APM Documentation¶

APM (Advanced Password Manager) is a professional-grade, zero-knowledge command-line password manager built in Go. It provides encrypted-at-rest vault storage, multi-cloud synchronization, AI-agent integration via MCP, a Windows autofill daemon, a manifest-based plugin system, and organizational team support — all driven from a single CLI binary.

Why APM?¶

Zero-Knowledge Architecture — Your master password never leaves your machine. The vault is encrypted with Argon2id plus an AEAD cipher (AES-256-GCM or XChaCha20-Poly1305) and protected by HMAC-SHA256 integrity signatures.
25+ Secret Types — Passwords, TOTP, API keys, SSH keys, certificates, banking, medical records, legal contracts, documents with file attachments, and more — each with a structured schema.
Multi-Cloud Sync — Native support for Google Drive, GitHub, and Dropbox. Your vault is uploaded as an encrypted blob; providers never see plaintext.
AI-Agent Integration — Built-in MCP (Model Context Protocol) server lets AI assistants like Claude, Cursor, and Windsurf read and manage vault entries with permission-scoped, token-based access.
Windows Autofill — A local daemon that detects credential forms and injects keystrokes via hotkey — no browser extension required.
Face ID Unlock (Optional) — Biometric unlock powered by local face recognition. Available when built with the faceid build tag.
Plugin Ecosystem — Manifest-based plugins with 100+ granular permissions, a marketplace, and hook-based lifecycle integration.
Team Edition — Multi-user credential sharing with RBAC, departments, and approval workflows.

Quick Install¶

macOS / LinuxWindows PowerShellBuild from Source

curl -sSL https://raw.githubusercontent.com/aaravmaloo/apm/master/scripts/install.sh | bash

Set-ExecutionPolicy Bypass -Scope Process -Force
iwr https://raw.githubusercontent.com/aaravmaloo/apm/master/scripts/install.ps1 -UseBasicParsing | iex

git clone https://github.com/aaravmaloo/apm.git
cd apm
go build -o pm main.go

For full installation details, see Installation.

Quickstart¶

# 1. Run the guided setup flow
pm setup

# 2. Unlock the vault to start a session
pm unlock

# 3. Add your first entry
pm add

# 4. Search and retrieve entries
pm get github

# 5. Generate a strong password
pm gen

# 6. Lock when done
pm lock

For a detailed walkthrough, see First Steps.

How the Documentation Is Organized¶

Getting Started ¶

Installation, first steps, and a feature overview to get productive quickly.

Guides ¶

Practical how-to guides for day-to-day tasks:

Managing your vault — Adding, searching, editing, and organizing entries
Cloud synchronization — Setting up GDrive, GitHub, and Dropbox sync
Using .apmignore — Controlling what gets uploaded to cloud providers
Autofill on Windows — The autofill daemon and hotkey injection
Generating TOTP codes — 2FA management and autofill linking
Managing sessions — Unlock, lock, ephemeral sessions, and delegation
Using plugins — Installing, managing, and creating plugins
MCP integration — Connecting AI assistants to your vault
Team edition — Organizational credential sharing
Importing and exporting — JSON, CSV, and TXT import/export

Concepts ¶

Deep technical explanations of how APM works:

Architecture — The four-layer design
Encryption — Argon2id, AES-GCM, XChaCha20-Poly1305, HMAC-SHA256
Vault format — The V4 binary format specification
Secret types — All 25+ structured entry types
Security profiles — Standard, Hardened, Paranoid, Legacy
Policy engine — YAML-based password and rotation policies
Sessions — Shell-scoped and ephemeral delegated sessions
Cloud synchronization — Provider comparison and sync mechanics
Plugins — Plugin architecture and permission model
MCP server — Model Context Protocol server internals
Recovery — Multi-factor recovery, quorum shares, passkeys

Reference ¶

Precise technical specifications:

CLI reference — Every command, subcommand, and flag
.apmignore reference — Format specification
Storage reference — File locations and data layout
Environment variables — All supported env vars
Plugin API — Manifest schema and permissions catalog
MCP tools — Tool schemas and permission requirements
Policies — YAML policy schema and examples

Team ¶

Team edition documentation for organizational deployments:

Threat Model¶

Vector	Status	Mitigation
Offline Brute-Force	Protected	Argon2id high-cost derivation (up to 512 MB, 6 iterations)
Vault Tampering	Protected	HMAC-SHA256 integrity signature across all metadata
Credential Theft	Protected	Cloud tokens are encrypted inside the vault
Identity Spoofing	Protected	Multi-factor recovery (Email → Recovery Key → OTP → Optional 2nd factor)
Session Hijacking	Protected	Shell-scoped sessions (`APM_SESSION_ID`) and inactivity timeouts
Weak Passwords	Controlled	Enforceable password policies via YAML Policy Engine
Compromised Host	Not Protected	Outside security boundary (keyloggers, malware)

Contact & Support¶

Primary Maintainer: Aarav Maloo
Security Alerts: aaravmaloo06@gmail.com
GitHub Issues: aaravmaloo/apm/issues