Purse is a fork of [drduh/pwd.sh](https://github.com/drduh/pwd.sh).

Both programs are Bash shell scripts which use [GnuPG](https://www.gnupg.org/) to manage passwords and other secrets in encrypted text files. Purse is based on asymmetric (public-key) authentication, while pwd.sh is based on symmetric (password-based) authentication.

While both scripts use a trusted crypto implementation (GnuPG) and safely handle passwords (never saving plaintext to disk, only using shell built-ins), Purse eliminates the need to remember a main passphrase - just plug in a YubiKey, enter the PIN, then touch it to decrypt a password to clipboard.

# Install

This script requires a GnuPG identity - see [drduh/YubiKey-Guide](https://github.com/drduh/YubiKey-Guide) to set one up.

For the latest version, clone the repository or download the script directly:

```console
git clone https://github.com/drduh/Purse

wget https://raw.githubusercontent.com/drduh/Purse/master/purse.sh
```

Versioned [Releases](https://github.com/drduh/Purse/releases) are also available.

# Use

Run the script interactively using `./purse.sh` or symlink it into a directory in `PATH`:

- `w` to write a password
- `r` to read a password
- `l` to list passwords
- `b` to create an archive for backup
- `h` to print the help text

Options can also be passed on the command line.

Create a 20-character password for `userName`:

```console
./purse.sh w userName 20
```

Read password for `userName`:

```console
./purse.sh r userName
```

Passwords are stored with an epoch timestamp for revision control. The most recent version is copied to clipboard on read. To list all passwords or read a specific version of a password:

```console
./purse.sh l

./purse.sh r userName@1574723600
```
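
How "most recent version" resolves for identifiers in the `name@epoch` form shown above, as an added example that is not Purse's own code. The one-identifier-per-line input, the sample values and the `latest_rev` function name are assumptions made for illustration.

```shell
#!/bin/sh
# Constructed sample identifiers (name@epoch); not real Purse index data.
SAMPLE_IDS='userName@1574723600
userName@1711490000
alice@example.com@1600000000
alice@example.com@1599999999
userName2@1800000000'

# latest_rev NAME (hypothetical helper): read name@epoch lines on stdin and
# print the newest identifier whose name is exactly NAME.
# Returns 1 when NAME has no revision with a numeric timestamp.
latest_rev() {
  # Pass NAME through the environment so awk does not interpret backslashes.
  WANT="$1" awk '
    {
      at = 0
      # Split on the LAST "@" so names that themselves contain "@" stay intact.
      for (i = length($0); i > 0; i--)
        if (substr($0, i, 1) == "@") { at = i; break }
      if (at < 2) next                      # no "@" or empty name: skip line
      name = substr($0, 1, at - 1)
      ts = substr($0, at + 1)
      # Exact name match only, so "userName" never selects "userName2".
      if (name != ENVIRON["WANT"] || ts !~ /^[0-9]+$/) next
      if (!found || ts + 0 > best + 0) { best = ts; found = 1 }
    }
    END {
      if (!found) exit 1
      print ENVIRON["WANT"] "@" best
    }'
}
```

Splitting on the last `@` matters when the entry name is an e-mail address; splitting on the first one would attribute revisions to the wrong name.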

Create an archive for backup:

```console
./purse.sh b
```

Restore an archive from backup:

```console
tar xvf purse*tar
```

# Configure

Several customizable options and features are also available, and can be configured with environment variables, for example in the [shell rc](https://github.com/drduh/config/blob/master/zshrc) file:

Variable | Description | Default | Available options
-|-|-|-
`PURSE_CLIP` | clipboard to use | `xclip` | `pbcopy` on macOS
`PURSE_CLIP_ARGS` | arguments to pass to clipboard command | unset (disabled) | `-i -selection clipboard` to use primary (control-v) clipboard with xclip
`PURSE_TIME` | seconds to clear password from clipboard/screen | `10` | any valid integer
`PURSE_LEN` | default generated password length | `14` | any valid integer
`PURSE_COPY` | copy password to clipboard before write | unset (disabled) | `1` or `true` to enable
`PURSE_DAILY` | create daily backup archive on write | unset (disabled) | `1` or `true` to enable
`PURSE_ENCIX` | encrypt index for additional privacy; 2 YubiKey touches will be required for separate decryption operations | unset (disabled) | `1` or `true` to enable
`PURSE_COMMENT` | **unencrypted** comment to include in index and safe files | unset | any valid string
`PURSE_CHARS` | character set for passwords | `[:alnum:]!?@#$%^&*();:+=` | any valid characters
`PURSE_DEST` | password output destination, will set to `screen` without clipboard | `clipboard` | `clipboard` or `screen`
`PURSE_ECHO` | character used to echo password input | `*` | any valid character
`PURSE_SAFE` | safe directory name | `safe` | any valid string
`PURSE_INDEX` | index file name | `purse.index` | any valid string
`PURSE_BACKUP` | backup archive file name | `purse.$hostname.$today.tar` | any valid string

**Note** For additional privacy, the recipient key ID is **not** included in metadata (GnuPG `throw-keyids` option).

See [config/gpg.conf](https://github.com/drduh/config/blob/master/gpg.conf) for additional GnuPG options.
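
A check for the `throw-keyids` note above, as an added example that is not part of Purse: it reads `gpg --list-packets` output and confirms that every public-key encrypted session key packet carries the all-zero key ID. Both sample outputs are constructed, the key ID in the second is a placeholder, and `keyids_hidden` is a hypothetical helper name.

```shell
#!/bin/sh
# Constructed `gpg --list-packets` output for a file encrypted with
# throw-keyids: the recipient key ID field is all zeros.
SAMPLE_HIDDEN=':pubkey enc packet: version 3, algo 1, keyid 0000000000000000
    data: [4095 bits]
:encrypted data packet:
    length: 96
    mdc_method: 2'

# Constructed output without throw-keyids (placeholder key ID).
SAMPLE_LEAKY=':pubkey enc packet: version 3, algo 1, keyid 0123456789ABCDEF
    data: [4095 bits]
:encrypted data packet:
    length: 96
    mdc_method: 2'

# keyids_hidden (hypothetical helper): read list-packets output on stdin.
# Returns 0 only if at least one pubkey enc packet is present and every one
# has the all-zero key ID; prints each exposed key ID it finds.
keyids_hidden() {
  awk '
    /^:pubkey enc packet:/ {
      seen++
      id = ""
      # The key ID is the field that follows the literal word "keyid".
      for (i = 1; i < NF; i++) if ($i == "keyid") id = $(i + 1)
      if (id !~ /^0+$/) { print "exposed keyid: " id; leaked++ }
    }
    END {
      # No packets seen means the input was not an encrypted file: fail closed.
      if (seen > 0 && leaked == 0) exit 0
      exit 1
    }'
}
```

To audit real files, pipe the output of `gpg --list-packets` for each encrypted file into `keyids_hidden`; a non-zero exit status flags a file whose metadata names its recipient.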