A Console Based Password Management Program

go get



A Console Based Password Management Program

LatchBox is created by Vi Grey ( and is licensed under the BSD 2-Clause License. Read LICENSE for more license text.


LatchBox is a CLI based password manager that saves account information in an AES256-GCM encrypted file that can securely be accessed and stored by the user. The encrypted password file is locked using a master passphrase and/or a keyfile.


  • BSD
  • GNU/Linux
  • OS X

Build Dependencies:

  • gb
  • Go >= 1.1.1

Optional Dependencies:

  • xclip (For BSD and GNU/Linux)
  • shred (For GNU/Linux)
  • gshred (For BSD)


$ make
$ sudo make install


$ sudo make uninstall


$ latchbox -h
Usage: latchbox [ OPTIONS ]...

  -h, --help       Print Help (this message) and exit
      --version    Print version information and exit


You can import .csv files made from LastPass or KeePass to your password file in LatchBox.

Expected csv labels (case insensitive) for the different entries are:

  • name or account for NAME
  • username or login name for USERNAME
  • password for PASSWORD
  • url or web site for URL
  • grouping or group for GROUP
  • extra or comments for COMMENT

These labels can be in any order and some can be excluded as long as name or account is included. Quotation marks are allowed every csv field as well.

To convert from other formats (Mostly LastPass and KeePass) and prevent conflicts, the NAME entries will replace / symbols with \ symbols and the GROUP entries will swap both / symbols and \ symbols.


Before you export a csv file of your password data, you will need to input your passphrase/keyfile combination. After that, a csv file will be made in the chosen path with the csv labels in the order of:


where grouping is the group and extra is the comment. This is the exact same layout LastPass uses, so if you want to export to KeePass, it is recommended that you import as a LastPass .csv file.

Just like importing, NAME entries will replace / symbols with \ symbols and GROUP entries will swap both the / symbols and the \ symbols. This is to make sure groups are separated by \ symbols like hello\world, which LastPass and KeePass understand, rather than hello/world, which is LatchBox syntax.

Config File:

After starting LatchBox, a config file and latchbox folder will be created. That folder will be at $HOME/.latchbox/. The folder will contain a file called config. You can edit the config file by changing the contents inside of the quotes.

To make a backup file of your password files in the backup folder inside of the latchbox folder when your password file updates for the first time after opening the password file, make sure makeBackups is set to "true" (case-insensitive).

To set the default password file location, edit defaultPasswordFile. The default password file must be empty or not exist in order to use it as the default NEW password file, otherwise if it follows what is expected of an encrypted password file, it will be the default OPEN password file.


LatchBox uses AES256-GCM to encrypt the password file [see LatchBox File Specifications]. The AES256-GCM key is created by using a HMAC-SHA256 based PBKDF2 hash of the LatchBox file passphrase. If a key file is included, a SHA512 hash of the file content will be appended to the passphrase before doing the HMAC-SHA256 based PBKDF2 of the passphrase.

LatchBox File Specification:

LatchBox File protocol specifications can be found in docs/latchbox-spec.txt.