Password manager encrypted with Trezor hardware
Clone or download
hiviah Merge pull request #4 from prusnak/master
Use newly added iv field in encrypt_keyvalue/decrypt_keyvalue calls. Warning: incompatible change with existing password databases!
Latest commit 0f2ebd5 Jan 4, 2016

TrezorPass hardware-backed password manager

A PyQt-based password manager that uses Trezor hardware token to do encryption of passwords. Similar to KeepassX or kwalletmanager in function.

Password database is stored in encrypted form on computer. This allows unlimited count of password entries to be stored and enables possibility of recovery if original Trezor is misplaced (mnemonic and passphrase are required to recover).

Note that this is alpha software.

Trezor must be already set up to use passphrase.

A few stored passwords

Security features

  • symmetric password encryption key never leaves the Trezor
  • button confirmation on Trezor is required to activate decryption of a password
  • upon requesting password decryption, user sees on Trezor's display decryption of which password group is requested before confirmation
  • backup/export of passwords possible, also requires explicit button confirmation
  • if Trezor is lost, recovery from seed on a new Trezor and using the same password will also recover encrypted password database (in theory recovery can be done without Trezor, but such script is not yet written)

Runtime requirements


Even though the whole code is in Python, there are few Qt .ui form files that need to be transformed into Python files. There's Makefile, you just need to run


Build requirements

PyQt4 development tools are necessary, namely pyuic4 (look for packages named like pyqt4-dev-tools or PyQt4-devel).




How backup works

Each password is encrypted and stored twice. Once with symmetric AES-CBC function of Trezor that always requires button confirmation on device to decrypt. Second encryption is done to public RSA key, whose private counterpart is encrypted with Trezor. Backup requires private RSA to be decrypted and then used to decrypt the passwords.