CLI password manager written in Rust.
Vault encrypted with AES-256-GCM, key derivation via Argon2id, temporary session, TOTP, audit, and import/export.
cargo install --path .Or from the repository:
cargo build --release
# binary: target/release/rpassCLI messages default to English.
# French UI for this process
export RPASS_LANG=fr
rpass status
# Or persist in config
rpass config set language frRPASS_LANG overrides config.language. Values: en / english, fr / french / français.
# Create the vault (sets the master password)
rpass init
# Unlock for a session (configurable timeout, default 15 min)
rpass unlock
# Add an entry (password generated automatically)
rpass add github -u me@email.com --tag dev --favorite
# List / search
rpass list
rpass list --tag dev --sort-by date
rpass search github
# Get a password (clipboard copy)
rpass get github
rpass get github --show
# Generate a password
rpass generate --length 24
rpass generate --passphrase --words 6
rpass generate --pronounceable --length 16
# Security audit
rpass audit
rpass check-breach --service github
rpass check-breach --all
# TOTP / 2FA
rpass add-totp github JBSWY3DPEHPK3PXP
rpass totp github
# Backup / export
rpass backup
rpass export --format json -o vault-export.json
rpass import --from chrome-export.csv
# Configuration
rpass config set password_length 24
rpass config set session_timeout 600
rpass config show
# Interactive REPL
rpass interactive
# Lock
rpass lock| Module | Role |
|---|---|
cli |
clap parsing, command handlers, REPL |
crypto |
Argon2id, AES-GCM, password generation, TOTP, HIBP, strength |
vault |
In-memory CRUD, audit, import/export |
storage |
File persistence, sessions, backups |
models |
Entry, VaultData, EncryptedVault, MasterKey (zeroize) |
config |
TOML config + environment variables |
error |
thiserror error types |
master password + salt (16 B)
│
▼
Argon2id (64 MiB, 3 iter)
│
▼
AES-256 key ──► AES-GCM(unique nonce, VaultData JSON)
│
▼
.vault file: { salt, nonce, ciphertext+tag, written_at }
After every mutation: re-encrypt + atomic write (tmp + rename).
The key in RAM uses zeroize::ZeroizeOnDrop.
rpass init pro
rpass --vault pro add corporate-vpn
rpass config set vault.pro /custom/path/pro.vault| Variable | Description |
|---|---|
RPASS_VAULT |
Default vault name |
RPASS_VAULT_PATH |
Vault file path |
RPASS_DATA_DIR |
Data directory |
RPASS_CONFIG |
Path to config.toml |
RPASS_TIMEOUT |
Session timeout (seconds) |
RPASS_PASSWORD_LENGTH |
Default generated password length |
RPASS_LANG |
CLI language: en (default) or fr |
RPASS_RUNTIME_DIR |
Session wrap-key directory (else XDG_RUNTIME_DIR/rpass) |
RPASS_CLIPBOARD_WAIT |
1 = wait for clipboard clear on get |
NO_COLOR |
Disable terminal colors |
# bash
source <(rpass completions bash)
# zsh
rpass completions zsh > "${fpath[1]}/_rpass" && compinit
# fish
rpass completions fish > ~/.config/fish/completions/rpass.fishcargo test- Argon2id to resist GPU/ASIC brute force
- AES-256-GCM (authenticated encryption) — fresh random nonce on every write
- Mode
0600on vault / session / export files - Session: sealed master key + separate wrap key (
XDG_RUNTIME_DIR) - Write lock (
.vault.lock) against concurrent writers - Clipboard: best-effort clear; set
RPASS_CLIPBOARD_WAIT=1to force wait - HIBP k-anonymity: only a SHA-1 prefix (5 chars) leaves the machine
- JSON/CSV exports are plaintext — protect them carefully
MIT