Set umask, don't hide safe, update documentation and license

This commit is contained in:
drduh 2019-01-30 17:50:11 -08:00
parent d3cc946180
commit 37dde781cd
3 changed files with 43 additions and 48 deletions

View File

@ -1,6 +1,6 @@
The MIT License (MIT)
Copyright (c) 2018 drduh
Copyright (c) 2018-2019 drduh
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal

View File

@ -2,70 +2,71 @@
![screencast gif](https://user-images.githubusercontent.com/12475110/40880505-3834ce1c-6667-11e8-89d0-6961886842c6.gif)
Purse is a fork of [pwd.sh](https://github.com/drduh/pwd.sh/).
Purse is a fork of [drduh/pwd.sh](https://github.com/drduh/pwd.sh).
Both programs are shell scripts which use GPG to manage passwords in an encrypted file. Purse uses asymmetric (public-key) encryption, while pwd.sh uses a symmetric (password) scheme.
Both programs are shell scripts which use [GPG](https://www.gnupg.org/) to manage passwords in an encrypted text file. Purse uses asymmetric (public-key) encryption, while pwd.sh uses symmetric (password) encryption.
While both are reasonably secure by using a trusted crypto implementation (GPG) and safe handling of password input, Purse eliminates the need to remember or use a master password to unlock. Just plug in the key, enter the PIN to unlock it, then touch to decrypt Purse passwords.
While both are reasonably secure by using a trusted crypto implementation (GPG) and safe handling of password input, Purse eliminates the need to remember and use a master password - just plug in a YubiKey, enter the PIN, then touch it to decrypt the password safe to stdout.
By using GPG keys and a hardware token like YubiKey, the risk of master password phishing or keylogging is eliminated; only physical possession of the hardware token AND knowledge of its PIN code may unlock private material.
By using GPG keys and a hardware token like YubiKey, the risk of master password phishing or keylogging is eliminated; only physical possession of the hardware token AND knowledge of the PIN can unlock the password safe.
# Installation
This script requires an existing GPG key and is intended to be used with a YubiKey or other hardware token for storing the private key.
See [YubiKey Guide](https://github.com/drduh/YubiKey-Guide/) for instructions on setting one up.
This script requires an existing GPG key and is intended to be used with a YubiKey or similar hardware token for storing the private key. See [drduh/YubiKey-Guide](https://github.com/drduh/YubiKey-Guide) for instructions on setting one up.
To install the script:
```
git clone https://github.com/drduh/purse
```console
$ git clone https://github.com/drduh/Purse
```
Then modify it to use the preferred GPG key ID.
# Use
`cd purse` and run the script interactively using `./purse.sh`
`cd Purse` and run the script interactively using `./purse.sh`
* Type `w` to write a password.
* Type `r` to read a password.
* Type `d` to delete a password.
* Type `h` to print the help text.
Options can also be passed on the command line.
Examples:
Create password with length of 30 characters for `gmail`:
Create 30-character password for `gmail`:
./purse.sh w gmail 30
```console
$ ./purse.sh w gmail 30
```
Append `<space>q` to suppress generated password output.
Append `q` to create a password without displaying it.
Read password for `user@github`:
./purse.sh r user@github
```console
$ ./purse.sh r user@github
```
Delete password for `reddit`:
./purse.sh d reddit
```console
$ ./purse.sh d reddit
```
Copy password for `github` to clipboard on macOS:
Copy password for `github` to clipboard (substitute `pbcopy` on macOS):
./purse.sh r github | cut -f 1 -d ' ' | awk 'NR==4{print $1}' | pbcopy
```console
$ ./purse.sh r github | cut -f 1 -d ' ' | awk 'NR==4{print $1}' | xclip
```
The script and encrypted `.purse` ciphertext file can be publicly shared between computers.
This script and encrypted `purse.enc` file can be publicly shared between trusted computers. For additional privacy, the recipient key ID is **not** included in GPG metadata.
A recommended `~/.gnupg/gpg.conf` configuration file can be found at [drduh/config/gpg.conf](https://github.com/drduh/config/blob/master/gpg.conf).
See [drduh/config/gpg.conf](https://github.com/drduh/config/blob/master/gpg.conf) for additional GPG options.
# Similar software
[pwd.sh](https://github.com/drduh/pwd.sh/)
[Pass: the standard unix password manager](http://www.passwordstore.org/)
[caodonnell/passman.sh: a pwd.sh fork](https://github.com/caodonnell/passman.sh)
[bndw/pick: a minimal password manager for OS X and Linux](https://github.com/bndw/pick)
[anders/pwgen: generate passwords using OS X Security framework](https://github.com/anders/pwgen)
* [drduh/pwd.sh](https://github.com/drduh/pwd.sh)
* [bndw/pick: command-line password manager for macOS and Linux](https://github.com/bndw/pick)
* [Pass: the standard unix password manager](https://www.passwordstore.org/)
* [anders/pwgen: generate passwords using OS X Security framework](https://github.com/anders/pwgen)
* [caodonnell/passman.sh: a pwd.sh fork](https://github.com/caodonnell/passman.sh)
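Review bot: the clipboard example `./purse.sh r github | cut -f 1 -d ' ' | awk 'NR==4{print $1}' | xclip` puts the password into the X PRIMARY selection, not the CLIPBOARD selection that Ctrl+V pastes; use `xclip -selection clipboard` (the `cut` stage is redundant once awk prints `$1`). The secret then stays in the selection until something overwrites it, so the README should say how to clear it, and the pipeline silently depends on the password sitting on line 4 of the `r` output, which the README does not document. Separately, the new sentence "the recipient key ID is **not** included in GPG metadata" describes behaviour that none of the purse.sh hunks in this commit show (no `--hidden-recipient` or `--throw-keyids` appears in the diff); confirm the encrypt function actually does this before the claim ships.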

View File

@ -1,12 +1,15 @@
#!/usr/bin/env bash
# https://github.com/drduh/Purse
set -o errtrace
set -o nounset
set -o pipefail
umask 077
filter="$(command -v grep) -v -E"
gpg="$(command -v gpg || command -v gpg2)"
safe="${PURSE_SAFE:=.purse}"
safe="${PURSE_SAFE:=purse.enc}"
keyid="0xFF3E7D88647EBCDB"
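Review bot: `keyid="0xFF3E7D88647EBCDB"` stays hard-coded while the safe path in the line above just gained a `PURSE_SAFE` environment override; the README's "Then modify it to use the preferred GPG key ID" asks every user to edit the script, which turns each upgrade into a manual merge. Mirror the safe handling with `keyid="${PURSE_KEYID:=0xFF3E7D88647EBCDB}"`. Also, `set -o errtrace` only controls whether an ERR trap is inherited by functions and subshells and does not abort on failure by itself; if abort-on-error is the intent, `set -o errexit` is the option. `gpg="$(command -v gpg || command -v gpg2)"` leaves `gpg` empty when neither binary is installed, so a `[[ -n "${gpg}" ]] || fail "gpg not found"` right after it would give a clearer error than a later "command not found". Finally, `umask 077` only governs files created from this point on; an existing `purse.enc` keeps whatever mode it already has.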
@ -61,7 +64,7 @@ encrypt () {
read_pass () {
# Read a password from safe.
if [[ ! -s ${safe} ]] ; then fail "No password safe found" ; fi
if [[ ! -s ${safe} ]] ; then fail "${safe} not found" ; fi
if [[ -z "${2+x}" ]] ; then read -r -p "
Username (Enter for all): " username
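Review bot: the test `[[ ! -s ${safe} ]]` is also true when the file exists but is empty, so the new message `"${safe} not found"` is misleading in that case; `"${safe} not found or empty"` describes what the check actually detects.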
@ -158,20 +161,14 @@ print_help () {
# Print help text.
echo "
purse is a shell script to manage passwords with GnuPG asymmetric encryption.
It is recommended to be used with a Yubikey or other hardware token.
The script can run interactively as './purse.sh' or with the following args:
Purse is a password manager shell script using GnuPG asymmetric encryption. It is recommended for use with Yubikey or similar hardware token. Purse can be used interactively or with one of the following options:
* 'r' to read a password
* 'w' to write a password
* 'd' to delete a password
* 'h' to see this help text
* 'h' to print this help text
A username can be supplied as an additional argument or 'all' for all entries.
For writing, a password length can be appended. Append 'q' to suppress output.
A username, password length and 'q' options can also be used.
Examples:
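Review bot: the rewritten help drops the `all` keyword. The old text said a username "or 'all' for all entries" can be supplied, and the `read_pass` prompt in this same commit still offers "Enter for all", but the new line "A username, password length and 'q' options can also be used." no longer tells the user that `all` is accepted. Keep a clause such as "or 'all' for every entry" in the help so the documented interface matches the prompt.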
@ -187,7 +184,7 @@ print_help () {
./purse.sh w github 50
* To suppress the generated password:
* Generate a password and write without displaying it:
./purse.sh w github 50 q
@ -195,10 +192,7 @@ print_help () {
./purse.sh d mail
A password cannot be supplied as an argument, nor is used as one throughout
the script, to prevent it from appearing in process listing or logs.
To report a bug, visit https://github.com/drduh/purse"
A password cannot be supplied as an argument, nor is used as one in the script, to prevent it from appearing in process listing or logs."
}
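Review bot: grammar in the retained closing sentence: "nor is used as one in the script" should read "nor is it used as one within the script". Dropping the "To report a bug" line is fine, since the repository URL already appears in the header comment `# https://github.com/drduh/Purse`.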