diff --git a/dotfiles/dot_config/rbw/config.json b/dotfiles/dot_config/rbw/config.json
index a32db66..cd2b07d 100644
--- a/dotfiles/dot_config/rbw/config.json
+++ b/dotfiles/dot_config/rbw/config.json
@@ -7,6 +7,6 @@
 "notifications_url": null,
 "lock_timeout": 3600,
 "sync_interval": 999999999,
- "pinentry": "pinentry",
+ "pinentry": "rbw-pinentry-keyring",
 "client_cert_path": null
 }
diff --git a/dotfiles/dot_local/bin/piku b/dotfiles/dot_local/bin/piku
new file mode 100755
index 0000000..f7faf0c
--- /dev/null
+++ b/dotfiles/dot_local/bin/piku
@@ -0,0 +1,100 @@
+#!/bin/sh
+
+# TODO: support config locations:
+# ./.piku-server
+# ~/.piku-server
+# git config --get remote.piku.url
+# git config --get remote.paas.url
+
+if grep -q WSL /proc/version 2>/dev/null
+then
+ # On WSL, use the Windows ssh.exe to benefit from 1Password integration
+ SSH="ssh.exe"
+else
+ SSH="ssh"
+fi
+
+remote_name="piku"
+if [ "$1" = "--remote" ] || [ "$1" = "-r" ]
+then
+ shift
+ remote_name="$1"
+ shift
+fi
+
+gitremote=$(git config --get remote."$remote_name".url)
+remote=${gitremote:-"${PIKU_SERVER}:${PIKU_APP}"}
+
+githome="https://raw.githubusercontent.com/piku/piku/master/"
+
+out() { printf "%s\n" "$*" >&2; }
+
+if [ "$1" = "init" ]
+then
+ if [ -f "ENV" ]
+ then
+ echo "ENV file already exists."
+ else
+ curl -s "${githome}examples/ENV" > ENV && echo "Wrote ./ENV file."
+ fi
+ if [ -f "Procfile" ]
+ then
+ echo "Procfile already exists."
+ else
+ curl -s "${githome}examples/Procfile" > Procfile && echo "Wrote ./Procfile."
+ fi
+ if [ "$gitremote" = "" ]
+ then
+ echo "Now set up your piku remote for this app:"
+ echo "git remote add piku piku@HOSTNAME:APPNAME"
+ fi
+ exit
+fi
+
+out "Piku remote operator."
+
+if [ "$remote" = "" ] || [ "$remote" = ":" ]
+then
+ out
+ out "Error: no piku server configured."
+ out "Use PIKU_SERVER=piku@MYSERVER.NET or configure a git remote called 'piku'."
+ out
+else
+ server=$(echo "$remote" | cut -f1 -d":" 2>/dev/null)
+ app=$(echo "$remote" | cut -f2 -d":" 2>/dev/null)
+ # gather SSH flags
+ while [ "${1#\-}"x != "${1}x" ];
+ do
+ sshflags="${sshflags} ${1}"
+ shift
+ done
+ # check the Piku command to be run
+ cmd="$1"
+ out "Server: $server"
+ out "App: $app"
+ out
+ case "$cmd" in
+ ""|help)
+ command $SSH -o LogLevel=QUIET ${sshflags:+${sshflags}} "$server" "$@" | grep -v "INTERNAL"
+ echo " shell Local command to start an SSH session in the remote."
+ echo " init Local command to download an example ENV and Procfile."
+ echo " download Local command to scp down a remote file. 
args: REMOTE-FILE(s) LOCAL-PATH" + echo " Remote file path is relative to the app folder." + ;; + apps|setup|setup:ssh|update) + # shellcheck disable=SC2029 # caused by the final "$@", expanded on the client side + command $SSH ${sshflags:+${sshflags}} "$server" "$@" + ;; + shell) + $SSH -t "$server" run "$app" bash + ;; + download) + scp "$server:~/.piku/apps/${app}/${2}" "${3:-'.'}" + ;; + *) + shift # remove cmd arg + # shellcheck disable=SC2029 # caused by the final "$@", expanded on the client side + command $SSH ${sshflags:+${sshflags}} "$server" "$cmd" "$app" "$@" + ;; + esac +fi diff --git a/dotfiles/dot_local/bin/rbw-pinentry-keyring b/dotfiles/dot_local/bin/rbw-pinentry-keyring new file mode 100755 index 0000000..dda5862 --- /dev/null +++ b/dotfiles/dot_local/bin/rbw-pinentry-keyring @@ -0,0 +1,102 @@ +#!/bin/bash + +[[ -z "${RBW_PROFILE}" ]] && rbw_profile='rbw' || rbw_profile="rbw-${RBW_PROFILE}" + +set -eEuo pipefail + +function help() { + cat </dev/null 2>&1 + fi + fi + + printf 'D %s\n' "$secret_value" + echo 'OK' + else + cmd="SETTITLE $title\n" + cmd+="SETPROMPT $prompt\n" + cmd+="SETDESC $desc\n" + cmd+="GETPIN\n" + + secret_value="$(printf "$cmd" | pinentry | grep -E "^D " | cut -c3-)" + + printf 'D %s\n' "$secret_value" + echo 'OK' + fi + ;; + BYE) + exit + ;; + *) + echo 'ERR Unknown command' + ;; + esac + done +} + +command="$1" +case "$command" in + -h|--help|help) + help + ;; + -c|--clear|clear) + clear + ;; + *) + getpin + ;; +esac diff --git a/home/home.nix b/home/home.nix index 56a73b5..9f335a8 100644 --- a/home/home.nix +++ b/home/home.nix @@ -508,5 +508,10 @@ home.file.".msmtprc".source = ../dotfiles/dot_msmtprc; home.file.".mbsyncrc".source = ../dotfiles/dot_mbsyncrc; + home.file.".local/bin" = { + source = ../dotfiles/dot_local/bin; + recursive = true; + }; + home.file.".local/share/flf".source = ../dotfiles/dot_local/share/flf; }
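Review bot: In the `download` arm of piku, `"${3:-'.'}"` keeps the single quotes as literal characters because the expansion sits inside double quotes, so with no third argument scp writes to a path named `'.'` rather than into the current directory; `"${3:-.}"` gives the intended default. In `init`, `curl -s … > ENV` has no `-f`, so an HTTP error body is saved as ENV or Procfile and reported as written, and the redirect creates the file even when curl itself fails; `curl -fsS -o ENV "${githome}examples/ENV"` (and the same for Procfile) keeps a failed download from leaving a file behind. `sshflags` is appended to without ever being initialised, so a value inherited from the environment ends up on the ssh command line; add `sshflags=""` before the `while` loop. The no-server branch prints its error but the script still exits 0, so callers cannot detect the misconfiguration; end that branch with `exit 1`.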
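Review bot: In rbw-pinentry-keyring, `printf "$cmd" | pinentry` uses the assembled command text as the printf format string, and `cmd` embeds `$title`, `$prompt` and `$desc`, which appear to come from the caller's protocol lines (the parsing sits in a part of this hunk that did not survive on this page), so a `%` or backslash in them is interpreted rather than forwarded. Pass them as arguments instead: `printf 'SETTITLE %s\nSETPROMPT %s\nSETDESC %s\nGETPIN\n' "$title" "$prompt" "$desc" | pinentry`. With `set -eEuo pipefail` active, a cancelled prompt makes `grep -E "^D "` match nothing, and the script then appears to exit from the `secret_value=` assignment without answering the caller with an `ERR` line. `command="$1"` likewise aborts under `set -u` when the script is started with no arguments, so the `*) getpin` default is only reached when some argument is passed; `command="${1:-}"` fixes that.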