windterm-decrypt

A toolkit for managing WindTerm profiles across machines — includes a CLI decryptor for saved secrets and a Qt GUI tool for exporting and importing full profile bundles.

Tools

File	Description
windterm_decrypt.py	CLI script to scan and decrypt saved secrets in a .wind directory
windx	Qt GUI application to analyze, export, and import WindTerm profile bundles

---

windterm_decrypt.py

How It Works

WindTerm encrypts sensitive fields using:

• Key derivation: PBKDF2-HMAC-SHA3-512(password, fingerprint, iterations=100000, dklen=48)
• Key: first 32 bytes of derived key
• IV: last 16 bytes of derived key (or embedded as the first 16 bytes of the ciphertext)
• Cipher: AES-256-CBC with PKCS#7 padding

The script automatically tries both IV strategies and reports whichever produces readable plaintext.

Requirements

• Python 3.10+
• cryptography

pip install cryptography

Usage

python windterm_decrypt.py <path-to-.wind-directory>

Examples:

# Linux / macOS
python windterm_decrypt.py ~/.wind

# Windows
python windterm_decrypt.py "C:\Users\YourName\.wind"

If a profile has a master password enabled, you will be prompted to enter it (input is hidden).

Example Output

== default.v10 ==  fingerprint: a1b2c3d4...  master_password: False

session.autoLogin  (sessions/my-server.json)
  encoded: U2FsdGVkX1...
  [derived-iv]
    text : mypassword123
  [embedded-iv]
    text : mypassword123

Scanned Fields

The following JSON keys are treated as encrypted secrets:

Field	Description
session.autoLogin	Session auto-login password
session.proxyPassword	Session proxy password
application.proxyPassword	Global proxy password
proxyPassword	Generic proxy password
*password	Any key ending with password
*autologin	Any key ending with autologin

---

windx (Qt GUI)

A C++/Qt desktop application for analyzing and migrating WindTerm profiles between machines.

Features

• Analyze — Scans all profiles in a .wind directory and displays a full session table with columns for profile, session name, host/target, port, username, SSH key path, password preview, and auto-login status
• Export — Serializes all profiles (including encrypted credentials, raw session files, SSH private keys, and root config files) into a portable .json bundle
• Import — Restores a bundle into a target .wind directory, re-encrypting credentials with the target profile's key material and materializing SSH private keys into the correct location
• Master password support — Prompts per-profile for master passwords during both export and import when application.masterPassword is enabled
• Auto path detection — Automatically locates the .wind directory from ~/.wind, the application directory, current directory, or a profiles.config override

Session fields captured per session

Field	Description
Name / Group	Display name and folder hierarchy
Protocol	SSH, Telnet, etc.
Host / Target / Port	Connection endpoint
Username	Login user
SSH key	Private key path + embedded key data
ProxyJump	SSH jump host
Agent forwarding	Forwarding flag
Auto-login	Decrypted credential payload (JSON)

Build Requirements

• Qt 6 (or Qt 5)
• CMake 3.16+
• OpenSSL (used by CryptoEngine for AES-256-CBC and PBKDF2)

cmake -B build -DCMAKE_BUILD_TYPE=Release
cmake --build build

Usage

Launch the windx binary. The UI auto-detects the .wind directory on startup. Use the toolbar buttons to:

1. Analyze .wind — load and decrypt all profiles
2. Export All Profiles — save a bundle .json file
3. Import All Profiles — restore from a previously exported bundle

---

Disclaimer

These tools are intended for managing your own WindTerm configurations. Do not use them to access credentials or profiles you are not authorized to view.

License

MIT