VuuPass, a basic local password manager. Written in C and GTK3.
This is as simple as it gets, brute simple tiny app with a nice plain interface, easy to use.
It uses Libsodium for solid 256 bit encryption, and a local encrypted text database, so
there's almost no dependencies, no sqlite or other DB library.
The app doesn't do autofill or connect to the internet, everything is manual, you will
have to enter or copy/paste your info into the main pane. There's no fields in the main
pane, this is just basically an encrypted text-editor. So when using it you'll need to
copy/paste your login data from the app into your browser window for whatever site you
are logging in to.
The first time you open the app after install, it checks for the existence of the VuuPass
directory and the vuupass.vault file, if they don't exist then the first-run dialog will
appear for you to create your new master password, after you do that it creates the
directory and drops a new generic vuupass.vault file in there, then opens the GUI. On
subsequent openings of the app you will get a simple password-entry dialog.
The directory for the vault is: ~/.local/share/VuuPass/vuupass.vault, and it stores the
vault file and a backup from the last time you saved.
Usage is simple, to make a new entry, make sure the "New Site" entry at the top is highlighted,
then add your content in the main pane, and enter name of the new site (or whatever title you want)
in the bottom "Site:" field and then hit save. To edit an entry simply highlight it in the left
pane and edit as desired, then use the save button, when editing an existing entry there will
be a confirmation dialog first to make sure you want to overwrite the existing info.
Note if you modify the name/title/site field, whether changing the main content or not, it will
create a new entry with your new title rather than overwrite the existing one, this is just
another little safety net, so if you make a mistake on the new one, you still have the old copy,
if not needed just highlight it and use the delete button. The delete button will delete any
entry but the "New Site" placeholder for entry creation, and it also has a confirmation dialog
before deletion occurs.
The search bar at the top searches sites/titles, and narrows down choices as you type, when done
just hit the "Clear" button at the upper right to clear the search field and restore the full
list of entries.
Security notes
--------------------------
The master key is derived using Argon2id with parameters tuned for high security.
The salt is a fixed 16-byte value (all hex literals for maximum entropy) embedded
directly in the compiled binary (not stored in the encrypted vault file).
This means:
- The salt is NOT visible by just opening vuupass.vault in a text or hex editor.
- An attacker with only the vault file can't derive/test passwords without also analyzing the binary.
- Advanced users compiling from source can customize the salt for extra uniqueness:
1. Open vuupass.c
2. Find the `VUUPASS_SALT` array (16 bytes)
3. Change any or all bytes (e.g. to random values you generate securely)
4. Recompile the binary
Your derived keys will now be incompatible with the stock binary, adding a personal "pepper" layer.
Note: Keep a record of your custom salt — if you lose the source/binary with your changes,
you'll need it to rebuild identically.
Here's the pertinent section you're looking for:
// Argon2id key derivation - salt must be 16 bytes
static const unsigned char VUUPASS_SALT[crypto_pwhash_SALTBYTES] = {
0x56, 0x75, 0x75, 0x50, 0x61, 0x73, 0x73, 0x4C, // V u u P a s s L
0x6F, 0x63, 0x61, 0x6C, 0x31, 0xE2, 0x9F, 0xA5 // o c a l 1 + 3 random bytes - this is the salt
To quickly generate a random string of bytes you can use "openssl rand -hex 16" in terminal,
that will generate 32 characters (16 pairs), just copy the output and format as 0x pairs.
To compile the binary, you will need to have the usual compiling packages, GCC and pkg-config
and such, and you also need the libgtk-3-dev and libsodium-dev packages. Here's the compile command:
gcc -o vuupass vuupass.c `pkg-config --cflags --libs gtk+-3.0` -lsodium
You can (and should) save your modded source/binary separate from the original source, as opposed
to overwriting the stock source/binary, so if your mods don't work out you can always start over.
Just rename the source before you compile it and change the command to match, "vuupass1.c" or similar.
This is not a replacement for a strong master password, use a long, unique passphrase!
4 to 6 words is what's recommended for a strong passphrase. The app does not force you
to mix upper and lower case letters, symbols, numerals etc. (though it's good policy if you do),
but it does have a minimum 8-character limit. Remember, every character you add makes it
exponentially harder to crack.
Download Latest Version
Devuan-Mate-Mini-6-20260209_1743.iso (1.5 GB)
