Building a Secure Local Password Manager with Python and Typer
These articles are AI-generated summaries. Please check the original sources for full details.
a Local CLI Password Manager in Python
Mohit Kumar Kushwaha developed PMCLI, a local password manager designed for terminal-based credential retrieval. The tool utilizes the Fernet symmetric encryption scheme and PBKDF2 for key derivation to secure data locally at ~/.pmcli/vault.json.
Why This Matters
Deriving the encryption key directly from a user's master password creates a rigid system in which any password change renders existing data unreadable. PMCLI addresses this by decoupling the master password, used for access control, from a stable encryption phrase used for data persistence, ensuring vault continuity during security updates while maintaining local isolation.
Key Insights
- Encryption implementation using Fernet symmetric encryption and PBKDF2 for key derivation (2026).
- Decoupled security architecture where the master password controls access while a separate encryption phrase handles data decryption.
- Local data persistence using a structured JSON vault located at ~/.pmcli/vault.json.
- Security-first CLI design that utilizes pyperclip to copy credentials to the clipboard instead of printing secrets to stdout.
- Modular Python structure using Typer for CLI routing and separate modules for crypto and storage logic.
Working Examples
Basic CLI usage for managing credentials
pmcli add github.com
pmcli list
pmcli get github.com
pmcli reveal github.com
Modular project structure for PMCLI
pmcli/
├── main.py
├── crypto.py
├── storage.py
├── commands/
│   ├── add.py
│   ├── get.py
│   ├── reveal.py
│   ├── list_cmd.py
│   └── config.py
└── README.md
Encrypted JSON vault storage format
{
  "github.com": {
    "username": "[email protected]",
    "password": "gAAAAAB..."
  }
}
Practical Applications
- Use case: Local credential management using reveal to copy passwords to the clipboard, preventing terminal history leaks. Pitfall: Hardcoding encryption phrases in source code instead of using .env files, leading to credential exposure in version control.
- Use case: Decoupling master passwords from encryption keys to allow password rotation without re-encrypting the entire vault. Pitfall: Using the master password directly for encryption, causing total data loss if the user changes the original key.
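The decoupling described under Why This Matters and in the second use case above, as an added example that is not PMCLI's own code: the master password is checked against a stored PBKDF2 verifier, while the Fernet key is derived from the separate encryption phrase. The function names, the in-memory vault layout, the iteration count and the sample values are assumptions made for illustration.

```python
import base64, hashlib, hmac, os
from cryptography.fernet import Fernet  # third-party: pip install cryptography

ITERATIONS = 600_000  # assumed PBKDF2 work factor; the page gives no value

def _pbkdf2(secret: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, ITERATIONS)

def new_vault(master_password: str) -> dict:
    """Hypothetical in-memory vault: verifier for access, separate salt for the key."""
    auth_salt = os.urandom(16)
    return {"auth_salt": auth_salt,
            "auth_hash": _pbkdf2(master_password, auth_salt),
            "kdf_salt": os.urandom(16),
            "entries": {}}

def unlock(vault: dict, master_password: str) -> bool:
    """Access control only: constant-time compare against the stored verifier."""
    candidate = _pbkdf2(master_password, vault["auth_salt"])
    return hmac.compare_digest(candidate, vault["auth_hash"])

def change_master(vault: dict, old: str, new: str) -> None:
    """Rotate the master password; no entry is touched or re-encrypted."""
    if not unlock(vault, old):
        raise PermissionError("wrong master password")
    vault["auth_salt"] = os.urandom(16)
    vault["auth_hash"] = _pbkdf2(new, vault["auth_salt"])

def _fernet(vault: dict, phrase: str) -> Fernet:
    # Fernet expects a url-safe base64 encoding of a 32-byte key.
    return Fernet(base64.urlsafe_b64encode(_pbkdf2(phrase, vault["kdf_salt"])))

def add(vault, phrase, site, username, password) -> None:
    token = _fernet(vault, phrase).encrypt(password.encode()).decode()
    vault["entries"][site] = {"username": username, "password": token}

def get(vault, master_password, phrase, site) -> str:
    if not unlock(vault, master_password):
        raise PermissionError("wrong master password")
    token = vault["entries"][site]["password"].encode()
    return _fernet(vault, phrase).decrypt(token).decode()  # InvalidToken on wrong phrase

if __name__ == "__main__":
    v = new_vault("old-master")  # constructed sample values
    add(v, "stable phrase", "github.com", "user", "s3cret")
    change_master(v, "old-master", "new-master")
    print(get(v, "new-master", "stable phrase", "github.com"))
```

In this layout the master password is an application-level gate only: the confidentiality of the stored passwords rests entirely on the encryption phrase, so the phrase needs protection at least as strong as the master password.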