Avendesora is configured by way of a collection of files contained in the config directory (~/.config/avendesora). This directory may contain the following files:


This file contains the list of known account files. The first file in the list is the default account file (this is where new accounts go by default). You can use the new command to add additional files to this list, but to delete account file you must manually edit this file and remove them from the list.

config and config.doc:

You control the behavior of Avendesora through a collection of settings that are specified in config. The available settings and their default values are documented in config.doc. Generally you only place values in config if you would like to change them from their default value. In that way, you will get the latest values for all other settings when you update Avendesora.


One of the risks in using a password generator is that changed in the code can result in the passwords changing. Thus there is a risk that when you upgrade Avendesora that your passwords will change. Avendesora provides the archive and changed commands to help detect these situations. It also keeps hashes of several key parts of the code that if changed could result in the passwords changing. When Avendesora runs, it recomputes these hashes on itself and compares them to the hashes saved in this file. If any of the hashes have changed a warning message is produced, which can alert you to changes that you might have otherwise missed.

It is normal that these hashes change when the program is updated. When you see the message that the hashes have changed you should run the changed command to assure that none of your generated secrets have changed. This assumes that you have created an archive file and kept it up to date.


This file contains the definitions of the available stealth accounts. Stealth accounts allow you to create passwords for accounts that are not kept in an account file.

<account files>:

A file containing a collection of related accounts. All accounts in a file share a common master seed.

<archive file>:

This file contains all known accounts with any generated secrets expanded. It is used to identify account values that may have inadvertently changed.

<log file>:

The log file is created after each invocation of Avendesora. It provides details about the run that can help understand what happened during the run, which can help you resolve issues when things go wrong. This file can leak account information, and so it is best if it is encrypted.


The settings are documented in config.doc, and can be overwritten by specifying the desired values in the config file (found in ~/.config/avendesora). The available settings are:

log_file = log.gpg:

The desired location of the log file (relative to config directory). Adding a suffix of .gpg or .asc causes the file to be encrypted (otherwise it can leak account names). Use None to disable logging.

archive_file = archive.gpg:

The desired location of the archive file (relative to config director). End the path in .gpg or .asc. Use None to disable archiving.

previous_archive_file = archive.prev.gpg:

The existing archive file is renamed to this name when updating the archive file. This could be helpful if the archive file is somehow corrupted.

archive_stale = 1:

The archive file is consider stale if it is this many days older than the most recently updated account file.

default_field = ‘passcode password passphrase’:

The name of the field to use for the value command when one is not given. May be a space separated list of names, in which case the first that is found is used.

default_vector_field = ‘questions’:

The name of the field to use when an integer is given as the argument to the value command. In this case the field is expected to be a list and the argument is taken to be the index of the desired value. For example, if default_vector_field is ‘question’ and the argument given with the value command is 1, then question[1] is produced.

dynamic_fields = ‘’:

Fields whose values can change in real time. These fields will not be mentioned by the changed command, even if their value differs from when the most recent archive was created.

hidden_fields = ‘’:

Names of fields that should not appear in the summary produced by the values command unless the --all option is specified. A typical value includes estimated_value, postmortem_recipients, and bitwarden.

credential_ids = ‘username email’:

A string that contains the field names (space separated) that should be considered by the credentials command for the account identity.

credential_secrets = ‘passcode password passphrase’:

A string that contains the field names (space separated) that should be considered by the credentials command for the primary account secret.

display_time = 60:

The number of seconds that the secret will be displayed before it is erased when writing to the TTY or the clipboard.

ms_per_char = 12:

The time between keystrokes when autotyping. The default is 12ms. This is the global setting. Generally it is not necessary to change this. Leaving at its default value works in most cases and result in a pleasingly fast response times. However, some websites, particularly those that are infested with javascript helpers, cannot tolerate extremely fast typing rates. In these cases it is better to use the rate attribute to the discovery script to limit the typing rate. Doing so only slows the entry of your credentials on those websites.

encoding = ‘utf-8’:

The unicode encoding to use when reading or writing files.


The command used when editing an account. The command is given as list of strings. The strings may contain {filepath} and {account}, which are replaced by the path to the file and the name of the account.


The command used when creating a new account that has been initialized with a template. The command is given as list of strings. The strings may contain {filepath}, which is replaced by the path to the file.


A dictionary containing the supported browsers. For each entry the key is the name to be used for the browser, and the value is string that contains the command that invokes the browser. The value may contain {url}, which is replaced by the URL to open.


The name of the default browser. This name should be one of the keys in the browsers dictionary.

command_aliases = None:

You can create custom short cuts for Avendesora commands using the this setting. By default, Avendesora comes with a collection of aliases, but you can change them, delete them, or add others. Aliases are specified with a dictionary, where the key is the alias, and the value is a list that consists of full command name and an optional set of command line arguments. For example:

command_aliases = dict(
    b = ['browse'],
    bc = ['browse', '--browser', 'c'],

Alternately, you can specify the value of each alias as a string, in which case it is split at white space to provide the command name and options:

command_aliases = dict(
    b = 'browse',
    bc = 'browse --browser c',

In either case, the first item must be the name of a built-in command.

With this set of aliases, ‘b’ becomes a short cut for ‘browse’ and ‘bc’ becomes a short cut for ‘browse –browser c’.

With the introduction of this setting, the hard-coded command short cuts were removed from Avendesora. To get them back you should add the following to your ~/.config/avendesora/config file.

command_aliases = dict(
    a = 'add',
    A = 'archive',
    b = 'browse',
    bc = 'browse --browser c',
    c = 'conceal',
    C = 'changed',
    e = 'edit',
    f = 'find',
    h = 'help',
    ident = 'identity',
    I = 'identity',
    init = 'initialize',
    i = 'interactive',
    login = 'credentials',
    l = 'credentials',
    N = 'new',
    alphabet = 'phonetic',
    p = 'phonetic',
    quest = 'questions',
    q = 'questions',
    qc = 'questions --clipboard',
    r = 'reveal',
    s = 'search',
    val = 'value',
    v = 'value',
    vc = 'value --clipboard',
    vals = 'values',
    vs = 'values',
    V = 'values',

default_protocol = ‘https’:

The default protocol to use for a URL if the protocol is not specified in the requested URL. Generally this should be ‘https’ or ‘http’, though ‘https’ is recommended.

config_dir_mask = 0o077:

An integer that determines if the permissions of Avendesora configuration directory (~/.config/avendesora) are too loose. If they are, a warning is printed. A bitwise and operation is performed between this value and the actual file permissions, and if the result is nonzero, a warning is printed. Set to 0o000 to disable the warning. Set to 0o077 to generate a warning if the configuration directory is readable or writable by the group or others. Set to 0o007 to generated a warning if the directory is readable or writable by others.

label_color = ‘blue’:

The color of the label use by the value and values commands. Choose from black, red, green, yellow, blue, magenta, cyan, white.

highlight_color = ‘magenta’:

The color of the highlight use by the value and values commands. Choose from black, red, green, yellow, blue, magenta, cyan, white.

color_scheme = ‘dark’:

The color scheme used for the label color. Choose from dark, light. If the shell background color is light, use dark.

use_pager = True:

Use a external program to break long output into pages. May be either a boolean or a string. If a string the string is taken to be a command line use to invoke a paging program (like ‘more’). If True, the program name is taken from the PAGER environment variable if set, or ‘less’ is used if not set. If False, a paging program is not used.

selection_utility = ‘gtk’:

Which utility should be used when it becomes necessary for you to interactively make a choice. Two utilities are available: gtk, the default, and dmenu.

gtk is the built-in selection. When needed it pops a small dialog box in the middle of the screen. You can use the ‘j’ and ‘k’ to navigate to your selection and ‘l’ to make the selection or ‘h’ to cancel. Alternately you can use the arrow keys and Enter and Esc to navigate, select, and cancel.

dmenu is an external utility, and must be installed. With dmenu you type the first few letters of your selection to highlight it, then type ‘Enter’ to select or ‘Esc’ to cancel.

verbose = False:

Set this to True to generate additional information in the log file that can help debug account discovery issues. Normally it should be False to avoid leaking account information into log file. This is most useful when debugging account discovery, and in that case this setting has largely been superseded by the use of the –title and –verbose command line options.


The available account templates. These are used when creating new accounts. The templates are given as a dictionary where the key is the name of the template and the value is the template itself. The template is passed through textwrap.dedent() to remove any leading white space. Any lines that begin with ‘# Avendesora: ‘ represent comments that can contain instructions to the user. They will are removed when the account is created.

default_account_template = ‘bank’

The default account template that is used when creating a new account and the user does not specify a template name.


The GPG ID or IDs to use by default when creating encrypted files (the archive and account files).

gpg_armor = ‘extension’:

In the GPG world, armoring a file means converting it to simple ASCI. Choose between ‘always’, ‘never’ and ‘extension’ (.asc: armor, .gpg: no).

gpg_home = ~/.gnupg:

This is your GPG home directory. By default it will be ~/.gnupg.

gpg_executable = /usr/bin/gpg2:

Path to the gpg2 executable.

xdotool_executable = /usr/bin/xdotool:

Path to the xdotool executable.

xsel_executable = /usr/bin/xsel:

Recommend ‘/usr/bin/xsel -p’ if you wish to use mouse middle click. Recommend ‘/usr/bin/xsel -b’ if you wish to use mouse right click then paste.

dmenu_executable = /usr/bin/dmenu:

Path to the dmenu executable. Avendesora can be configured to use dmenu as selection utility rather than built-in gtk version.