Features
Vault is packed with features to keep your passwords secure and accessible.
Security
🔐 Zero-Knowledge Architecture
Your passwords are encrypted on your device before being sent to the server. The server only stores encrypted blobs and can never see your plaintext data.
- Master password never transmitted
- Client-side encryption/decryption
- Server stores only encrypted data
🔑 Passkey Authentication
No more passwords to remember. Authenticate using:
- Face ID (iPhone, Mac)
- Touch ID (Mac)
- Windows Hello
- Security Keys (YubiKey, etc.)
🔒 Military-Grade Encryption
- AES-256-GCM for vault encryption
- PBKDF2 with 600,000 iterations for key derivation
- 128-bit random salt per vault
- 96-bit random IV per encryption operation
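The parameters listed above and the client-side model from the Zero-Knowledge section, combined in an added example (not Vault's own code). It assumes PBKDF2 with HMAC-SHA-256 and an illustrative blob layout, neither of which this page specifies; all function and field names are hypothetical.

```javascript
// Added example. From the page: AES-256-GCM, PBKDF2 at 600,000 iterations,
// 128-bit salt per vault, 96-bit IV per encryption.
// Assumptions: SHA-256 as the PBKDF2 hash, the blob field names, the sample data.
const nodeCrypto = require("node:crypto");

const PBKDF2_ITERATIONS = 600_000;
const SALT_BYTES = 16; // 128-bit salt, generated once per vault
const IV_BYTES = 12;   // 96-bit IV, generated fresh for every encryption
const KEY_BYTES = 32;  // AES-256 key

// Runs on the client only: the master password is never part of any blob.
function deriveVaultKey(masterPassword, salt) {
  return nodeCrypto.pbkdf2Sync(masterPassword, salt, PBKDF2_ITERATIONS, KEY_BYTES, "sha256");
}

// Encrypt one entry. The returned object is everything the server would store.
function encryptEntry(key, salt, entry) {
  const iv = nodeCrypto.randomBytes(IV_BYTES);
  const cipher = nodeCrypto.createCipheriv("aes-256-gcm", key, iv);
  const ciphertext = Buffer.concat([cipher.update(JSON.stringify(entry), "utf8"), cipher.final()]);
  return {
    salt: salt.toString("base64"),
    iv: iv.toString("base64"),
    tag: cipher.getAuthTag().toString("base64"), // GCM authentication tag
    ciphertext: ciphertext.toString("base64"),
  };
}

// Decrypt on the client. Throws if the password is wrong or the blob was modified,
// because GCM tag verification fails in decipher.final().
function decryptEntry(masterPassword, blob) {
  const key = deriveVaultKey(masterPassword, Buffer.from(blob.salt, "base64"));
  const decipher = nodeCrypto.createDecipheriv("aes-256-gcm", key, Buffer.from(blob.iv, "base64"));
  decipher.setAuthTag(Buffer.from(blob.tag, "base64"));
  const plaintext = Buffer.concat([
    decipher.update(Buffer.from(blob.ciphertext, "base64")),
    decipher.final(),
  ]);
  return JSON.parse(plaintext.toString("utf8"));
}

// Constructed sample data, not real credentials.
const salt = nodeCrypto.randomBytes(SALT_BYTES);
const key = deriveVaultKey("correct horse battery staple", salt);
const entry = { type: "login", name: "Example", username: "alice", password: "s3cret-value" };
const blobA = encryptEntry(key, salt, entry);
const blobB = encryptEntry(key, salt, entry); // same key and entry, different IV
console.log(blobA.ciphertext !== blobB.ciphertext);
```

Reusing an IV under the same key breaks AES-GCM's confidentiality and integrity guarantees, which is why the IV is generated inside `encryptEntry` rather than passed in by the caller.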
👥 Secure Sharing
Share vaults with team members using ECDH key exchange:
- No secrets in invitation URLs
- Perfect forward secrecy with ephemeral keys
- Role-based access (read, write, admin)
- Revocable access anytime
Entry Types
Store more than just passwords:
| Type | Fields |
|---|---|
| Login | Name, username, password, URL, notes, tags |
| Secure Note | Name, content, tags |
| Credit Card | Name, number, expiry, CVV, cardholder, notes |
| Identity | Name, email, phone, address, notes |
Organization
🏷️ Tags
Organize entries with custom tags:
# Filter by tag in CLI
pwm entry list --tag work
pwm entry list --tag finance --type card
⭐ Favorites
Mark frequently used entries as favorites for quick access. Favorites appear at the top of lists.
📁 Multiple Vaults
Create separate vaults for different purposes:
- Personal vault
- Work vault
- Shared team vault
Import & Export
📥 Import Wizard
Import from popular password managers:
- NordPass CSV
- Chrome CSV export
- 1Password CSV export
Features:
- Automatic format detection
- Duplicate detection
- Preview before import
- Field mapping
📤 Export
Export your vault in multiple formats:
# JSON export
pwm entry export --format json
# Environment file export
pwm entry export --format env --tag aws
Platforms
🌐 Web App (PWA)
Full-featured Progressive Web App:
- Works offline with cached vault
- Installable on any device
- Background sync when online
- Keyboard-first navigation
💻 CLI
Powerful command-line interface:
- Touch ID integration on macOS
- Secret injection for CI/CD
- Scriptable for automation
- JSON output for tooling
📱 Mobile (Beta)
React Native app with Expo:
- Face ID / Touch ID unlock
- Native iOS and Android
- Offline-capable
- Sharing support
Productivity
⌨️ Keyboard Shortcuts
Navigate entirely by keyboard:
| Shortcut | Action |
|---|---|
| ↑ ↓ | Navigate list |
| ↵ | Select item |
| ⌘K | Actions menu |
| ⌘N | New entry |
| ⌘G | Password generator |
| ⌘I | Import |
| ⌘E | Export |
| ? | Show all shortcuts |
🔄 Sync
Your vault syncs automatically across all devices:
- Real-time updates
- Conflict resolution
- Version history
- Offline queue
🎲 Password Generator
Generate secure passwords and passphrases:
# Random password (20 chars)
pwm generate
# Long password with strength indicator
pwm generate --length 32 --strength
# Passphrase (4 words)
pwm generate --passphrase
# Custom passphrase
pwm generate --passphrase --words 6 --separator "-"
Developer Features
🔧 Secret Injection
Inject vault secrets as environment variables:
# Run command with secrets
pwm use production npm start
# Filter by tag
pwm use dev --tag aws npm run deploy
# Dry run
pwm use staging --dry-run echo "test"
📡 API Access
Full REST API for integrations:
- WebAuthn authentication
- Vault CRUD operations
- Sharing management
- TypeScript SDK
🎬 Demo Mode
Record CLI demos with mock data:
export PWM_DEMO_MODE=true
pwm entry list # Uses mock Touch ID and data