distributed password manager

Introducing passveil

passveil is a command line-based password manager heavily inspired by pass. We have developed it to address our needs when it comes to password managers and decided to share it with the world as an open source project.


passveil uses gpg to encrypt sensitive information in an on-disk key-value store. Additionally it hashes store keys using SHA256 to prevent accidental disclosure of confidential keys such as undisclosed project names.


Manage and share your data with colleagues using darcs, a powerful version control system with sophisticated merging capabilities.


Sharing sensitive information between trusted parties can be quite the hassle. passveil offers a trust mechanism, which prevents transfer of sensitive data over insecure channels.


Getting Help

passveil comes with an integrated help system based on optparse-applicative as well as completion for the friendly interactive shell (fish) for improved discoverability.

Each subcommand also offers a help option documenting its own options.

Runtime requirements

passveil needs the following programs to be installed:
$ passveil --help
Usage: passveil [--store DIRECTORY] COMMAND
  passveil - distributed password manager

Available options:
  --store DIRECTORY        Specify an alternate store
  --version                Show version and exit
  -h,--help                Show this help text

Key management:
  insert                   Insert a new password into the store
  delete                   Delete a password from the store
  edit                     Edit an existing password in the store
  move                     Move a password to another path

Query operations:
  show                     Show password of a path
  list                     List all passwords below a path
  search                   List passwords matching a regular expression
  info                     Show key information

Trust management:
  allow                    Allow password to be shared with others
  deny                     Deny password to be shared with others
  distrust                 List potentially compromised passwords

Storage management:
  init                     Initialize a new store
  sync                     Synchronize store
  undo                     Undo local changes

Passveil in 5 Minutes

$ passveil init

To initialize a new passveil store, we simply issue passveil init and identify the gpg key we want to use for encryption.

$ passveil insert --generate 16 --batch this/is/a/test
$ passveil show this/is/a/test

We want to create a new entry this/is/a/test in our passveil store. The generate flag specifies that we want to create a 16-character password, while batch prevents passveil from starting a text editor in which we could manually change the generated password before it is inserted into the store. Use show to retrieve the stored password.

$ passveil list
$ passveil list --tree
`-- this
  `-- is
    `-- a
      `-- test

The list subcommand displays all available keys in the store. With the tree flag, passveil unfolds all paths and displays them in tree format, coloring the nodes that contain encrypted information.

$ passveil info this/is/a/test
 Tue Mar  2 09:57:03  2021
     raichoo <>

 Tue Mar  2 09:57:03  2021
     raichoo <>

 Tue Mar  2 09:57:03  2021
     raichoo <>

 Tue Mar  2 09:57:03  2021
     raichoo <>

 Tue Mar  2 09:57:03  2021
     raichoo <>
 + 271AC087DB698C642BA839E51636E5B1C54C281F
     raichoo <>

passveil keeps track of a lot of additional metadata for each entry in the store, which can be accessed using the info subcommand.

  • created: Date of creation and key that was used
  • issued: Last change of metadata
  • trusted: Who has access to the secret
  • insiders: Who had access since the last change
  • log: Keeps track of trust changes

Most of this information is used by other operations such as distrust, which uses insiders to find secrets that a key once had access to and that have not been changed since. This can be used to identify potentially compromised secrets in case a key gets stolen or otherwise becomes untrustworthy.
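
The relationship between trusted, insiders and distrust can be modelled in a few lines. The following Python sketch is an added example, not passveil's own code or on-disk format: the Store and Entry classes, the key names and the rule that editing a secret resets insiders to the currently trusted keys are assumptions derived from the field descriptions above.

```python
from dataclasses import dataclass, field

@dataclass
class Entry:
    """Assumed model of one entry's trust metadata (not passveil's format)."""
    secret: str
    trusted: set = field(default_factory=set)   # keys that can read the secret now
    insiders: set = field(default_factory=set)  # keys with access since the last change
    log: list = field(default_factory=list)     # trust changes, oldest first

class Store:
    def __init__(self, owner):
        self.owner = owner
        self.entries = {}

    def insert(self, path, secret):
        self.entries[path] = Entry(secret, {self.owner}, {self.owner})

    def allow(self, path, key):
        e = self.entries[path]
        e.trusted.add(key)
        e.insiders.add(key)      # the key has now seen the current secret
        e.log.append(("allow", key))

    def deny(self, path, key):
        e = self.entries[path]
        e.trusted.discard(key)   # no future access, but the key stays an insider
        e.log.append(("deny", key))

    def edit(self, path, new_secret):
        e = self.entries[path]
        e.secret = new_secret
        e.insiders = set(e.trusted)  # only currently trusted keys know the new secret

    def distrust(self, key):
        """Paths whose current secret `key` has had access to."""
        return sorted(p for p, e in self.entries.items() if key in e.insiders)

def demo():
    s = Store("ALICE")                  # constructed key names and secrets
    s.insert("db/prod", "s3cret-1")
    s.insert("db/staging", "s3cret-2")
    s.allow("db/prod", "BOB")
    s.allow("db/staging", "BOB")
    s.deny("db/prod", "BOB")            # revoked, but the secret was not rotated
    s.deny("db/staging", "BOB")
    s.edit("db/staging", "s3cret-2b")   # rotated after revocation
    return s.distrust("BOB")            # ['db/prod']
```

In this model, denying a key only stops future sharing; the entry remains in the distrust listing for that key until its secret is actually changed.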

Installation and contributing

passveil is currently developed and hosted on darcshub. Since it is written in Haskell, cabal is required for the build process. Apart from that, it requires GnuPG and darcs to be present in PATH.
$ darcs clone --lazy
$ cd passveil
$ cabal install