Kagikanri is a modern, secure, self-hosted password manager that provides a beautiful web interface for the battle-tested pass
password store, with optional passkey support for enhanced security.
pass
password store┌─────────────────┐ ┌──────────────────┐ ┌─────────────────┐
│ Svelte 5 UI │───▶│ Rust Backend │───▶│ Pass CLI + GPG │
│ + Tailwind │ │ (Axum + API) │ │ Password Store │
└─────────────────┘ └──────────────────┘ └─────────────────┘
│
▼
┌─────────────────┐
│ SQLCipher DB │
│ (Passkey Store) │
└─────────────────┘
pass
CLI tool installedClone the repository
git clone <your-repo-url>
cd kagikanri
Build the frontend
cd frontend
pnpm install
pnpm build
cd ..
Set up environment variables
export GIT_REPO_URL="https://github.com/user/password-store.git"
export GIT_ACCESS_TOKEN="your-github-token"
export DATABASE_ENCRYPTION_KEY="$(openssl rand -hex 32)"
export PASSWORD_STORE_DIR="/path/to/your/pass/store"
Run the backend
cd backend
cargo run
Access the web interface Open http://localhost:8080 in your browser
# Build the Docker image
docker build -t kagikanri:latest .
# Run with environment variables
docker run -d \
--name kagikanri \
-p 8080:8080 \
-e GIT_REPO_URL="https://github.com/user/password-store.git" \
-e GIT_ACCESS_TOKEN="your-token" \
-e DATABASE_ENCRYPTION_KEY="$(openssl rand -hex 32)" \
-v /path/to/gpg:/home/app/.gnupg:ro \
-v kagikanri-data:/data \
kagikanri:latest
Variable | Required | Default | Description |
---|---|---|---|
GIT_REPO_URL |
✅ | - | Git repository URL for password store |
GIT_ACCESS_TOKEN |
✅ | - | Git access token for private repos |
DATABASE_ENCRYPTION_KEY |
✅ | - | 32-byte hex key for passkey database |
MASTER_PASSWORD_PATH |
❌ | kagikanri/master-password |
Path to master password in pass store |
TOTP_PATH |
❌ | kagikanri/totp |
Path to TOTP secret in pass store |
PORT |
❌ | 8080 |
Server port |
PASSWORD_STORE_DIR |
❌ | /data/password-store |
Pass store directory |
DATABASE_URL |
❌ | sqlite:///data/passkeys.db |
Passkey database URL |
SYNC_INTERVAL_MINUTES |
❌ | 5 |
Git sync interval |
Initialize pass store (if not already done)
pass init <your-gpg-key-id>
Set up Kagikanri credentials
# Master password for web UI login
pass insert kagikanri/master-password
# TOTP secret for 2FA (base32 encoded)
pass otp insert kagikanri/totp
Initialize Git repository
pass git init
pass git remote add origin <your-repo-url>
pass git push -u origin master
The backend provides a REST API:
POST /api/auth/login
- Authenticate with master password + TOTPGET /api/passwords
- List all passwordsGET /api/passwords/*path
- Get specific passwordPOST /api/passwords/*path
- Create/update passwordGET /api/otp/*path
- Get TOTP codePOST /api/sync
- Trigger Git syncGET /api/health
- Health checkkagikanri/
├── backend/ # Rust backend (Axum + API)
│ ├── src/
│ │ ├── auth.rs # Authentication logic
│ │ ├── pass.rs # Pass CLI integration
│ │ ├── git.rs # Git synchronization
│ │ └── ...
│ └── Cargo.toml
├── frontend/ # Svelte 5 + TypeScript frontend
│ ├── src/
│ │ ├── routes/ # SvelteKit routes
│ │ ├── lib/ # Components and stores
│ │ └── ...
│ └── package.json
├── k8s/ # Kubernetes manifests
├── docs/ # Documentation
└── Dockerfile # Multi-stage Docker build
Backend:
Frontend:
Frontend not loading: Ensure pnpm build
was run in the frontend directory
Pass commands failing: Check GPG key setup and PASSWORD_STORE_DIR
Git sync errors: Verify GIT_ACCESS_TOKEN and repository permissions
TOTP authentication failing: Ensure TOTP secret is properly base32 encoded
Enable debug logging:
export RUST_LOG=kagikanri=debug,tower_http=debug
MIT License - see LICENSE file for details