kelvin

kelvin

a terminal password manager

Strong passwords, generated straight to your clipboard. Encrypted locally with AES-256-GCM — one master password, no cloud, no GPG agent, no leaving your machine.

$ cargo install --path .
Install guide →
Built in Rust MIT licensed AES-256-GCM v0.1.1

what is it

A password vault that lives in your terminal

kelvin is a command-line password manager. It generates strong passwords on demand and copies them straight to your clipboard — nothing printed to screen.

Passwords are saved as decks, organized by domain. Use namespaces like prod/db or staging/api to keep server credentials tidy. Each deck can carry notes — hostname, port, username — so one command tells you everything you need to connect.

The vault is a single encrypted file on your machine, locked with AES-256-GCM and a key derived from your master password via Argon2id. One prompt per session. No agent, no subprocess, no cloud.

in action

It's all a few keystrokes away

~/ — kelvin
$ kelvin create-admin
New vault. Choose a master password: ••••••••••
Enter admin username: kekeli
Admin created.
 
$ kelvin deck
Master password: ••••••••••
Enter domain: prod/db
Enter notes: host: db.prod.example.com, port: 5432
Deck saved.
 
$ kelvin list
prod/db host: db.prod.example.com, port: 5432
 
$ kelvin open-sesame
Enter domain: prod/db
Notes: host: db.prod.example.com, port: 5432
Clearing clipboard in 30 seconds...
 
$

reference

Commands

Run kelvin [COMMAND]. Every part of the workflow has a command — from generating passwords to exporting them into shell scripts.

kelvin generate

Generate a strong random password and copy it to your clipboard. Pass -l to set the length.

kelvin create-admin

Set up your vault and admin account. Prompts for a master password on first run — one prompt from then on.

kelvin deck

Add a password to the vault. Prompts for domain, password, and optional notes (hostname, port, user).

kelvin list

List every stored domain with its notes inline.

kelvin open-sesame

Retrieve a stored password to your clipboard. Notes are shown inline.--stdout to pipe into scripts instead.

kelvin env

Output a password as export VAR=value — use with eval $(kelvin env) to drop credentials into your shell.

kelvin update

Change the password for a stored domain without touching its notes.

kelvin delete

Remove a single entry from the vault by domain name.

kelvin reset

Wipe the vault entirely.

how it keeps secrets

Local by default

AES-256-GCM encrypted

The vault is a single .vault.enc file locked with AES-256-GCM. The key is derived from your master password using Argon2id — one prompt per session.

Stays on your machine

No cloud sync, no remote servers, no accounts. Every password lives locally. Nothing leaves your machine.

Clipboard-first

Passwords land on your clipboard and are cleared after 30 seconds. Nothing is ever printed to the terminal in plaintext.

get started

Install kelvin

Two ways to install — download a pre-built binary or build from source with Cargo.

option 1 — pre-built binary (macOS x86_64)

Download the binary from the latest release

$ curl -L https://github.com/db-keli/kelvin/releases/latest/download/kelvin-macos-x86_64 -o kelvin
$ chmod +x kelvin
$ mv kelvin /usr/local/bin/kelvin

option 2 — build from source

Requires git and the Rust toolchain (cargo).

Clone and install

$ git clone https://github.com/db-keli/kelvin.git
$ cd kelvin
$ cargo install --path .

Create your vault

$ kelvin create-admin
# choose a master password and set your admin login
# then run `kelvin deck` to add your first entry

Still building — come help out

kelvin is open source and welcoming contributions. Check the contributing guide or open an issue on GitHub.

View on GitHub Contributing guide →