#!/usr/bin/env bash # https://github.com/drduh/Purse set -o errtrace set -o nounset set -o pipefail #set -x # uncomment to debug umask 077 now=$(date +%s) copy="$(command -v xclip || command -v pbcopy)" gpg="$(command -v gpg || command -v gpg2)" backuptar="${PURSE_BACKUP:=purse.$(hostname).$(date +%F).tar}" keyid="${PURSE_KEYID:=0xFF3E7D88647EBCDB}" safeix="${PURSE_INDEX:=purse.index}" safedir="${PURSE_SAFE:=safe}" timeout=9 fail () { # Print an error message and exit. tput setaf 1 1 1 ; printf "\nError: ${1}\n" ; tput sgr0 exit 1 } get_pass () { # Prompt for a password. password="" prompt="${1}" while IFS= read -p "${prompt}" -r -s -n 1 char ; do if [[ ${char} == $'\0' ]] ; then break elif [[ ${char} == $'\177' ]] ; then if [[ -z "${password}" ]] ; then prompt="" else prompt=$'\b \b' password="${password%?}" fi else prompt="*" password+="${char}" fi done } decrypt () { # Decrypt with GPG. cat "${1}" | ${gpg} --armor --batch --decrypt 2>/dev/null } encrypt () { # Encrypt to a recipient. ${gpg} --encrypt --armor --batch --yes --throw-keyids \ --recipient ${keyid} --output "${1}" "${2}" } read_pass () { # Read a password from safe. if [[ ! -s ${safeix} ]] ; then fail "${safeix} not found" ; fi username="" while [[ -z "${username}" ]] ; do if [[ -z "${2+x}" ]] ; then read -r -p " Username: " username else username="${2}" ; fi done prompt_key "index" spath=$(decrypt ${safeix} | \ grep -F "${username}" | tail -n1 | cut -d : -f2) || \ fail "Decryption failed" prompt_key "password" clip <(decrypt ${spath} | head -n1) || \ fail "Decryption failed" } prompt_key () { # Print a message if safe file exists. if [[ -f "${safeix}" ]] ; then printf "\n Touch key to access ${1} ...\n\n" fi } gen_pass () { # Generate a password using GPG. len=20 max=80 if [[ -z "${3+x}" ]] ; then read -p " Password length (default: ${len}, max: ${max}): " length else length="${3}" ; fi if [[ ${length} =~ ^[0-9]+$ ]] ; then len=${length} ; fi # base64: 4 characters for every 3 bytes ${gpg} --armor --gen-random 0 "$((${max} * 3/4))" | cut -c -"${len}" } write_pass () { # Write a password and update index file. fpath=$(tr -dc "[:lower:]" < /dev/urandom | fold -w8 | head -n1) spath=${safedir}/${fpath} printf '%s\n' "${userpass}" | \ encrypt ${spath} - || \ fail "Failed to put ${spath}" prompt_key "index" ( if [[ -f "${safeix}" ]] ; then decrypt ${safeix} || return ; fi printf "${username}@${now}:${spath}\n") | \ encrypt ${safeix}.${now} - || \ fail "Failed to put ${safeix}.${now}" mv ${safeix}{.${now},} } list_entry () { # Decrypt the index to list entries. if [[ ! -s ${safeix} ]] ; then fail "${safeix} not found" ; fi prompt_key "index" decrypt ${safeix} || fail "Decryption failed" } backup () { # Archive encrypted index and safe directory. if [[ -f ${safeix} && -d ${safedir} ]] ; then \ tar cfv ${backuptar} ${safeix} ${safedir} else fail "Nothing to archive" ; fi printf "\nArchived ${backuptar}\n" ; \ } clip () { # Use clipboard and clear after timeout. ${copy} < ${1} printf "\n" shift while [ $timeout -gt 0 ] ; do printf "\r\033[KPassword on clipboard! Clearing in %.d" $((timeout--)) sleep 1 done printf "" | ${copy} } new_entry () { # Prompt for new username and/or password. username="" while [[ -z "${username}" ]] ; do if [[ -z "${2+x}" ]] ; then read -r -p " Username: " username else username="${2}" ; fi done if [[ -z "${3+x}" ]] ; then get_pass " Password for \"${username}\" (Enter to generate): " userpass="${password}" fi if [[ -z "${password}" ]] ; then userpass=$(gen_pass "$@") ; fi } print_help () { # Print help text. printf """ Purse is a Bash shell script to manage passwords with GnuPG asymmetric encryption. It is designed and recommended to be used with Yubikey as the secret key storage. Purse can be used interactively or by passing one of the following options: * 'w' to write a password * 'r' to read a password * 'l' to list passwords * 'b' to create an archive for backup Example usage: * Generate a 30 character password for 'userName': ./purse.sh w userName 30 * Copy the password for 'userName' to clipboard: ./purse.sh r userName * List stored passwords and copy a previous version: ./purse.sh l ./purse.sh r userName@1574723625 * Create an archive for backup: ./purse.sh b * Restore an archive from backup: tar xvf purse*tar""" } if [[ -z ${gpg} && ! -x ${gpg} ]] ; then fail "GnuPG is not available" ; fi if [[ ! -d ${safedir} ]] ; then mkdir -p ${safedir} ; fi chmod -R 0600 ${safeix} 2>/dev/null chmod -R 0700 ${safedir} 2>/dev/null password="" action="" if [[ -n "${1+x}" ]] ; then action="${1}" ; fi while [[ -z "${action}" ]] ; do read -n 1 -p " Read or Write (or Help for more options): " action printf "\n" done if [[ "${action}" =~ ^([hH])$ ]] ; then print_help elif [[ "${action}" =~ ^([bB])$ ]] ; then backup elif [[ "${action}" =~ ^([lL])$ ]] ; then list_entry elif [[ "${action}" =~ ^([wW])$ ]] ; then new_entry "$@" write_pass else read_pass "$@" ; fi chmod -R 0400 ${safeix} ${safedir} 2>/dev/null tput setaf 2 2 2 ; printf "\nDone\n" ; tput sgr0