PWVault
A few months ago I decided I was not happy with the password vault options that I had. So, in the true unix spirit, I decided to write my own. I wanted to make sure I met the following requirements.
- Be simple to use.
- Use industry standard encryption, ala GPG.
- Work with standard in and standard out (read: unix pipes).
- Be small and easy to maintain (read: 135 line unix shell script).
- SQL like behavior with inserts and updates.
- Cisco IOS like command abbreviation.
Previously I had been using pass, but it had (what I thought were) a few rough edges and some unnecessary features (I don't use git). Originally I figured I would augment pass to fit my preferences. However, upon looking at the code, I decided that modifying pass and / or removing undesired features would take longer than (re)writing something from scratch. Thus pwvault was forked.
PWVault does use the following programs.
- GPG - for industry standard encryption
- pwgen - to (optionally) generate passwords
- tree - to display the contents of the password vault
PWVault will create a .pwvaultrc file in your home directory and (by default) store the password vault in the .pwvault directory in your home directory. You can change the default location of the .pwvault directory by setting the PWVAULT variable in the .pwvaultrc file or by setting the PWVAULT environment variable. This means that you can have multiple different password vaults and easily specify which one you want to use. PWVault stores each password in a separate GPG encrypted file inside of the .pwvault directory. You can optionally make sub-directories therein to organize stored passwords as desired.
Here is the output of pwvault -h:
#[gtaylor@tncsrv04:~/]$ ./pwvault -h
usage: pwvault [v[ault]] [delete|g[enerate]|h[elp]|i[nsert]|l[ist]|r[ename]|u[pdate]]
    delete      Delete an existing password.
    g|generate  Generate a new password using pwgen.
    i|insert    Insert a new password.
    l|list      List existing password(s).
    r|rename    Rename an existing password.
    h|help      Display the help / syntax.
    u|update    Update an existing password.
    v|vault     Specify which pwvault to use.
#[gtaylor@tncsrv04:~/]$
As you can see, pwvault accepts eight different commands: list, insert, update, delete, rename, generate, help and vault. You can also use the single (first) letter of any of the non-destructive commands. The insert and update commands behave like their SQL counterparts, meaning you can only insert a password if it does not already exist and you can only update a password if it does exist. If you try to update a nonexistent password, or insert over an existing password, pwvault will exit with a non-zero status, allowing you to programmatically detect the error.
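To make the insert / update semantics and the one-file-per-entry layout concrete, here is a small POSIX sh sketch. It is an added example, not the pwvault script itself (which is not reproduced on this page); the PWVAULT_ENCRYPT override is an assumption of this example only, so the logic can be exercised without a keyring, and entry names like work/mail are constructed.

```shell
#!/bin/sh
# Added example, not the pwvault script: a minimal vault with pwvault's
# SQL-like insert/update semantics. One entry = one GPG-encrypted file under
# $PWVAULT (default ~/.pwvault), resolved at call time so vaults can be switched.

vault_dir() { printf '%s\n' "${PWVAULT:-$HOME/.pwvault}"; }

# PWVAULT_ENCRYPT is an assumption of this example (not a pwvault feature):
# it lets the logic run without a keyring; the default is the real gpg call.
encrypt_cmd() {
    printf '%s\n' "${PWVAULT_ENCRYPT:-gpg --batch --quiet --encrypt --default-recipient-self}"
}

# vault_entry_path NAME: print the entry's file; reject names that leave the vault.
vault_entry_path() {
    case "$1" in
        ''|/*|*..*) echo "pwvault: bad entry name '$1'" >&2; return 1 ;;
    esac
    printf '%s/%s.gpg\n' "$(vault_dir)" "$1"
}

# vault_store NAME: encrypt stdin into the entry file, created owner-readable only.
vault_store() {
    path=$(vault_entry_path "$1") || return 1
    mkdir -p "$(dirname "$path")" || return 1
    ( umask 077; $(encrypt_cmd) > "$path" )
}

# vault_insert NAME: like SQL INSERT, exit non-zero if the entry already exists.
vault_insert() {
    path=$(vault_entry_path "$1") || return 1
    if [ -e "$path" ]; then echo "pwvault: $1 already exists" >&2; return 1; fi
    vault_store "$1"
}

# vault_update NAME: like SQL UPDATE, exit non-zero if the entry does not exist.
vault_update() {
    path=$(vault_entry_path "$1") || return 1
    if [ ! -e "$path" ]; then echo "pwvault: $1 does not exist" >&2; return 1; fi
    vault_store "$1"
}

# vault_generate NAME [LEN]: the g|generate command, pwgen feeding insert.
vault_generate() { pwgen -s "${2:-20}" 1 | vault_insert "$1"; }
```

Because every failure path returns a non-zero status, a caller such as a password-changing script can rely on the exit code rather than parsing messages.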
I have been using pwvault for multiple months with tremendous success, as have a few of my colleagues, so I figured that it was ready to be shared with the world at large. I have even created and / or updated other scripts to rely on pwvault to make my life easier, including pwchanger, an expect script to streamline changing passwords.
Note: I use pwvault so frequently that I created the following alias to make it faster to use.
alias pwv='pwvault'
Update - 2014-11-25
While helping a coworker set PWVault up for the first time it became apparent that there were a number of things that I had done to my system to tweak my environment to my preferences. Unfortunately this meant that there were some (undocumented) requirements that PWVault had. So, here's a small update to document them.
- A functional GPG configuration is a hard requirement, there is no way around this. (gpg --gen-key and follow the prompts.)
  - Note, I have my ~/.gnupg/gpg.conf file configured to add myself as a recipient by default: default-recipient-self
- While not strictly required, configuring Gnome Seahorse to act as a GPG Agent is strongly desirable so that you aren't prompted for GPG pass phrases all the time.
  - Install the (RHEL / CentOS) seahorse-plugins and configure Seahorse to act as a GPG Agent.
- See also:
- PWChanger
- Changing passwords in mass