CLI Password manager for stored and generated passwords.

Usage no npm install needed!

<script type="module">
  import nodekey from '';


NodeKEY - Node.js Key Encryption and Yank

License Version Downloads


npm install -g nodekey

Run nodekey --help to get usage instructions regarding program arguments.

Run nodekey without arguments to define a master key and enter interactive mode. Use the interactive command help to show the available commands.


Main Features:

  • Keep your keys (passwords) organized with a file-system-alike hierarchy
  • Each application (directory-alike) may contain a schema with details on key (file-alike) generation
  • Configure an application once, generate any amount of keys for it
  • Keys can also be stored encrypted if you don't want to generate a pseudo-random one
  • Easy to use interactive mode with clipboard utilization



On first startup you are asked for an encryption password for the profile data (e.g. application schemas, meta data, ...). This password will also be used as default master key for key generation and encryption. You will be asked for this password on every startup with the same profile path ($HOME/.config/NodeKEY/ by default).

If needed, the su command can be used for a different master key for key generation and encryption.


You may adjust any settings within the newly created settings file (<profile-path>/settings.json by default). However the default settings should suffice in general.

Applications and Keys

Use the mkapp command (see help mkapp for details) to create your applications (use -S option for directories that won't directly contain generated keys). Now you can create keys for those applications with the key command (see help key for details).

With the cat and fetch commands the key contents can be displayed or put into the system clipboard respectively.


Generated keys

NodeKEY uses scrypt for primary hashing. This provides high computational and memory difficulties for possible attacks. In addition -- if supported by the system -- SHA512 or SHA256 (fallback) is used, just in case scrypt has any design flaw.

Stored keys

Stored keys use the same hashing methods as generated keys, to generate a passphrase that is then used for the encryption algorithm. NodeKEY already considers it impossible for an attacker to reconstruct the master key from a hash. In conclusion it ought to be impossible to reconstruct the master key from a stored key as well.

For encryption, NodeKEY uses aes-256-cbc and bf-cbc as available on the system.

As the entropy of a generated key is as high as it gets (NodeKEY might have slight entropy losses, but nothing critical) with the defined schema, generated keys are still preferred over custom stored ones. Keep in mind that you probably never need to type in the password by hand.


Using the clipboard is one weakness of password managers. An infected system may spy the clipboard and thus get access to the application keys. However since such malware probably would also spy on typed keys, this weakness is no more critical than typing passwords by hand.


Make sure to log out (Ctrl+D/exit) whenever you leave your computer unwatched. Nobody would be able to get access to the master key, but the application keys are vulnerable to simple computer access while logged in.