Order now


Want to read more?
Take a look!
Pave Documentation

Found a bug?

Let us know!
Report bug

 Email us

Get in touch with us,
We want to hear from you!

Give us a call

Monday – Friday
8:00 – 17:00 (CET/CEST)
+43 316 21 800 37


How secure is PAVE?

Very. By utilising the latest encryption standards (X25519 and Chacha20 – safer, faster and more modern than the more commonly used AES encryption) we ensure that your data will always be safe, whether in transit or stored. And since all data storage is under your control, and not some foreign cloud service, even these encrypted data will be hard to steal – and impossible to crack.

What operating systems are supported?

macOS, Windows  and Linux (Debian and derivatives) are fully supported. Support for mobile operating systems will be added in future (see above) and Linux packages for RHEL and derivatives provided shortly.

Where can I find documentation?

A full manual can be found on https://docs.pave.software/, additionally, our blog articles have in-depth information on specific technical aspect of PAVE.

How do I add a password?


You can open the password form either with the + Add button in the upper right corner, or by pressing ⌘+N/Ctrl+N.

A title/short description is needed for all passwords, the other fields are optional. If you want to generate a password, either press the Generate button, or use the (⌘/Ctrl)+1/2/3 shortcuts.

By clicking “Save password”, the password is encrypted, stored and (in case of Team PAVE) synchronised with all groups you shared it with.

What happens to my passwords if TAO Digital stops developing PAVE?

Nothing at all – we store no data (except those necessary for billing), all passwords reside on your computers. You can keep using PAVE indefinitely.

How do I generate secure passwords?

You are recommended to use our, or any other cryptographically secure password generator to make up passwords – the human brain is too easy tricked into using predictable patterns.

If you want to generate passwords that are easily memorized, we recommend XKCD style passwords:


But even for this method, please make sure you are using a cryptographically secure generatorUsing song lyrics, or book contents, or similar pseudo-random sources leads to trivially cracked passwords

How does the password generator work?

PAVE’s password generator works similar to other generators: We utilize the operating system’s CSPRNG (/dev/random on macOS/Linux and CryptGenRandom on Windows) to generate true random data, and then convert it to a string of random letters, digits and (on the highest setting) punctation marks. With this, the generator’s weak, medium and strong settings achieve (roughly) 56, 88 and 192 bit equivalent entropy.

Wherever possible, strong passwords should be generated, the weaker settings are intended for memorized passwords and for services that disallow long passwords, and should be rotated regularly.

(Adding XKCD-style passwords to the password generator is planned, with a strengths of 64 and 96 bits, resulting in four and six word passphrases.)

Can I import passwords from Lastpass/1password/Keepass/other services?

Not yet. An importer is planned, and will be provided in the near future.

Where can I submit bug reports and suggestions?

Please write an e-mail to digital@tao.at. An issue tracker will be set up soon™.

How many passwords can I manage inside PAVE?

There is no limit on either the Free or any of the Team versions. Database sizes in the order of a few thousands of passwords work reasonably well even on several years old laptops, bigger databases might need faster hardware to be searched quickly. Additional performance improvements are planned with subsequent versions.

How do I uninstall PAVE?


Delete the PAVE entry in your Applications folder to uninstall the app.

To remove cached and other temporary data, delete the folder ~/Library/Application Support/FreePAVE (or TeamPAVE).

If you also want to delete your user data (including all FreePAVE passwords and TeamPAVE private keys), delete the folder ~/.config/pave as well.


Uninstall the PAVE entry in Control Panel\Programs and Features to uninstall the application.

To remove cached and other temporary data, delete the folder %APPDATA%\FreePAVE (or TeamPAVE).

If you also want to delete your user data (including all FreePAVE passwords and TeamPAVE private keys), delete the folder%APPDATA%/pave as well.


  • Remove the package
  • Remove ~/.config/FreePAVE (or TeamPAVE) to remove cached and other temporary data
  • Remove ~/.config/pave to delete your user data (including all FreePAVE passwords and TeamPAVE private keys)
If I delete a password is there a way to recover it?

Without backups there is no way to restore deleted data.

How do I back up my data?

The PAVE folder contains all private keys, and in case of Free PAVE also the password database.

On OSX and Linux, it can be found in ~/.config/pave, on Windows in %APPDATA%\pave.

For Team PAVE, the server’s database also needs to be backed up. Please refer to your database engine’s documentation for best practices.

What are the system requirements to install PAVE?

Free PAVE and Team PAVE client

  • At least 200 MiB free disk space
  • 256 MiB free RAM
  • The faster the CPU the better, obviously, but for normal-sized databases (about a thousand passwords), any Core2 or Core i3 CPU will suffice.

Team PAVE server

  • At least 16 MiB free disk space
  • At least 32 MiB free RAM
  • MySQL or PostgreSQL database server, or an additional 4 MiB disk space per thousand passwords for SQLite
  • 2 or more (virtual) CPU cores recommended
Which encryption algorithms does PAVE support/use?

PAVE uses encryption in several areas:

  • Communication between servers (update, sync, keys) and clients: PAVE uses regular TLS 1.2, supporting all algorithms supported by NodeJS and Go.
  • Storing Free PAVE databases and Team PAVE keys: This uses XSalsa20 for encryption, Poly1305 for authentication (via libsodium’s secret box API), and scrypt as key derivation function to derive the key (via libsodium’s pwhash API).
  • Encrypting Team PAVE passwords: Here, X25519 is used as key exchange algorithm, combined again with XSalsa20 and Poly1305 (via libsodium’s box API).
What data does TAO see?

For Team PAVE accounts, we obviously need to see your billing data, and we retain e-mail addresses of all registered users.

Other than that, we have absolutely zero insight into what you do with PAVE. As there’s neither cloud hosting nor -backups, we do not have any access to your data, not even encrypted. Everything remains on your local network.

What languages does PAVE support?

Currently we have English and German translations available. Further can be provided on demand.

What’s the difference between using the PAVE password manager and the password safe included in some browsers?
  • Improved security: By default, browser key rings are not encrypted (unless you set a “master password”). This makes it easier for malware to steal your passwords without you noticing.
  • Password sharing: It’s hard to get passwords out of most browsers’ key rings, so re-using them inside other programs is hard (e.g., you want to use your GMail password inside your mail app, too), so is sharing them with others.
  • Password synchronization: While some browsers support syncing passwords, they only do so to cloud vendors, giving them access to all your passwords. PAVE keeps your passwords safe, and still allows syncing not only between your own computers, but also with others in your team.


I’ve lost the master password – what now?

Your passwords are gone. Master passwords are designed to be almost impossible to brute force (using scrypt with sensitive preset as KDF), and as such, there is no way to get your passwords back without knowing (or guessing) the password.

How do I download and install PAVE?

After registering with your e-mail address, you will be redirected to the download site. On it, you will find downloads for all supported platforms.

For macOS: After downloading, click the .dmg file to open it; drag and drop the Pave icon into the Applications folder.

For Windows: After downloading, double-click the .exe file to start the installer, it will install PAVE and create a desktop shortcut.

For Linux: A repository is provided for common distributions to allow automated updates, please follow the instructions on the download site to configure it. Alternatively, you can download a deb/pacman package and install it manually, please refer to your distribution’s documentation for further information.

How do I get updates for PAVE?

In macOS and Windows, updates are automatically downloaded and you will be prompted to quit PAVE for installing the upgrade. You can postpone this for as long as you like, but we recommend installing patches quickly.

Linux users can either set up a repository during installation, to receive automated updates, or update manually, by downloading and installing the new version on top of the old.

How do I upgrade to Team PAVE?

Single and Team PAVE are independent, you can use both in parallel if you wish to. In future, we will provide a data migration tool so you can transfer passwords between them. Imported passwords will be private by default, but can be shared with others.

Do I need an internet connection?

Not necessarily. An internet connection is obviously needed to download and install security patches and other updates, but otherwise, you can use PAVE entirely off-line.

Can I use PAVE on multiple computers?

Yes. While the free tier has no built-in sync, you can manually copy the database file between computers to access your passwords on all of them.

Can I use Free PAVE for commercial purposes?
How do I receive updates?

Updates are downloaded automatically once available and will trigger a notification asking you to restart PAVE. During the restart, the update will be installed in background.

On major releases (i.e., new features), newsletter subscribers will also receive an e-mail notification. For bugfix releases, only a changelog will be published in the blog.


I’ve lost my key password – what now?

An admin can provision a new key for you, and re-add you to your groups, restoring your access to all shared passwords. However, all private passwords will be lost, as they can only be opened with your private key.

How do I download and install PAVE?
How do I get updates for PAVE?

In addition to centralised updates as for the Free version (see above), customers can set up their own update servers for integration with existing infrastructure. Please refer to our installation manual for details.

Do I need an internet connection?

Not necessarily. An internet connection is obviously needed to download and install security patches and other updates, otherwise, it depends on your setup. You can use the PAVE server completely air-gapped if you want, or you can make it internet accessible to allow remote synchronization.

What happens if my license expires?

Password sharing is locked out for unlicensed users, all other functions are unaffected – you can still add new private passwords, and retain access to all existing, already shared passwords, but you cannot share new passwords.

How do groups work?


When adding or editing passwords, you can opt to share passwords with different groups. These are managed in the backend and group users in whatever way you deem useful (organisational units, etc.), giving them either read or write access to their shared passwords.

Can I use PAVE on multiple computers? I got a new computer, can I install my licensed PAVE there?

Yes. Licenses are per-user, not per-machine, so every licensed user can install PAVE on as many of their devices as desired. There’s no license limit on server installations either, you can have an unlimited amount of key/data servers (as long as all their users are licensed).

Is there a free test version?

Not at this point. Free PAVE contains the same user-facing features as Team PAVE, apart from password synchronization, and should be used for evaluations.

A test version of the full Team PAVE might be provided at a later point.

Can I add private passwords without sharing them with anyone?

Yes. Passwords not explicitly shared with any particular group are private and can only be encrypted with your personal key. The encrypted blobs are synchronised to the server, but only you will be able to decrypt them again.

(If you want to store passwords that are not synchronised, consider installing Free PAVE in parallel.)

A coworker is sick, how can I access their passwords?

All passwords shared with groups can be accessed by any member of that group, and its admins can add new users, re-encrypting the passwords for them.

Private passwords will be inaccessible, however.

I can’t update an old password, why?

Access to groups can be granted either fully or read-only. Read-only passwords cannot be edited; please add a new private password instead and ask your administrator to give you write access.

I changed a password, when will my coworkers see it?

PAVE resyncs its database roughly every five minutes. If you’re impatient, you can kick off a sync manually using the “Sync Passwords” option of the PAVE menu (or Ctrl/⌘+R).

How can we quickly change passwords?

Currently, PAVE only allows storing passwords. It is planned to add the possibility of scripting password changes to update passwords on websites from within PAVE, but not yet available.

Can I change my billing account’s e-mail address?

Please contact our support, currently there’s no automated way of changing it.

I lost my license key, can I download it again?

Please contact our support, we will send you a new license key.

How do I receive updates?
  • Clients default to automatically downloading updates from our official servers. Customers can configure their own update servers, or use MSI packages and their own distribution systems, if they prefer that.
  • Servers will receive automated updates in Linux (if you enable our repositories), or can be updated manually on all OSes (package download).