Cross-platform, free and open-source password manager based on NodeJS.
Table of Contents
- Protecting your details
- Download & Install
- Encryption & Format
- Package & Release
Buttercup is a password manager - an assistant for helping you store all of your login credentials. Buttercup helps you keep your accounts safe and assists you when you want to log in - all you need to do is remember just one password: your master password.
This is the Desktop application in the Buttercup suite, and there's also a mobile app and browser extension so that you can access your credentials anywhere. You store your credentials (login information) in a secure archive, which can then be stored on your own computer or any of our supported cloud services (like Dropbox, for example).
Archives are encrypted using the AES specification, and cannot be read by anyone besides those with the master password. Brute-force decryption is not technically possible. You should not share your archive with anyone, but rest assured: your contents are safe.
Why you need software like Buttercup
Many of us have 10s or 100s of accounts, and it would be crazy to secure these with 1 or 2 passwords. Why? If an attacker gains access to one of the systems you have an account with, your password there may be easily stolen - if an attacker gets this it's highly likely they will try to log in to other accounts you have with the same password. If you're using the same password on more than one site, you risk having several accounts stolen if any one of them is breached.
Buttercup helps you by remembering all of your passwords, and because you no longer have to remember them yourself, you can use different passwords for every single site.
Protecting your details
Buttercup provides a secure way of storing your details, but it is only as secure as how you treat your master password and archive files.
Ensure that you never share your master password or use it anywhere other than with your archive. Never share or store your archive in a non-private environment. Always remember to make regular backups of your archive.
Download & Install
If you're using macOS, you can also use Homebrew Cask to download and install Buttercup:
$ brew cask install buttercup
On Windows, you can use Chocolatey:
choco install buttercup
Platforms and Operating Systems
Buttercup is available for macOS (dmg), Windows (exe) and Linux (deb, rpm, tarball) (64bit only).
We actively support Buttercup on the following platforms:
- MacOS (latest)
- Windows 10
- Ubuntu 18.04
Operating systems outside of these are not directly supported by staff - Issues will be followed on GitHub, however, and assistance provided where possible.
Buttercup is also available for Arch Linux (32/64bit) (AUR). This release channel is maintained by our community.
Some users have reported segmentation faults on Arch - if you notice a similar issue, perhaps check out this solution.
Buttercup supports portable builds on the following platforms:
- Linux: AppImage
Portable versions for Windows and Mac will arrive in the not-so-distant future.
Encryption & Format
Buttercup uses a delta system to manage archive changes and save conflicts. Upon saving, the archive is encrypted with AES-256 in CBC mode and authenticated with a SHA256 HMAC. Before encryption, the password is salted and stretched with PBKDF2 at between 200k and 250k iterations.
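The scheme described above (PBKDF2-stretched password, AES-256-CBC, SHA256 HMAC), as an added Node.js example; it is not Buttercup's own code or vault format. The PBKDF2 digest, salt length, key split and `$`-separated envelope are assumptions made for illustration.

```javascript
// Added illustration; NOT Buttercup's actual vault format or code.
const { pbkdf2Sync, createHmac, createCipheriv, createDecipheriv,
  randomBytes, randomInt, timingSafeEqual } = require("node:crypto");

const MIN_ROUNDS = 200000, MAX_ROUNDS = 250000; // range stated on the page

// Assumption: PBKDF2-HMAC-SHA256 yields 64 bytes, split into an AES-256 key
// and an independent HMAC key so one key is never used for both jobs.
function deriveKeys(password, salt, rounds) {
  const km = pbkdf2Sync(password, salt, rounds, 64, "sha256");
  return { encKey: km.subarray(0, 32), macKey: km.subarray(32) };
}

// The tag covers every field that influences decryption, not only the ciphertext.
function computeTag(macKey, rounds, salt, iv, ct) {
  return createHmac("sha256", macKey)
    .update(String(rounds)).update(salt).update(iv).update(ct).digest();
}

function encrypt(plaintext, password) {
  const rounds = randomInt(MIN_ROUNDS, MAX_ROUNDS + 1);
  const salt = randomBytes(32); // fresh salt and IV on every save
  const iv = randomBytes(16);
  const { encKey, macKey } = deriveKeys(password, salt, rounds);
  const cipher = createCipheriv("aes-256-cbc", encKey, iv);
  const ct = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  const mac = computeTag(macKey, rounds, salt, iv, ct);
  // Hypothetical envelope: rounds$salt$iv$ciphertext$mac, binary parts in base64.
  return [rounds, ...[salt, iv, ct, mac].map((b) => b.toString("base64"))].join("$");
}

function decrypt(envelope, password) {
  const [r, ...fields] = envelope.split("$");
  const rounds = Number(r);
  // Reject out-of-range work factors before spending any CPU on them.
  if (fields.length !== 4 || !Number.isInteger(rounds) ||
      rounds < MIN_ROUNDS || rounds > MAX_ROUNDS) {
    throw new Error("malformed envelope");
  }
  const [salt, iv, ct, mac] = fields.map((f) => Buffer.from(f, "base64"));
  const { encKey, macKey } = deriveKeys(password, salt, rounds);
  const expected = computeTag(macKey, rounds, salt, iv, ct);
  // Verify in constant time BEFORE decrypting (no padding-oracle signal).
  if (mac.length !== expected.length || !timingSafeEqual(mac, expected)) {
    throw new Error("authentication failed");
  }
  const decipher = createDecipheriv("aes-256-cbc", encKey, iv);
  return Buffer.concat([decipher.update(ct), decipher.final()]).toString("utf8");
}
```

A wrong master password and a modified archive fail the same way, at the HMAC check, so the decryption step never runs on unauthenticated data.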
Because security with password storage is of the utmost importance, Buttercup will remain in alpha/beta release mode until some level of professional scrutiny has occurred. It is completely possible that security-related changes will occur, but this is inevitable and we handle every question and criticism with great care when it comes to the safety of using our software.
Buttercup supports loading and saving credentials archives both locally and remotely. Remote archives can be stored in a variety of service providers like Dropbox, Google Drive and WebDAV-enabled services, such as Yandex.
Archives store groups and entries in a simple hierarchy. Both groups and entries can be moved into other groups. Deleted items are trashed before being removed permanently.
Buttercup has basic merge conflict resolution when 2 changes are made at once on the file (locally or remote).
Buttercup can connect to WebDAV-based services for the purpose of remotely-accessing vault files. Most WebDAV services and services supporting WebDAV are compatible.
Please note that Buttercup does not support self-signed certificates.
Importing and Exporting
You can import from other password managers (such as 1Password, Lastpass and KeePass) by opening your archive and choosing Import from the menu.
You can also export Buttercup vaults to CSV format.
Buttercup for Desktop supports the following languages:
- English (Default)
- Brazilian Portuguese
- Simplified Chinese
Submitting internationalization configurations
We welcome the addition of new languages to the Buttercup platform. Please follow the style of the current translations.
If adding languages that are more specific than usual (e.g. "pt_br" - Brazilian Portuguese), ensure that you separate the parts with an underscore (_) and not a dash.
If you're interested in developing Buttercup:
Install Dependencies & Run
$ npm install
$ npm run start
Package & Release
You will need some extra dependencies to build for different platforms on a single platform. Please refer to this guide and install required software for your platform.
Building libraries before releasing
$ npm run build
To package the app and make installers for all supported platforms:
$ npm run release
This may take a while depending on how fast your computer is. All apps and installers will be in
To package only for the current platform:
$ npm run package:current
Or for a specific platform:
$ npm run package:mac
$ npm run package:win
$ npm run package:linux
The above is a naive release process, without signing. To sign, notarize and release, as is the standard approach, first export the following environment variables:
export GH_TOKEN=github_token
export WIN_CSC_LINK=file:///some/directory/buttercup_codesign.p12
export WIN_CSC_KEY_PASSWORD="codesign_password"
export APPLE_ID=apple_id
export APPLE_ID_PASSWORD=app_specific_password
export TEAM_SHORT_NAME=team_short_name # if your account is connected to multiple teams
GH_TOKEN is your GitHub token, WIN_CSC_LINK is the location of the p12 code signing certificate and WIN_CSC_KEY_PASSWORD is the certificate password.
Then run:
$ npm run release
In case you need to access Buttercup logs, they are located in:
- On Linux:
- On macOS:
- On Windows:
This project exists thanks to all the people who contribute.
We'd also like to thank:
- Mohammad Amiri (Brand & Identity) (@pixelvisualize)
- Arash Asghari (Brand & Identity) (@_arashasghari)
We welcome contributions. Please read Contribution Guide before sending a PR.
Released under GNU/GPL Version 3