First, create an XML export using KeePass for Windows (not KeePassX; its export format is completely different).
Then add a line like:
<?xml-stylesheet href="keepass_xml.xsl" type="text/xsl"?>
to the exported KeePass .xml file, right below the line that looks like:
<?xml version="1.0" encoding="utf-8" standalone="yes"?>
In other words, make <?xml-stylesheet ... ?> the second line in the file.
As for which stylesheet you can choose, there are two options:
- keepass_xml.xsl (recommended): prints password entries in roughly the same order as they appear in the graphical "tree" control in KeePass
- keepass_xml-alpha_sort.xsl (work-in-progress): sorts entries alphabetically; this one may lag behind the non-alpha version in terms of appearance and completeness
Save the exported .xml file, then open that file in a web browser.
You must "securely erase" the .xml file when you're done!
If you save your KeePass database in a cloud storage service, disable the sync client first, or work on a copy in some other (offline) directory, because versions of deleted files are stored on the provider's servers. The safest bet is to work out of a temporary encrypted volume that you delete afterwards (see below).
If you have no idea what any of this means, then ask someone who does!
Any copies of the PLAIN TEXT, UNENCRYPTED .xml file left lying around will compromise ALL of the accounts that were contained in the original database. PLEASE, PLEASE, take this into consideration before exporting and printing the .xml file. EVEN THE OFFICE PRINTER will be keeping copies of this unencrypted file on its internal hard drive!
- For Linux: Use the shred utility with the -u (unlink) option.
- For macOS: Use rm -P (overwrites three times with rotating bit patterns)
- For Windows: Use Eraser - http://eraser.heidi.ie
The default settings are sufficient to scrub all traces from magnetic media, at least sufficiently that they cannot be recovered except with crazy-expensive equipment that petty thieves (personal enemies, etc.) are not likely to have access to. Even state actors like three-letter security agencies will have a hard time of it.
As a precaution against creating insecure temp files elsewhere on the filesystem, you can create a temporary encrypted container volume (using something like VeraCrypt, Cryptomator, or macOS's Disk Utility), then mount that volume and work on the XML files there.
Pro Tip: You can also use this volume to export and diff XML dumps of the KeePass database when cloud storage conflicts occur (as they often do when one sync client is detached from the network for a period of time and meanwhile makes changes to the KeePass database).
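The steps above as one script, added here as an example and not part of this project: it makes the stylesheet instruction line 2 of the export, keeps its temporary file beside the export (so inside the encrypted volume) and scrubs the old copy with shred -u or rm -P. The function names add_stylesheet and scrub are made up for this example.

```shell
#!/bin/sh
# Added example: insert the xml-stylesheet line into a KeePass XML export
# without leaving plaintext copies outside the working directory.

# scrub FILE: overwrite and unlink, using the tools named on this page.
scrub() {
    if command -v shred >/dev/null 2>&1; then
        shred -u -- "$1"          # Linux
    else
        rm -P -- "$1"             # macOS
    fi
}

# add_stylesheet FILE [XSL]: make the stylesheet instruction line 2 of FILE.
add_stylesheet() {
    file=$1
    xsl=${2:-keepass_xml.xsl}
    # Line 1 must be the XML declaration (a UTF-8 BOM before it is tolerated).
    case $(head -n 1 -- "$file") in
        *'<?xml version='*) ;;
        *) echo "line 1 of $file is not an XML declaration" >&2; return 1 ;;
    esac
    # Already done: leave the file alone so the line is never added twice.
    if sed -n '2p' -- "$file" | grep -q '<?xml-stylesheet '; then
        return 0
    fi
    # The temp file goes beside the export (e.g. inside the encrypted volume),
    # never in /tmp. mktemp creates it with mode 0600.
    tmp=$(mktemp "$(dirname -- "$file")/.export.XXXXXX") || return 1
    {
        head -n 1 -- "$file"
        printf '<?xml-stylesheet href="%s" type="text/xsl"?>\n' "$xsl"
        tail -n +2 -- "$file"
    } > "$tmp" || { scrub "$tmp"; return 1; }
    # Scrub the old copy before the new one takes its name; a plain mv over
    # it would only unlink the old plaintext blocks without overwriting them.
    scrub "$file" && mv -- "$tmp" "$file"
}
```

Pass the alphabetical stylesheet as the second argument to use keepass_xml-alpha_sort.xsl instead of the default.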
- Figure out how to indent the resulting HTML file so that the subgroups' left margin reflects the appropriate nesting.
- http://www.joelsklar.com/xslt.htm#example1
  - which is not well-formed XML until you change <? xml ... to <?xml ... (i.e., remove the extra space)!