Purse is a fork of drduh/pwd.sh.
Both programs are Bash shell scripts which use GPG to manage passwords and other secrets in encrypted text files. Purse uses asymmetric (public-key) authentication, while pwd.sh uses symmetric (password-based) authentication.
While both scripts use a trusted crypto implementation (GPG) and safely handle passwords (never saving plaintext to disk), Purse eliminates the need to remember and use a master password - just plug in a YubiKey, enter the PIN, then touch it to decrypt a password to clipboard.
By using Purse with YubiKey, the risk of master password theft or keylogging is eliminated - only physical possession of the Yubikey AND knowledge of the PIN can unlock the encrypted index and password files.

Release notes

Version 2b1 (2020)

Minor update to the second release. Currently in beta testing. Compatible on Linux, OpenBSD, macOS.

Changelist:

- Purse now uses a GPG keygroup to encrypt secrets to multiple recipients for improved reliability. The program will prompt for key IDs to define the keygroup; a single key ID can still be used.
- Encrypted index is now optional and off by default, allowing a single touch to encrypt and decrypt secrets instead of two.
- GPG configuration file is now included in Purse backup archives.

Version 2b (2019)

The second release of purse.sh features several security and reliability improvements, and is an optional upgrade. Currently in beta testing. Compatible on Linux, OpenBSD, macOS.

Known issues:

- Read actions now require two Yubikey touches, if touch to decrypt is enabled - once for the index and twice for the encrypted password file.

Changelist:

- Passwords are now encrypted as individual files, rather than all encrypted as a single flat file.
- Individual password filenames are random, mapped to usernames in an encrypted index file.
- Index and password files are now "immutable" using chmod while purse.sh is not running.
- Read passwords are now copied to clipboard and cleared after a timeout, instead of printed to stdout.
- Use printf instead of echo for improved portability.
- New option: list passwords in the index.
- New option: create tar archive for backup.
- Removed option: delete password; the index is now a permanent ledger.
- Removed option: read all passwords; no use case for having a single command.
- Removed option: suppress generated password output; should be read from safe to verify save.

Version 1 (2018)

The original release which has been available for general use and review since June 2018 (forked from pwd.sh which dates to 2015). There are no known bugs nor security vulnerabilities identified in this stable version of purse.sh. Compatible on Linux, OpenBSD, macOS.

Use

This script requires a GPG identity - see drduh/YubiKey-Guide to set one up. Multiple identities stored on several YubiKeys are recommended for reliability.

$ git clone https://github.com/drduh/Purse

(Version 2b and older) Set your GPG key ID with export PURSE_KEYID=0xFF3E7D88647EBCDB or by editing purse.sh.

cd purse.sh and run the script interactively using ./purse.sh or symlink to a directory in PATH:

- Type w to write a password
- Type r to read a password
- Type l to list passwords
- Type b to create an archive for backup
- Type h to print the help text

Options can also be passed on the command line.

Example usage:

Create a 30-character password for userName:

$ ./purse.sh w userName 30

Read password for userName:

$ ./purse.sh r userName

Passwords are stored with a timestamp for revision control. The most recent version is copied to clipboard on read. To list all passwords or read a previous version of a password:

$ ./purse.sh l
$ ./purse.sh r userName@1574723600

Create an archive for backup:

$ ./purse.sh b

Restore an archive from backup:

$ tar xvf purse*tar

The backup contains only encrypted passwords and can be publicly shared for use on trusted computers. For additional privacy, the recipient key ID is not included in GPG metadata (throw-keyids option). The password index file can also be encrypted by changing the encrypt_index variable to true in the script.

See drduh/config/gpg.conf for additional GPG configuration options.
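
The index behaviour described above (random file names mapped to user names, timestamped revisions, no deletion, chmod between writes), as an added example that is not code from purse.sh. The index line format user@epoch:filename and the function names index_add and index_resolve are assumptions, and the index is left unencrypted as in the 2b1 default.

```shell
#!/bin/sh
# Added example, not purse.sh code. Assumed index line: user@epoch:random_filename
# The index is append-only (a permanent ledger) and read-only between writes.

# Append one revision for USER at EPOCH; print the random file name chosen for it.
index_add() {  # usage: index_add INDEX USER EPOCH
  name=$(od -An -N8 -tx1 /dev/urandom | tr -d ' \n')   # 16 hex characters
  chmod u+w "$1" 2>/dev/null || :                      # unlock only while writing
  printf '%s@%s:%s\n' "$2" "$3" "$name" >> "$1"
  chmod 0400 "$1"                                      # read-only at rest
  printf '%s\n' "$name"
}

# Print the file name for QUERY: "user" (latest revision) or "user@epoch" (exact).
# User names may contain "@" (e-mail addresses), so lines are parsed from the
# right. Exits non-zero when nothing matches.
index_resolve() {  # usage: index_resolve INDEX QUERY
  QUERY=$2 awk '
    BEGIN { q = ENVIRON["QUERY"] }
    { file = $0; sub(/.*:/, "", file)                  # text after the last ":"
      key = substr($0, 1, length($0) - length(file) - 1)
      if (!match(key, /@[0-9]+$/)) next                # skip malformed lines
      user = substr(key, 1, RSTART - 1); ts = substr(key, RSTART + 1) + 0
      if (key == q) { exact = file }
      else if (user == q && ts >= best) { best = ts; latest = file } }
    END { out = (exact != "") ? exact : latest
          if (out == "") exit 1
          print out }' "$1"
}

# Constructed demo data in a throwaway directory.
demo_dir=$(mktemp -d)
index_add "$demo_dir/index" "userName" 1574723600 >/dev/null
index_add "$demo_dir/index" "userName" 1574809999 >/dev/null
index_resolve "$demo_dir/index" "userName"             # newest revision
index_resolve "$demo_dir/index" "userName@1574723600"  # earlier revision
rm -rf "$demo_dir"
```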

Similar software

- drduh/pwd.sh
- zx2c4/password-store
- caodonnell/passman.sh: a pwd.sh fork
- bndw/pick: command-line password manager for macOS and Linux
- anders/pwgen: generate passwords using OS X Security framework