenericMapping = @{
#  1 = "^(IP-Address|IP-Adresse|IP)$"
#  2 = "^(Hostname|FQDN|Host)$"
#  3 = "^EMail$"
#  4 = ""
#  5 = ""
#  6 = ""
#  7 = ""
#  8 = ""
#  9 = ""
#  10 = ""
# }
$global:PasswordstateGenericMapping = @{
    1 = "^(IP-Address|IP-Adresse|IP|FQDN|Host)$"
    2 = ""
    3 = ""
    4 = ""
    5 = ""
    6 = ""
    7 = ""
    8 = ""
    9 = ""
    10 = ""
}

# what to do with strings if some fields are still not handled after the field mapping
# set to "Notes" to Append to the Notes-Field.
# or set to "Description" to add to the Description Field 
# Or set to "GenericField1" .. "GenericField10" to
# append to such generic field - you should set this one to multiline
$global:PasswordstateUndhandledStrings = "Description"


$global:PasswordstateFoldersToFoldersListName = ""


$global:PasswordstateSkipFirstFolder = $true


# TestMode? (Setting to $true does not really add anything)
$global:PasswordstateWhatIf = $false

##################### END OF CONFIGURATION

 

 

Import-KeePass-XML-2018-08-14.ps1


Excellent, also from us, thanks for sharing too:)  We have quite a few people using this script now and it's making it very easy for users to come across from Keepass to us.

 

We appreciate it.

 

Support,

Click Studios.


Hi everyone;

 

I'm having a problem with the results of the script in Passwordstate.

I can see all the folders but I can't see the passwords.

This is the message I'm receiving.

 

"It appears a data integrity issue has been detected for the database table 'PasswordListsACL'.

This issue can caused by your session on the Passwordstate web site prematurely ending (which may indicate an issue on your web server), or possibly by modifications being made directly to the Passwordstate database (outside of the Passwordstate application). 

Debug Information:
Method = QueryPasswords
Table = PasswordListsACL
Field = PasswordListACLID
FieldID = 259
 
Please contact a Security Administrator of Passwordstate, or a support team member of Click Studios to investigate.
 
Please Note: Your session on Passwordstate has been deliberately ended, and any further activity will cause errors to be displayed on the screen."
 

We apologise for the inconvenience.

 

Thank you in advance. 


Hi Pablo,

 

I wonder if there was some special type of character that might be in a different language, inside your KeePass export that caused this?  Or maybe something like Antivirus corrupted some data on the way to the database?

 

What I would first suggest trying, is to completely delete the imported data, but this time disable antivirus on the web server, if you have any.  Then try re-importing the data again.  To quickly delete the data, go to Administration -> Password Folders and delete from here:

 

2018-09-07_13-56-57.png

 

If you try running the script again now, does it work on the second import attempt?  If not, can you try looking through your XML file for any special characters and remove them?  

 

Does this help at all?

 

Regards,

Support

 

 


I've used this process before successfully, but I'm getting the same error as the above user now on build 8491:

 

Debug Information:
Method = QueryPasswords
Table = PasswordListsACL
Field = PasswordListACLID
FieldID = 496

 

(The newer version posted by the other user above gives me the same issue)

(I tried disabling antivirus)


Hi Khurram

 

Do you get any errors from the PowerShell script itself? Could you post them?

Do you use the version with the WinAPI or the Version which uses the API with the Systemwide API Key?

Could you try to run the script with another user or try to import to a different folder?

 

Best regards,

 

Fabian

 


TLDR version: I tried importing with a different user account (the service account we use for Passwordstate). That user account gets the same error on all imported password lists, but once I converted the permissions model of the import folder and added my user account with inheritance to all password lists, my user account is able to see all the passwords. So I guess this is a win of sorts but I'm not sure if I should continue or if these password lists are still broken in some way behind the scenes.

(The imported user account still gets the same errors on all lists except blank ones)

 

In response to your questions :

I don't get any errors from the PowerShell script (unless it writes a log or something I'm not aware of), except the original version posted does give an error for one entry which has a blank title, which I've been ignoring as I was going to fix that later. I tried without that entry with no difference.

I'm not sure how to determine what API version I'm running, but I'm using the anonymous API key when prompted (or in the config file for Folke's version above). I'm pretty certain the process was pretty much identical when I imported a different KeePass XML file previously; that would have been around July/August but I've re-imaged since then so I don't have a copy of that script I ran.

I also tried Folke's version which seems to imply you can just inherit permissions instead of supplying an account, but that doesn’t seem to work at all; I get an Object reference not set to object error as below.

 

Connection and APIKey OK, got 25 Folders
Found folder \Import
Folder "/Password Register" will be created
Folder "/Password Register/Databases DBA" will be created
Invoke-Restmethod : [{"errors":[{"message":"Invalid API Call"},{"phrase":"Error = Object reference not set to an instance of an object."}]}]
At C:\temp\pw2\Import-KeePass-XML-2018-08-14.ps1:185 char:23
+ ...   $result = Invoke-Restmethod -Method POST -Uri $PasswordstateURLFull ...
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-RestMethod], WebException
    + FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeRestMethodCommand
Error creaing PasswordList. Check $global:PasswordstateImportFolderID

 

I tried deleting and recreating the folder i'm importing into as well.

I tried three different browsers (firefox, chrome and IE 11)

I tried the import from my workstation (Windows 10 1703) and the server (2012 R2)


Hi Fabian,

Not sure if Khurram's issue is the same as your other post, as it looks like he is using the version with API keys, yet your other forum comment refers to the use of the WinAPI.

We'll do some more testing with your scripts when we have the chance, to see if there is some sort of conflict here causing these issues - personally we couldn't fault your script which uses the API Keys, but we don't recall doing much testing with your WinAPI version.

Regards

Click Studios


I've had a quick read of the other issue, but I have to admit API usage isn't my strong suit so I'm not sure how related it is.

I've got a not very urgent requirement to migrate some more KeePass passwords into our Passwordstate; is the recommendation to hold off for now or is there another, known working way that you are recommending?

 

Khurram


Hi Khurram

You could try to import to a different folder.

Or you also could try to use the WinAPI version, but this one creates private passwordlists. You would need to convert them or change the script to create shared passwordlists.

Best regards,

Fabian


Hello Khurram,

 

With your API script, do you know if you were adding passwords into a Password List that was for a Remote Site Location other than Internal? If so, build 8519 released today might fix this issue for you.

Regards

Click Studios


Sorry, just got back to this, we don't have any sites other than Internal.

I think my problem is slightly different, in that the import works fine, it's just whichever user account I use for the import always gets the error. Other users, once their permissions are assigned, are able to see the password lists fine.

 

I tried again with the latest version, 8519, same result.

 

It appears a data integrity issue has been detected for the database table 'PasswordListsACL'.

This issue can caused by your session on the Passwordstate web site prematurely ending (which may indicate an issue on your web server), or possibly by modifications being made directly to the Passwordstate database (outside of the Passwordstate application).

 

Debug Information:
Method = QueryPasswords
Table = PasswordListsACL
Field = PasswordListACLID
FieldID = 1105


Hello Khurram,

Can you confirm if the UserID specified at the beginning of this script is correct i.e. is it in the format of Domain\UserID?

Also, using the following article as a guide, can you email us a copy of the data in the PasswordListsACL table to have a look at - https://www.clickstudios.com.au/documentation/query-data.aspx. We won't be able to see the contents of any encrypted data, but we might be able to see if some AV software has caused data corruption somehow.

 

And, from the screen Administration -> Password Lists, can you view the permissions of the Password List here, and see if some of the permissions are wrong - from the Admin area, it should bypass this check you are seeing above.

Regards

Click Studios


Username is in DOMAIN\username format. I've tried different user names with the same result.

 

I can see the password lists from the Administration > Password Lists, but not from the normal section.

 

I tried disabling all antivirus software previously with no effect. I'm pretty certain I've got the exclusions correct on our AV in general.

 

I've emailed a copy of the table as requested to support email address.

 

Thanks,

Khurram


Hi Everyone,

 

We figured out what the issue was here - Khurram was specifying his domain Netbios name in uppercase, and this was causing this issue.

This was not Khurram's fault, and we will change the API in the next release to ensure we enforce lowercase here, so it matches what is in the UserAccounts table.

Regards

Click Studios
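
Added example, not code from this thread or from Click Studios: a pre-flight check of the import settings that catches the uppercase-domain case identified above, along with the other format rules stated in the posted configuration section. `Test-ImportConfig` and the sample values are hypothetical; the setting names are those of the configuration block earlier in the thread.

```powershell
# Added example: sanity-check the import settings before any API call is made.
# Sample values are constructed; key names mirror the posted configuration.
$cfg = @{
    PasswordstateURL            = 'https://passwordstate.domain.com:9119'
    PasswordstateImportFolderID = '0'
    PasswordstateTemplateID     = '12'
    PasswordstateLinkTemplate   = 'true'
    UserToPermit                = 'HALOX\lsand'   # uppercase domain, flagged below
    PasswordstateGenericMapping = @{ 1 = '^(IP-Address|IP-Adresse|IP|FQDN|Host)$'; 2 = '' }
}

function Test-ImportConfig {
    param([hashtable]$Config)
    $problems = @()
    if ($Config.PasswordstateURL -notmatch '^https://') {
        $problems += 'PasswordstateURL should start with https://'
    }
    foreach ($k in 'PasswordstateImportFolderID', 'PasswordstateTemplateID') {
        if ("$($Config[$k])" -notmatch '^\d+$') { $problems += "$k must be a numeric ID" }
    }
    # The config expects the strings "true"/"false", not $true/$false.
    $lt = $Config.PasswordstateLinkTemplate
    if ($lt -isnot [string] -or $lt -cnotin 'true', 'false') {
        $problems += 'PasswordstateLinkTemplate must be the string "true" or "false"'
    }
    # Blank is allowed (rights propagation); otherwise domain\userid, lowercase domain.
    $user = $Config.UserToPermit
    if ($user) {
        if ($user -notmatch '^[^\\]+\\[^\\]+$') {
            $problems += 'UserToPermit must be in domain\userid form'
        } elseif ($user.Split('\')[0] -cne $user.Split('\')[0].ToLower()) {
            $problems += "UserToPermit domain part is not lowercase: $user"
        }
    }
    # Every mapping value must compile as a regular expression.
    foreach ($pattern in $Config.PasswordstateGenericMapping.Values) {
        try { $null = [regex]$pattern } catch { $problems += "Invalid mapping regex: $pattern" }
    }
    $problems
}

Test-ImportConfig -Config $cfg
```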
