.github | ||
.gitignore | ||
LICENSE.md | ||
purse.sh | ||
README.md |
Purse is a fork of drduh/pwd.sh.
Both programs are Bash shell scripts which use GnuPG to manage passwords and other secrets in encrypted text files. Purse is based on asymmetric (public-key) authentication, while pwd.sh is based on symmetric (password-based) authentication.
While both scripts use a trusted crypto implementation (GnuPG) and safely handle passwords (never saving plaintext to disk, only using shell built-ins), Purse eliminates the need to remember a main passphrase - just plug in a YubiKey, enter the PIN, then touch it to decrypt a password to clipboard.
Install
This script requires a GnuPG identity - see drduh/YubiKey-Guide to set one up.
For the latest version, clone the repository or download the script directly:
git clone https://github.com/drduh/Purse
wget https://github.com/drduh/Purse/blob/master/purse.sh
Versioned Releases are also available.
Use
Run the script interactively using ./purse.sh
or symlink to a directory in PATH
:
w
to write a passwordr
to read a passwordl
to list passwordsb
to create an archive for backuph
to print the help text
Options can also be passed on the command line.
Create a 20-character password for userName
:
./purse.sh w userName 20
Read password for userName
:
./purse.sh r userName
Passwords are stored with an epoch timestamp for revision control. The most recent version is copied to clipboard on read. To list all passwords or read a specific version of a password:
./purse.sh l
./purse.sh r userName@1574723600
Create an archive for backup:
./purse.sh b
Restore an archive from backup:
tar xvf purse*tar
Configure
Several customizable options and features are also available, and can be configured with environment variables, for example in the shell rc file:
Variable | Description | Default | Values |
---|---|---|---|
PURSE_CLIP |
clipboard to use | xclip |
pbcopy on macOS |
PURSE_CLIP_ARGS |
arguments to pass to clipboard command | unset (disabled) | -i -selection clipboard to use primary (control-v) clipboard with xclip |
PURSE_TIME |
seconds to clear password from clipboard/screen | 10 |
any valid integer |
PURSE_LEN |
default generated password length | 14 |
any valid integer |
PURSE_COPY |
copy password to clipboard before write | unset (disabled) | 1 or true to enable |
PURSE_DAILY |
create daily backup archive on write | unset (disabled) | 1 or true to enable |
PURSE_ENCIX |
encrypt index for additional privacy; 2 YubiKey touches will be required for separate decryption operations | unset (disabled) | 1 or true to enable |
PURSE_COMMENT |
unencrypted comment to include in index and safe files | unset | any valid string |
PURSE_CHARS |
character set for passwords | [:alnum:]!?@#$%^&*();:+= |
any valid characters |
PURSE_DEST |
password output destination, will set to screen without clipboard |
clipboard |
clipboard or screen |
PURSE_ECHO |
character used to echo password input | * |
any valid character |
PURSE_SAFE |
safe directory name | safe |
any valid string |
PURSE_INDEX |
index file name | purse.index |
any valid string |
PURSE_BACKUP |
backup archive file name | purse.$hostname.$today.tar |
any valid string |
Note For additional privacy, the recipient key ID is not included in metadata (GnuPG throw-keyids
option).
See config/gpg.conf for additional GnuPG options.