~bohwaz/blog/

With real chunks of 2.0 inside!

mypwsafe: a simple CLI password manager

For some time I had been looking for a password manager that is simple to use, very secure, and based on open technology rather than on an obscure binary format that can disappear easily, leaving you with no access to your data.

I tried many of them. KeePassX, KeePass and other GUI programs were interesting but really overkill for my needs, so I took a look at the CLI side. pwsafe looked interesting and simple enough, but it is not actively developed anymore and will be dropped from the next Debian release; although it uses a well-documented format (compatible with Password Safe), it is still a non-standard binary format and doesn't look like a good choice for a long-term relationship. cpm looked interesting, as it is based on XML and GPG, but I never understood how the hell it was supposed to work: its interface seems to be one of the most complicated things ever for such a simple task.

Looking around, I found simsafe, a simple Perl script that lets you create and edit a GPG-encrypted text file with your favorite editor. But you know, I'm never happy with what already exists: I don't really like Perl for basic tasks, and opening an editor and writing a text file all by myself seemed too much work for my laziness.

So I took a couple of hours and wrote something a bit more elaborate. Here it is: mypwsafe is a simple bash script which stores your login/password credentials in a CSV-like text file encrypted with GPG. It only needs two things: pwgen for password generation, and GPG for encryption and decryption.

It can work in two different GPG modes: symmetric, where a specific passphrase is used to encrypt the passwords file, and key-based, where it simply uses your private key for that task (so you can use gpg-agent and the like if you wish). Personally I prefer key-based encryption, as I always remember my GPG passphrase, but symmetric encryption can also be interesting if you like it.

This is configurable at the beginning of the script: just set USE_SYMMETRIC to true instead of false. If you use key-based encryption, you will also have to change the GPG_ID value to the name or email address linked to your GPG key.

Here's an example with symmetric encryption and password generation (I just hit enter on the password field):

   $ ./mypwsafe.sh --add
   Password safe file does not exists. To create one, please supply password:
   Enter passphrase: 
   Confirm passphrase: 
   -- Saving a new login/password couple to password safe --
   Identifier (or hostname): seenthis.net
   Login: bohwaz
   Password (leave empty to create random one): vECWR4u4Rge

   Encrypting file...
   Done.

   $ ./mypwsafe.sh --all
   Enter passphrase: 
   ID            Login   Password
   seenthis.net  bohwaz  vECWR4u4Rge

A little warning: with symmetric encryption, your passphrase is stored on your hard drive by the script (and deleted after the script completes), as in simsafe, but with key-based encryption your passphrase is NEVER stored on your drive; only GPG has access to it. So I advise you to use key-based encryption.

Here is an example with key-based encryption, searching for a specific password:

   $ mypwsafe.sh dailymotion

   Vous avez besoin d'une phrase de passe pour déverrouiller la
   clé secrète pour l'utilisateur: « BohwaZ <bohwaz@notfound.tld> »
   clé de 4096 bits RSA, ID D0B04280, créée le 2010-11-18 (ID clé principale B818EA34)

   ID               Login                              Password
   dailymotion.com  bohwaz                             blabla

As you can see, you just have to give a regexp as argument and it will return all matching IDs. There is also an "--edit" option, which opens the CSV text file in your favorite editor (a temporary unencrypted copy of the file is created on disk for this and deleted afterwards), and a "--change-password" option to change the file password when using symmetric encryption.

If one day you lose the script, it's still easy to recover your data, as it's just plaintext CSV with tab-separated values, encrypted with GPG.
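To make the design above concrete, here is an added example of the same idea written from scratch for this page; it is not bohwaz's mypwsafe.sh and does not share its code. It keeps to the key-based mode the post recommends, so no passphrase is ever handled by the script, and the "--add" path pipes the plaintext straight through gpg rather than writing a temporary copy; the SAFE and GPG_ID variables, the placeholder key id and the function names are all assumptions.

```shell
#!/bin/sh
# Added example, not bohwaz's mypwsafe.sh: the same design in miniature, in the
# key-based GPG mode the post recommends. One record per line (ID<TAB>login
# <TAB>password); lookup is a regexp on the ID column; --add pipes the plaintext
# through gpg so no unencrypted copy touches disk. Assumed: SAFE, GPG_ID (placeholder).
set -eu
umask 077                                  # anything we create is owner-only
SAFE="${SAFE:-${HOME:-.}/.mypwsafe.gpg}"
GPG_ID="${GPG_ID:-you@example.invalid}"    # placeholder, set to your key id
tab=$(printf '\t'); nl='
'

# Build one TSV record; a tab or newline inside a field would silently split
# or merge records, so such input is refused instead of stored.
format_record() {
    for f in "$@"; do
        case "$f" in *"$tab"*|*"$nl"*) return 1 ;; esac
    done
    printf '%s\t%s\t%s\n' "$1" "$2" "$3"
}

# Print the records on stdin whose ID column matches the regexp in $1.
# Matching only column 1 keeps the pattern from matching inside a password.
search_records() { awk -F '\t' -v re="$1" '$1 ~ re'; }

# Random password: pwgen when installed, otherwise /dev/urandom filtered.
gen_password() {
    if command -v pwgen >/dev/null 2>&1; then pwgen -s 16 1
    else LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c 16; echo; fi
}

decrypt_safe() { gpg --quiet --batch --decrypt "$SAFE"; }
encrypt_safe() {                           # stdin -> $SAFE, written atomically
    tmp=$(mktemp "$SAFE.XXXXXX"); trap 'rm -f "$tmp"' EXIT
    gpg --quiet --batch --yes --recipient "$GPG_ID" --encrypt --output "$tmp"
    mv "$tmp" "$SAFE"
}

add_record() {                             # add_record id login [password]
    rec=$(format_record "$1" "$2" "${3:-$(gen_password)}") || return 1
    old=""; [ ! -f "$SAFE" ] || old=$(decrypt_safe)   # set -e aborts on failure
    { [ -z "$old" ] || printf '%s\n' "$old"; printf '%s\n' "$rec"; } | encrypt_safe
}

case "${1:-}" in
    --add) add_record "$2" "$3" "${4:-}" ;;
    --all) decrypt_safe | awk -F '\t' '{ printf "%-20s %-16s %s\n", $1, $2, $3 }' ;;
    "")    ;;                              # no arguments: just define the functions
    *)     decrypt_safe | search_records "$1" ;;
esac
```

Because the ciphertext is written to a 0600 temp file and then moved over the safe, a failed gpg run leaves the previous safe untouched instead of truncating it.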

Download the script here: http://bohwaz.net/static/mypwsafe.sh


Andrey

Thank you for mypwsafe. I use keepassx, and it is in general good for me, but I prefer to have a simple command line password manager. pwsafe is good but I don't like it. Mypwsafe seems very simple and seems to contain all that I need. It doesn't work quite correctly for me right now, but I'll try to adjust it to my needs. Thank you!