Show HN: Keepr – A Secure and Offline Open Source CLI Password Manager

17•bsamarji•2mo ago

Hi HN,

I made Keepr, a simple offline CLI password manager for developers who prefer keeping secrets local and working entirely in the terminal.

Everything is stored in an encrypted SQLCipher database, protected by a master password. A time-limited session keeps the vault unlocked while you work, so you don’t need to re-enter the password constantly. Keepr never touches the network.

It includes commands to add, view, search, update, and delete entries, plus a secure password generator and clipboard support.

Technical details:

- AES-256 via SQLCipher

- PBKDF2-HMAC-SHA256 (1.2M iterations) for deriving the KEK

- KEK decrypts a stored PEK, which encrypts the vault

- Session file holds the PEK until expiry

GitHub: https://github.com/bsamarji/Keepr

PyPI: https://pypi.org/project/Keepr/

I would love some feedback, criticism or any questions, especially on UX or security!

Thanks for looking!

Comments

johng•2mo ago

Looks neat, will give it a shot!

bsamarji•2mo ago

Awesome, hope you like it! Let me know how you get on and if there is any feature you'd like adding! I'm always open to people contributing as well!

kseistrup•2mo ago

This looks neat.

Is there a way to change the password length? It seems PASSWORD_LENGTH is set to 20 in config.py, but if keepr is installed by the sysadmin, users won't be able to change this.

And about security: Even if the database is encrypted, it would be nice if keepr set the umask to at least 0027 (possibly even 0077) at startup so that everything is only readable by the user.

Cheers.

johng•2mo ago

on MacOS at least I was able to use a password that was 9 characters in length. Installed via pipx, not sure if that makes a difference.

kseistrup•2mo ago

Right, I should have been more explicit: Pre-existing passwords can have any length, but the "keepr add -g" command will always generate a password of length 20, and there is no obvious way to change that, save for editing the config.py file -- something that may not always be possible (or desirable).

bsamarji•2mo ago

Hi, thanks for your feedback! Yes at the moment you can only change the password length via updating the config.py. This can only be done if you clone the repo and update the config.py yourself, not through installing off of PyPI. One of my first goals on the roadmap is to make configuration accessible to the user through the CLI, so they can change the generated password length, session time and colour scheme of the output. If you'd like I'd very much welcome a pull request if you want to help contribute to the project! Otherwise, I'll work on getting user configuration setup as a priority for the next release.

bsamarji•2mo ago

You're correct, generated password length is fixed to 20 characters at the moment. I've got a priority task to make user config the next release which will enable the user to configure generated password length, colour scheme and session length. With regards to security, the way the database is encrypted is using your master password on intial setup. I'm not sure if there is a way to make the database readable, even setting it to readable to the user, since the database file itself is encrypted. This is for security purposes, and when I was desinging the app, I had trade-offs to make between security and user experience. Security was a top priority as I hadn't seen another password manager with this level of security before. I have a feature planned to enable export and import of data from the database to .csv/.json, so this might help with user experience. Thanks for the feedback, really appreciated. I hope you enjoy using the app!

kseistrup•2mo ago

Great, thanks! :)

bsamarji•2mo ago

I've just released v1.1.0 which now has user configuration for password generator settings, color scheme and session duration! I've updated the README on the main project page which now includes instructions for user configuration. Hope you enjoy the new feature!

kseistrup•2mo ago

Thanks for the notification! :)

bsamarji•2mo ago

No problem! :)

adadu2•2mo ago

Does it work with python 3.12?

bsamarji•2mo ago

It should do! There is nothing specific from Python 3.13 that I used, so it should work on Python 3.12

adadu2•2mo ago

cool, thanks!

bsamarji•2mo ago

No problem, I hope you like it! Let me know how you get on, I'm open to feedback to try and make the project as best as possible.

hcaz•2mo ago

Looks cool, but I think the name is very similar to Keeper (https://www.keepersecurity.com/en_GB/enterprise.html)

bsamarji•2mo ago

Thanks for the feedback, I hope you check out the app! Yes I know it is similar, I actually went through several different names. I started with PassMaster and then PassMan. PassMan was already taken on PyPI, and PassMaster was also quite long to use for a cli command. I liked Keepr as it is short to type out and I like the connotations it has to keys, secrets and security!

Brute Force Colors (2022)

Google Translate apparently vulnerable to prompt injection

(Bsky thread) "This turns the maintainer into an unwitting vibe coder"

Software development is undergoing a Renaissance in front of our eyes

Can you beat ensloppification? I made a quiz for Wikipedia's Signs of AI Writing

Spec-Driven Design with Kiro: Lessons from Seddle

Agents need good developer experience too

The Dark Factory

Free data transfer out to internet when moving out of AWS (2024)

Interop 2025: A Year of Convergence

Prejudice Against Leprosy

Slint: Cross Platform UI Library

AI and Education: Generative AI and the Future of Critical Thinking

Maple Mono: Smooth your coding flow

Moltbook isn't real but it can still hurt you

Take Back the Em Dash–and Your Voice

Show HN: 289x speedup over MLP using Spectral Graphs

Teaching Mathematics

3D Printed Microfluidic Multiplexing [video]

Abstractions Are in the Eye of the Beholder

Show HN: Routed Attention – 75-99% savings by routing between O(N) and O(N²)

We didn't ask for this internet – Ezra Klein show [video]

The Real AI Talent War Is for Plumbers and Electricians

Show HN: MimiClaw, OpenClaw(Clawdbot)on $5 Chips

I Maintain My Blog in the Age of Agents

The Fall of the Nerds

Show HN: I'm 15 and built a free tool for reading ancient texts.

How close is AI to taking my job?

You are the reason I am not reviewing this PR

Show HN: FamilyMemories.video – Turn static old photos into 5s AI videos

Brute Force Colors (2022)

Google Translate apparently vulnerable to prompt injection

(Bsky thread) "This turns the maintainer into an unwitting vibe coder"

Software development is undergoing a Renaissance in front of our eyes

Can you beat ensloppification? I made a quiz for Wikipedia's Signs of AI Writing

Spec-Driven Design with Kiro: Lessons from Seddle

Agents need good developer experience too

The Dark Factory

Free data transfer out to internet when moving out of AWS (2024)

Interop 2025: A Year of Convergence

Prejudice Against Leprosy

Slint: Cross Platform UI Library

AI and Education: Generative AI and the Future of Critical Thinking

Maple Mono: Smooth your coding flow

Moltbook isn't real but it can still hurt you

Take Back the Em Dash–and Your Voice

Show HN: 289x speedup over MLP using Spectral Graphs

Teaching Mathematics

3D Printed Microfluidic Multiplexing [video]

Abstractions Are in the Eye of the Beholder

Show HN: Routed Attention – 75-99% savings by routing between O(N) and O(N²)

We didn't ask for this internet – Ezra Klein show [video]

The Real AI Talent War Is for Plumbers and Electricians

Show HN: MimiClaw, OpenClaw(Clawdbot)on $5 Chips

I Maintain My Blog in the Age of Agents

The Fall of the Nerds

Show HN: I'm 15 and built a free tool for reading ancient texts.

How close is AI to taking my job?

You are the reason I am not reviewing this PR

Show HN: FamilyMemories.video – Turn static old photos into 5s AI videos

Show HN: Keepr – A Secure and Offline Open Source CLI Password Manager

Comments