Support Looking for help?

Very. By utilising the latest encryption standards (X25519 and Chacha20 – safer, faster and more modern than the more commonly used AES encryption) we ensure that your data will always be safe, whether in transit or stored. And since all data storage is under your control, and not some foreign cloud service, even these encrypted data will be hard to steal – and impossible to crack.

Not yet. Mobile clients are planned for the near future.

macOS, Windows  and Linux (Debian and derivatives) are fully supported. Support for mobile operating systems will be added in future (see above) and Linux packages for RHEL and derivatives provided shortly.

We offer email-based support as well as telephone support.

A full manual can be found on https://docs.pave.software/, additionally, our blog articles have in-depth information on specific technical aspect of PAVE.

You can open the password form either with the + Add button in the upper right corner, or by pressing ⌘+N/Ctrl+N.

A title/short description is needed for all passwords, the other fields are optional. If you want to generate a password, either press the Generate button, or use the (⌘/Ctrl)+1/2/3 shortcuts.

By clicking “Save password”, the password is encrypted, stored and (in case of Team PAVE) synchronised with all groups you shared it with.

Nothing at all – we store no data (except those necessary for billing), all passwords reside on your computers. You can keep using PAVE indefinitely.

You are recommended to use our, or any other cryptographically secure password generator to make up passwords – the human brain is too easy tricked into using predictable patterns.

If you want to generate passwords that are easily memorized, we recommend XKCD style passwords:

But even for this method, please make sure you are using a cryptographically secure generator. Using song lyrics, or book contents, or similar pseudo-random sources leads to trivially cracked passwords

PAVE’s password generator works similar to other generators: We utilize the operating system’s CSPRNG (/dev/random on macOS/Linux and CryptGenRandom on Windows) to generate true random data, and then convert it to a string of random letters, digits and (on the highest setting) punctation marks. With this, the generator’s weak, medium and strong settings achieve (roughly) 56, 88 and 192 bit equivalent entropy.

Wherever possible, strong passwords should be generated, the weaker settings are intended for memorized passwords and for services that disallow long passwords, and should be rotated regularly.

(Adding XKCD-style passwords to the password generator is planned, with a strengths of 64 and 96 bits, resulting in four and six word passphrases.)

Not yet. An importer is planned, and will be provided in the near future.

Please write an e-mail to digital@tao.at. An issue tracker will be set up soon™.

There is no limit on either the Free or any of the Team versions. Database sizes in the order of a few thousands of passwords work reasonably well even on several years old laptops, bigger databases might need faster hardware to be searched quickly. Additional performance improvements are planned with subsequent versions.

macOS

Delete the PAVE entry in your Applications folder to uninstall the app.

To remove cached and other temporary data, delete the folder ~/Library/Application Support/FreePAVE (or TeamPAVE).

If you also want to delete your user data (including all FreePAVE passwords and TeamPAVE private keys), delete the folder ~/.config/pave as well.

Windows

Uninstall the PAVE entry in Control Panel\Programs and Features to uninstall the application.

To remove cached and other temporary data, delete the folder %APPDATA%\FreePAVE (or TeamPAVE).

If you also want to delete your user data (including all FreePAVE passwords and TeamPAVE private keys), delete the folder%APPDATA%/pave as well.

Linux

• Remove the package
• Remove ~/.config/FreePAVE (or TeamPAVE) to remove cached and other temporary data
• Remove ~/.config/pave to delete your user data (including all FreePAVE passwords and TeamPAVE private keys)

Without backups there is no way to restore deleted data.

The PAVE folder contains all private keys, and in case of Free PAVE also the password database.

On OSX and Linux, it can be found in ~/.config/pave, on Windows in %APPDATA%\pave.

For Team PAVE, the server’s database also needs to be backed up. Please refer to your database engine’s documentation for best practices.

Free PAVE and Team PAVE client

• At least 200 MiB free disk space
• 256 MiB free RAM
• The faster the CPU the better, obviously, but for normal-sized databases (about a thousand passwords), any Core2 or Core i3 CPU will suffice.

Team PAVE server

• At least 16 MiB free disk space
• At least 32 MiB free RAM
• MySQL or PostgreSQL database server, or an additional 4 MiB disk space per thousand passwords for SQLite
• 2 or more (virtual) CPU cores recommended

PAVE uses encryption in several areas:

• Communication between servers (update, sync, keys) and clients: PAVE uses regular TLS 1.2, supporting all algorithms supported by NodeJS and Go.
• Storing Free PAVE databases and Team PAVE keys: This uses XSalsa20 for encryption, Poly1305 for authentication (via libsodium’s secret box API), and scrypt as key derivation function to derive the key (via libsodium’s pwhash API).
• Encrypting Team PAVE passwords: Here, X25519 is used as key exchange algorithm, combined again with XSalsa20 and Poly1305 (via libsodium’s box API).

For Team PAVE accounts, we obviously need to see your billing data, and we retain e-mail addresses of all registered users.

Other than that, we have absolutely zero insight into what you do with PAVE. As there’s neither cloud hosting nor -backups, we do not have any access to your data, not even encrypted. Everything remains on your local network.

Currently we have English and German translations available. Further can be provided on demand.

• Improved security: By default, browser key rings are not encrypted (unless you set a “master password”). This makes it easier for malware to steal your passwords without you noticing.
• Password sharing: It’s hard to get passwords out of most browsers’ key rings, so re-using them inside other programs is hard (e.g., you want to use your GMail password inside your mail app, too), so is sharing them with others.
• Password synchronization: While some browsers support syncing passwords, they only do so to cloud vendors, giving them access to all your passwords. PAVE keeps your passwords safe, and still allows syncing not only between your own computers, but also with others in your team.

Your passwords are gone. Master passwords are designed to be almost impossible to brute force (using scrypt with sensitive preset as KDF), and as such, there is no way to get your passwords back without knowing (or guessing) the password.

After registering with your e-mail address, you will be redirected to the download site. On it, you will find downloads for all supported platforms.

For macOS: After downloading, click the .dmg file to open it; drag and drop the Pave icon into the Applications folder.

For Windows: After downloading, double-click the .exe file to start the installer, it will install PAVE and create a desktop shortcut.

For Linux: A repository is provided for common distributions to allow automated updates, please follow the instructions on the download site to configure it. Alternatively, you can download a deb/pacman package and install it manually, please refer to your distribution’s documentation for further information.

In macOS and Windows, updates are automatically downloaded and you will be prompted to quit PAVE for installing the upgrade. You can postpone this for as long as you like, but we recommend installing patches quickly.

Linux users can either set up a repository during installation, to receive automated updates, or update manually, by downloading and installing the new version on top of the old.

Single and Team PAVE are independent, you can use both in parallel if you wish to. In future, we will provide a data migration tool so you can transfer passwords between them. Imported passwords will be private by default, but can be shared with others.

Not necessarily. An internet connection is obviously needed to download and install security patches and other updates, but otherwise, you can use PAVE entirely off-line.

Yes. While the free tier has no built-in sync, you can manually copy the database file between computers to access your passwords on all of them.

Yes, Free PAVE is free for commercial uses.

Updates are downloaded automatically once available and will trigger a notification asking you to restart PAVE. During the restart, the update will be installed in background.

On major releases (i.e., new features), newsletter subscribers will also receive an e-mail notification. For bugfix releases, only a changelog will be published in the blog.

An admin can provision a new key for you, and re-add you to your groups, restoring your access to all shared passwords. However, all private passwords will be lost, as they can only be opened with your private key.

Please refer to our installation manual.

In addition to centralised updates as for the Free version (see above), customers can set up their own update servers for integration with existing infrastructure. Please refer to our installation manual for details.

Not necessarily. An internet connection is obviously needed to download and install security patches and other updates, otherwise, it depends on your setup. You can use the PAVE server completely air-gapped if you want, or you can make it internet accessible to allow remote synchronization.

Password sharing is locked out for unlicensed users, all other functions are unaffected – you can still add new private passwords, and retain access to all existing, already shared passwords, but you cannot share new passwords.

When adding or editing passwords, you can opt to share passwords with different groups. These are managed in the backend and group users in whatever way you deem useful (organisational units, etc.), giving them either read or write access to their shared passwords.

Yes. Licenses are per-user, not per-machine, so every licensed user can install PAVE on as many of their devices as desired. There’s no license limit on server installations either, you can have an unlimited amount of key/data servers (as long as all their users are licensed).

Not at this point. Free PAVE contains the same user-facing features as Team PAVE, apart from password synchronization, and should be used for evaluations.

A test version of the full Team PAVE might be provided at a later point.

Yes. Passwords not explicitly shared with any particular group are private and can only be encrypted with your personal key. The encrypted blobs are synchronised to the server, but only you will be able to decrypt them again.

(If you want to store passwords that are not synchronised, consider installing Free PAVE in parallel.)

All passwords shared with groups can be accessed by any member of that group, and its admins can add new users, re-encrypting the passwords for them.

Private passwords will be inaccessible, however.

Access to groups can be granted either fully or read-only. Read-only passwords cannot be edited; please add a new private password instead and ask your administrator to give you write access.

PAVE resyncs its database roughly every five minutes. If you’re impatient, you can kick off a sync manually using the “Sync Passwords” option of the PAVE menu (or Ctrl/⌘+R).

Currently, PAVE only allows storing passwords. It is planned to add the possibility of scripting password changes to update passwords on websites from within PAVE, but not yet available.

Please contact our support, currently there’s no automated way of changing it.

Please contact our support, we will send you a new license key.

• Clients default to automatically downloading updates from our official servers. Customers can configure their own update servers, or use MSI packages and their own distribution systems, if they prefer that.
• Servers will receive automated updates in Linux (if you enable our repositories), or can be updated manually on all OSes (package download).

PAVELinks allow you to quickly reference shared passwords, without giving away any sensitive information. This way, you can freely send them over e-mail or other open channels without having to worry about people eavesdropping – only people you have shared a password with can access it, by simply clicking on the link:

The link only contains an ID used internally by PAVE, so it is completely useless to outsiders.