mirror of https://github.com/octoleo/Purse.git synced 2024-12-28 03:45:04 +00:00
GPG asymmetric (YubiKey) password manager

Purse

Purse is a fork of drduh/pwd.sh.

Both programs are Bash shell scripts which use GnuPG to manage passwords and other secrets in encrypted text files. Purse is based on asymmetric (public-key) authentication, while pwd.sh is based on symmetric (password-based) authentication.

While both scripts use a trusted crypto implementation (GnuPG) and safely handle passwords (never saving plaintext to disk), Purse eliminates the need to remember and use a master password - just plug in a YubiKey, enter the PIN, then touch it to decrypt a password to clipboard.

By using Purse with YubiKey, the risk of master password theft or keylogging is eliminated - only physical possession of the YubiKey AND knowledge of the PIN can unlock the encrypted index and password files.

Release notes

See Releases

Use

This script requires a GnuPG identity - see drduh/YubiKey-Guide to set one up. Multiple identities stored on several YubiKeys are recommended for improved durability and reliability.

Clone the repository:

git clone https://github.com/drduh/Purse

Or download the script directly:

wget https://raw.githubusercontent.com/drduh/Purse/master/purse.sh

(Version 2b and older) Set the GnuPG key ID with export PURSE_KEYID=0xFF3E7D88647EBCDB or by editing purse.sh.

Run the script interactively using ./purse.sh or symlink to a directory in PATH:

  • Type w to write a password
  • Type r to read a password
  • Type l to list passwords
  • Type b to create an archive for backup
  • Type h to print the help text

Options can also be passed on the command line.

Example usage:

Create a 20-character password for userName:

./purse.sh w userName 20

Read password for userName:

./purse.sh r userName

Passwords are stored with a timestamp for revision control. The most recent version is copied to clipboard on read. To list all passwords or read a specific version of a password:

./purse.sh l

./purse.sh r userName@1574723600
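The read examples above rely on the "name@timestamp" naming that Purse uses for revisions: a bare name selects the newest version, and "name@timestamp" selects one exact revision. The following added example, which is not code from purse.sh, shows that selection logic over a constructed index; the index format (one "name@unix-timestamp" entry per line) and the sample entries are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not purse.sh's own code): resolve "name" or "name@timestamp"
# requests against an index in the "name@unix-timestamp" form the README shows.
# The index format and the sample entries below are constructed for illustration.

# Constructed sample index: one "name@timestamp" entry per line, in arbitrary order.
SAMPLE_INDEX='userName@1574723600
otherUser@1574723700
userName@1574810000
userName@1574700000'

# Print every stored timestamp for a name, newest first.
purse_versions() {
  printf '%s\n' "$SAMPLE_INDEX" | awk -F'@' -v n="$1" '$1 == n { print $2 }' | sort -rn
}

# Print the newest timestamp for a name: the revision a plain "r name" would copy.
purse_latest() {
  purse_versions "$1" | head -n 1
}

# Resolve a read request to one exact entry. A bare name selects the newest
# revision; "name@timestamp" selects that revision only and fails if it is not
# in the index, so a mistyped timestamp never silently falls back to another one.
purse_resolve() {
  case "$1" in
    *@*)
      pr_name="${1%@*}"
      pr_ts="${1##*@}"
      purse_versions "$pr_name" | grep -qx "$pr_ts" || return 1
      printf '%s@%s\n' "$pr_name" "$pr_ts"
      ;;
    *)
      pr_ts=$(purse_latest "$1")
      [ -n "$pr_ts" ] || return 1
      printf '%s@%s\n' "$1" "$pr_ts"
      ;;
  esac
}

# Stand-alone demonstration.
purse_resolve userName            # userName@1574810000
purse_resolve userName@1574723600 # userName@1574723600
purse_resolve noSuchUser || echo "no entry"
```

Keeping the "exact revision or fail" rule matters for a password store: if an old timestamp were silently replaced by the newest revision, a restore of a deliberately chosen older password would paste the wrong secret.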

Create an archive for backup:

./purse.sh b

Restore an archive from backup:

tar xvf purse*tar

Note: For additional privacy, the recipient key ID is not included in metadata (throw-keyids option).
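To see what the throw-keyids option changes, and how the public-key encryption described at the top of this README behaves for the key holder, here is an added example that is not part of purse.sh. It encrypts the same plaintext with and without --throw-keyids and uses gpg --list-packets to show that only the second ciphertext carries no recipient key ID, then confirms the hidden-recipient ciphertext still decrypts. It assumes gpg is installed; the throwaway key "purse-demo" and the file names are constructed for the demo and are created in a temporary GNUPGHOME.

```shell
#!/bin/sh
# Added example (not purse.sh's own code): encrypt a secret to a public key with
# GnuPG's --throw-keyids and inspect the result with --list-packets to confirm
# that the recipient's key ID is not recorded in the ciphertext. A throwaway,
# unprotected key is generated in a temporary GNUPGHOME; the user ID
# "purse-demo" and the file names are constructed for this demo.

# Return 0 if the public-key encrypted session key packet in file $1 carries
# an all-zero key ID (recipient hidden), 1 if a real key ID is visible.
recipient_hidden() {
  gpg --batch --quiet --list-packets "$1" 2>/dev/null | grep -q 'keyid 0000000000000000'
}

# Generate a key, encrypt the same plaintext with and without --throw-keyids,
# then print one word per check: whether the throw-keyids ciphertext hides the
# recipient, whether the plain one does, and whether the hidden one still decrypts.
purse_throw_keyids_demo() {
  demo_home=$(mktemp -d)
  chmod 700 "$demo_home"
  GNUPGHOME="$demo_home"
  export GNUPGHOME

  # Unprotected throwaway key so nothing prompts for a passphrase.
  gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
      --quick-generate-key purse-demo default default never 2>/dev/null

  printf 'example-password\n' > "$demo_home/secret.txt"

  # Same plaintext, same recipient: only the second ciphertext omits the key ID.
  gpg --batch --quiet --trust-model always --recipient purse-demo \
      --output "$demo_home/visible.gpg" --encrypt "$demo_home/secret.txt"
  gpg --batch --quiet --trust-model always --throw-keyids --recipient purse-demo \
      --output "$demo_home/hidden.gpg" --encrypt "$demo_home/secret.txt"

  if recipient_hidden "$demo_home/hidden.gpg"; then echo hidden; else echo visible; fi
  if recipient_hidden "$demo_home/visible.gpg"; then echo hidden; else echo visible; fi

  # With the key ID thrown away, gpg tries each available secret key instead of
  # looking one up, so decryption still works for the holder of the private key.
  if [ "$(gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
             --decrypt "$demo_home/hidden.gpg" 2>/dev/null)" = "example-password" ]; then
    echo decrypts
  else
    echo fails
  fi

  gpgconf --kill gpg-agent 2>/dev/null || true
  rm -rf "$demo_home"
}

# Stand-alone demonstration: expected output is "hidden", "visible", "decrypts".
if command -v gpg >/dev/null 2>&1; then
  purse_throw_keyids_demo
else
  echo "gpg not found" >&2
fi
```

The "visible" result for the plain ciphertext is the metadata leak the option removes: anyone holding the file can otherwise read which key it was encrypted to. The cost is that gpg has to try every secret key on decryption, which is why a hidden-recipient file decrypts slightly more slowly when several keys are present.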

The password index file can also be encrypted by changing the encrypt_index variable to true in the script.

See config/gpg.conf for additional configuration options.