
Touch ID

The Vault CLI supports Touch ID on macOS for quick vault access.

How It Works

  1. First Access: You enter your master password
  2. Keychain Storage: Password stored in macOS Keychain
  3. Subsequent Access: Touch ID unlocks keychain
  4. Fallback: Password prompt if Touch ID fails

Setup

Touch ID is configured automatically on first vault access:

# First time - prompts for master password
pwm entry list
# Enter master password: ********
# ✓ Master password saved to keychain
 
# Next time - Touch ID prompt
pwm entry list
# 🔐 Touch ID: PWM wants to access your vault
# ✓ Authenticated

Requirements

  • macOS with Touch ID sensor
  • macos-touchid Node.js package (included)
  • Keychain access permission

Disable Touch ID

Use the --password flag to bypass Touch ID:

pwm entry list --password

Or remove the stored password:

# Remove from keychain
security delete-generic-password -s "pwm-vault"

Security

  • Master password is stored in the macOS Secure Enclave
  • Accessible only with your biometric
  • Never transmitted over the network
  • Protected by macOS security model

Troubleshooting

Touch ID Not Working

  1. Check that Touch ID is enabled in System Preferences
  2. Ensure the terminal has Keychain access
  3. Try the --password flag to bypass Touch ID

Permission Denied

Grant terminal access in System Preferences > Security & Privacy > Privacy > Accessibility

Reset Touch ID

# Delete stored credential
security delete-generic-password -s "pwm-vault"
 
# Next vault access will prompt for password
pwm entry list
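
To confirm that a reset actually removed the stored credential, the following added example (not part of pwm itself) checks for the keychain item without printing the secret, deletes it, and verifies that nothing is left. It assumes the "pwm-vault" service name shown above and the stock macOS security tool; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not pwm project code. Assumes the keychain service name
# "pwm-vault" from this page and the built-in macOS `security` command.
PWM_SERVICE="pwm-vault"

# Returns 0 if an item exists, 1 if none, 2 on any other error
# (for example a locked keychain). No -w or -g flag is passed, so the
# stored password is never written to the terminal.
pwm_item_present() {
    rc=0
    security find-generic-password -s "$PWM_SERVICE" >/dev/null 2>&1 || rc=$?
    case "$rc" in
        0)  return 0 ;;
        44) return 1 ;;  # exit status `security` gives when no item matches
        *)  return 2 ;;
    esac
}

# Deletes the stored credential and confirms it is gone. Loops (bounded)
# in case more than one item matches the service name.
# Prints the number of items removed; returns 2 on failure.
pwm_reset() {
    removed=0
    while [ "$removed" -lt 10 ]; do
        st=0
        pwm_item_present || st=$?
        case "$st" in
            1) break ;;
            2) echo "keychain query failed" >&2; return 2 ;;
        esac
        security delete-generic-password -s "$PWM_SERVICE" >/dev/null 2>&1 || return 2
        removed=$((removed + 1))
    done
    # Final check: the item must now be absent.
    st=0
    pwm_item_present || st=$?
    [ "$st" -eq 1 ] || return 2
    echo "$removed"
}
```

Source the file and run pwm_reset; a printed 0 means no credential was stored to begin with.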