A few months ago I decided I was not happy with the password vault options that I had. So, in the true unix spirit, I decided to write my own. I wanted to make sure I met the following requirements.

Previously I had been using pass, but it had (what I thought) were a few rough edges and some unnecessary features (I don't use git). Originally I figured I would augment pass to fit my preferences. However, upon looking at the code, I decided that modifying pass and / or removing undesired features was take longer than (re)writing something from scratch. Thus pwvault was forked.

PWVault does use the following programs.

PWVault will create a .pwvaultrc file in your home directory and (by default) store the password vault in the .pwvault directory in your home directory. You can change the default location of the .pwvault directory by setting the PWVAULT variable in the .pwvaultrc file or by PWVAULT environment variable. This means that you can have multiple different password vault and easily specify which one you want to use. PWVault stores each password in a separate GPG encrypted file inside of the .pwvault directory. You can optionally make sub-directories there in to organize stored passwords as desired.

Here is the output of pwvault -h:

#[gtaylor@tncsrv04:~/]$ ./pwvault -h
usage:  pwvault [v[ault] ] [delete|g[enerate]|h[elp]|i[nsert]|l[ist]|r[ename]|u[pdate]]
    delete        Delete an existing password.
    g|generate    Generate a new password using pwgen.
    i|insert      Insert a new password.
    l|list        List existing password(s).
    r|rename      Rename an existing password.
    h|help        Display the help / syntax.
    u|update      Update an existing password.
    v|vault       Specify which pwvault to use.

As you can see pwvault accepts eight different commands; list, insert, update, delete, rename, generate, help and vault. You can also use the single (first) letter of all of the non-destructive commands. The insert and update commands behave like their SQL counterpart, meaning you can only insert a password if it does not already exist and that you can only update a password if it does exist. If you try to update a nonexistent password, or insert to an existing password, pwvault will exit with a non-zero status, thus allowing you to pragmatically detect the error.

I have been using pwvault for multiple months with tremendous success, as have a few of my colleagues, so I figured that it was ready to be shared with the world at large. I have even created and / or updated other scripts to rely on pwvault to make my life easier, including pwchanger an expect script to streamline changing passwords.


Note: I use pwvault so frequently that I created the following alias to make it faster to use.

alias pwv='pwvault'

Update - 2014-11-25

While helping a coworker set PWVault up for the first time it became apparent that there were a number of things that I had done to my system to tweak my environment to my preferences. Unfortunately this meant that there were some (undocumented) requirements that PWVault had. So, here's a small update to document them.

See also:
Changing passwords in mass