CLI to manage passwords
Warning
Mimosa is no longer maintained: the maintenance cost was not worth the value it brought. macOS and Windows already expose a CLI, and GNOME users already have secret-tool. The only real use case was for Linux users who do not run GNOME, or for testing purposes (keyutils). There are enough CLIs available out there; there is no need for another one!
- D-Bus Secret Service support on Linux / FreeBSD
- Z-Bus Secret Service support on Linux / FreeBSD
- Linux kernel keyutils support on Linux (in-memory, non-persistent across reboots)
- Apple Keychain support on macOS
- Windows Credential Manager support on Windows
- TOML configuration with multi-store support
- JSON output via --json
Tip
Mimosa is written in Rust and uses cargo features to gate keyring backend support. The default feature set is declared in Cargo.toml.
Mimosa can be installed with the installer:
As root:
curl -sSL https://raw.githubusercontent.com/pimalaya/mimosa/master/install.sh | sudo sh
As a regular user:
curl -sSL https://raw.githubusercontent.com/pimalaya/mimosa/master/install.sh | PREFIX=~/.local sh
These commands install the latest binary from the GitHub releases section.
For a more up-to-date version than the latest release, check out the releases GitHub workflow and look for the Artifacts section. These pre-built binaries are built from the master branch.
Note
Such binaries are built with the default cargo features. If you need specific features, please use another installation method.
cargo install --locked --git https://github.com/pimalaya/mimosa.git
With only Linux keyutils support:
cargo install --locked --git https://github.com/pimalaya/mimosa.git \
--no-default-features \
--features keyutils
If you have the Flakes feature enabled:
nix profile install github:pimalaya/mimosa
Or run without installing:
nix run github:pimalaya/mimosa
git clone https://github.com/pimalaya/mimosa
cd mimosa
nix run
Copy config.sample.toml into one of the canonical paths below and edit it by hand.
A configuration is loaded from the first valid path among:
- $XDG_CONFIG_HOME/mimosa/config.toml
- $HOME/.config/mimosa/config.toml
- $HOME/.mimosarc
Override the path with -c <PATH> or MIMOSA_CONFIG=<PATH>; multiple paths can be passed at once, separated by :. The first one is the base and the rest are deep-merged on top.
Every password subcommand takes a store name as its first positional argument; the name must match a [stores.<name>] block in the configuration file.
mimosa password write <STORE> [PASSWORD]
PASSWORD is interpreted as:
- a literal secret if it is a non-empty string and is not a path to an existing file,
- the contents of the file (trailing newline / carriage return stripped) when the argument resolves to one,
- the bytes read from stdin if the argument is omitted (supports both piping and shell redirection).
mimosa password write example my-secret
mimosa password write example /path/to/secret
mimosa password write example < /path/to/secret
echo my-secret | mimosa password write example
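A literal PASSWORD argument ends up in the shell history and the process argument list, and a value that happens to match an existing file path is replaced by that file's contents; the stdin form avoids both. The wrapper below is an added example, not part of Mimosa: `store_secret` is a hypothetical helper name, and it assumes `mimosa` is on PATH.

```shell
#!/bin/sh
# Added example, not part of Mimosa. Assumes `mimosa` is on PATH and that
# STORE names a [stores.<name>] block in the configuration file.

# store_secret STORE
# Reads one line from stdin and hands it to `mimosa password write STORE`
# through a pipe. The body runs in a subshell, so the variable holding the
# secret does not outlive the call.
store_secret() (
    store=$1
    if [ -z "$store" ]; then
        echo "usage: store_secret STORE" >&2
        exit 2
    fi

    if [ -t 0 ]; then
        # Interactive: prompt on stderr and turn terminal echo off while
        # typing. The traps restore echo on normal exit and on Ctrl-C.
        trap 'stty echo' EXIT
        trap 'exit 130' INT TERM
        printf 'Secret for %s: ' "$store" >&2
        stty -echo
        IFS= read -r secret || true
        printf '\n' >&2
    else
        # Piped or redirected input. `read` returns non-zero when the last
        # line has no newline but still fills the variable.
        IFS= read -r secret || true
    fi

    if [ -z "$secret" ]; then
        echo "empty secret, nothing written" >&2
        exit 1
    fi

    # printf is a shell builtin, so the secret never appears in any
    # process's argument list. No trailing newline is sent, so the stored
    # bytes are exactly the secret.
    printf '%s' "$secret" | mimosa password write "$store"
)
```

Run `store_secret example` at a terminal to be prompted without echo, or feed it from another command's output.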
mimosa password read <STORE>
The raw secret is printed to stdout, making it easy to pipe into other commands. With --json, the output becomes {"password":"..."}.
mimosa password remove <STORE>
Returns "Password successfully removed from <STORE>" when an entry was deleted, or "No password found in <STORE>, nothing was removed" otherwise.
The --log-level <LEVEL> flag controls log verbosity (off, error, warn, info, debug, trace). When omitted, RUST_LOG is consulted; it supports per-target filters (see the env_logger docs). RUST_BACKTRACE=1 enables the full error backtrace.
Logs go to stderr by default; redirect them with --log-file <PATH> or shell redirection:
mimosa password read example --log-level debug --log-file /tmp/mimosa.log
mimosa password read example --log-level trace 2>/tmp/mimosa.log
- Chat on Matrix
- News on Mastodon or RSS
- Mail at pimalaya.org@posteo.net
Special thanks to the NLnet foundation and the European Commission that have been financially supporting the project for years:
- 2022 → 2023: NGI Assure
- 2023 → 2024: NGI Zero Entrust
- 2024 → 2026: NGI Zero Core
- 2027 in preparation…
If you appreciate the project, feel free to donate using one of the following providers:
