Skip to content


Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP
A simple password manager
branch: master
Failed to load latest commit information.
bin oops... no X for webclient!
conf capacity to serve some "static" (i.e. non-template) files => external…
data improvements: random seed, master password management
debian hunting strange Makefile bug
src fix tests & secure. No more http-only (seems not to be given back to …
.gitignore ignore exe
.travis.yml yet another try!! :-(
Makefile Vault is used by both server and webclient, make it an external depen… Development doc enhanced CI yet another try!! :-( The "is" keyword is obsolete. capacity to serve some "static" (i.e. non-template) files => external… ok, removing the added dot because reprepro refuses the new packages …

Build Status

General description

pwd is a small and simple password manager utility.

Typical use is through dmenu (

An administration console is also provided.


  • enter a pass key, the actual password is copied in X clipboard
  • vault encrypted via openssl (Blowfish Cipher) using a master key
  • vault merge
  • vault up/download


  • xclip (mandatory)
  • openssl (mandatory)
  • zenity, yad, or any program that allows password entry (mandatory)
  • less (almost mandatory, for the list command and all kinds of help)
  • either curl or scp (optional, but useful if you want to keep your vault in the cloud)
  • dmenu (optional, but useful if you don't want to use the console for nominal use case -- you may also use zenity, yad, or any other program that allows to choose an item in a list)
  • xterm (optional, but useful to let the console open itself in graphical environments)

Typical use

For a per-user install:

  • bind <super>k to $HOME/.local/bin/pwd_menu
  • bind <super><shift>k to $HOME/.local/bin/pwd_console


The configuration file is usually found in your home directory: $HOME/.pwd/config.rc

A system-wide configuration file may be found at /etc/pwd.rc.

Some sample files are available in the documentation section of your package (the default install places those files in /usr/local/share/doc/pwd/). Look at the sample-*.rc files.

Those files are auto-documented. Just open them and read the comments to find how to modify them.

Features details

Password management

Passwords are kept in a single file, known as the vault. This file is encrypted by a "master pass phrase". It is the only pass you'll need to know!

The passwords are referenced by a unique key. They are never displayed in clear text.

The server

The server is responsible for keeping the vault open using a pass phrase you'll need to type only once.

To close the vault, just type stop in the administration console (see below). It will stop the server.

The menu

The menu is a very quick and efficient way of getting a password. Just enter the key of the password you need; the password is made available in the X clipboard, just type ctrl-V or click the middle button of your mouse to paste it in a password form.

The most typical use is all the web login sites (google, facebook, banks...) Never have duplicate passwords anymore!

The administration console

The administration console allows more operations on the vault. The most useful is ceraintly the add command, that will add a new vault entry using the provided key.

For instance, add foo will generate a unique random password and store it in the vault using the key foo. The password is also made available to the X clipboard for pasting in the form of the new account you are just creating :-)

You may also specify a recipe for the password generation; for instance, type add foo generate 6n to generate a 6 figures password. The recipe grammar is:

recipe     <- mix ('+' mix)*         # all the ingredients will be mixed
mix        <- quantity ingredient+   # n times the ingredients
quantity   <- [0-9]*                 # default 1
ingredient <- 'a'                    # alphabetic
            / 'n'                    # numeric
            / 's'                    # symbols

Another usage is add foo prompt. In that case, the password is not generated, but you will need to enter it in the dialog that pops up. The password is then stored in the vault and also made available in the X clipboard. This usage is not recommended except for already-known passwords (to fill up your vault), or for sites that have ugly (and usually weak) password policies.

For other commands, just type help.

Remoting and merging

OK, now you have a vault at home in your desktop, another on your laptop, a third one at work. How do you merge them?

First, you must define a central location where your vault is to be kept. Preferably a cloud space you own.

Fill in the corresponding fields in the configuration file.

When those fields are correctly set, the administration console provides a few useful commands:

  • save saves your local vault up to the cloud
  • load loads the vault from the cloud (it overwrites your local one!)
  • merge attempts to merge both the local cloud and the one in the vault, saving the result back up to the cloud.

Let's focus on that last operation, which should be the most common. The merge should work as expected. Added keys are added, removed keys are removed.

The only difficult case arise if a key is updated in both vaults. In that case, the one with the greatest number of changes wins; if equal, then the local version wins.

Note that, to help merge take decisions in the latter case, keys are never really deleted from the vault. They are simply marked as being removed.

Proxy support

Proxies are supported when using the curl protocol: the console installs the ALL_PROXY variable using the following keys in the [proxy] section of the configuration file:

  • protocol specifies the proxy protocol
  • host is the only mandatory key; it contains the name of the proxy host
  • port specifies a port, if different from the default (e.g. 8080)
  • user gives a user name, if the proxy needs authentication
  • pass gives a password key, to be retrieved from the vault

Important note

pwd is a local password manager. As such, it needs to provide passwords in cleartext to other processes (mainly the X clipboard).

It is important to understand that, under such circumstances, there is no reason to make pwd overly secure. It can be subject to many local exploits (reading its environment variables, its memory sections etc. may provide cleartext passwords).

On the other hand, there should be no remote exploits, because the vault load/save protocol only sends and receives encrypted vault streams.

Just take the needed steps to ensure that your machine is not remotely exploitable.


There are several distinct ways of installing pwd.

From source

To install pwd from source, you need to first install Liberty Eiffel, the fresher the better.

Install locally by calling ./ bootstrap && cd target/bootstrap && ./; the exe path is $HOME/.local/bin.


The bootstrap package provides a C source generated by Liberty Eiffel. It helps stand-alone install for specific hardware without needing Liberty Eiffel which is pretty much resource-hungry.

The package also provides an script for user-local installation (in $HOME/.local and $HOME/.config).

Linux binary

Just launch the provided script.

Linux "on-key" binary

Useful for installation on USB keys or any removable media.

Debian packages

The Debian package is named pwd.

deb unstable main

deb-src unstable main

Currently available for the architectures: amd64 and armhf.


After having called ./ bootstrap once, usually just building the exes using make is enough.

Something went wrong with that request. Please try again.