GPG asymmetric (YubiKey) password manager
Go to file
drduh 8f09cf87e3
Merge pull request #7 from drduh/wip-26mar24
More config options, trap exits, stdout support
2024-03-27 17:12:09 +00:00
.github Create FUNDING.yml 2024-03-10 22:38:49 +00:00
.gitignore Fix clip functionality 2024-03-26 15:57:33 -07:00 Version 3 beta 2024-03-10 14:59:33 -07:00 grammar 2024-03-27 10:11:45 -07:00 Encrypted index config option 2024-03-26 16:56:11 -07:00

Purse is a fork of drduh/

Both programs are Bash shell scripts which use GnuPG to manage passwords and other secrets in encrypted text files. Purse is based on asymmetric (public-key) authentication, while is based on symmetric (password-based) authentication.

While both scripts use a trusted crypto implementation (GnuPG) and safely handle passwords (never saving plaintext to disk, only using shell built-ins), Purse eliminates the need to remember a main passphrase - just plug in a YubiKey, enter the PIN, then touch it to decrypt a password to clipboard.


This script requires a GnuPG identity - see drduh/YubiKey-Guide to set one up.

For the latest version, clone the repository or download the script directly:

git clone


Versioned Releases are also available.


Run the script interactively using ./ or symlink to a directory in PATH:

  • w to write a password
  • r to read a password
  • l to list passwords
  • b to create an archive for backup
  • h to print the help text

Options can also be passed on the command line.

Create a 20-character password for userName:

./ w userName 20

Read password for userName:

./ r userName

Passwords are stored with an epoch timestamp for revision control. The most recent version is copied to clipboard on read. To list all passwords or read a specific version of a password:

./ l

./ r userName@1574723600

Create an archive for backup:

./ b

Restore an archive from backup:

tar xvf purse*tar


Several customizable options and features are also available, and can be configured with environment variables, for example in the shell rc file:

Variable Description Default Values
PURSE_TIME seconds to clear password from clipboard/screen 10 any valid integer
PURSE_LEN default generated password length 14 any valid integer
PURSE_COPY copy password to clipboard before write unset (disabled) 1 or true to enable
PURSE_DAILY create daily backup archive on write unset (disabled) 1 or true to enable
PURSE_ENCIX encrypt index for additional privacy; 2 YubiKey touches will be required for separate decryption operations unset (disabled) 1 or true to enable
PURSE_COMMENT unencrypted comment to include in index and safe files unset any valid string
PURSE_CHARS character set for passwords [:alnum:]!?@#$%^&*();:+= any valid characters
PURSE_DEST password output destination, will set to screen without clipboard clipboard clipboard or screen
PURSE_ECHO character used to echo password input * any valid character
PURSE_SAFE safe directory name safe any valid string
PURSE_INDEX index file name purse.index any valid string
PURSE_BACKUP backup archive file name purse.$hostname.$today.tar any valid string

Note For additional privacy, the recipient key ID is not included in metadata (GnuPG throw-keyids option).

See config/gpg.conf for additional GnuPG options.