Skip to content
/ Purse Public

GnuPG asymmetric secrets manager

License

MIT license
584 stars 45 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

drduh/Purse

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

101 Commits
.github
.github
 
 
.gitignore
.gitignore
 
 
LICENSE.md
LICENSE.md
 
 
README.md
README.md
 
 
purse.sh
purse.sh
 
 

Repository files navigation

Purse is a Bash shell script based on drduh/pwd.sh.

Both programs use GnuPG to manage secrets in encrypted text files. Purse is based on asymmetric (public-key) authentication, while pwd.sh is based on symmetric (passphrase-based) authentication.

Purse eliminates the need for a passphrase: plug in the YubiKey, enter PIN and touch it to access secrets.

Important

A GnuPG identity is required to use Purse - see drduh/YubiKey-Guide to set one up.

Install

Purse is available for download from Releases, or directly from GitHub:

wget https://github.com/drduh/Purse/blob/master/purse.sh

Use

Run the script interactively using ./purse.sh or symlink to a directory in PATH:

  • w to create a secret
  • r to access a secret
  • l to list all secrets
  • b to create a backup archive
  • h to print the help text

Options can also be passed on the command line.

Create a 20-character password for userName:

./purse.sh w userName 20

Read password for userName:

./purse.sh r userName

Passwords are stored with an epoch timestamp for revision control. The most recent version is copied to clipboard on read. To list all passwords or read a specific version of a password:

./purse.sh l

./purse.sh r userName@1574723600

Create an archive for backup:

./purse.sh b

Restore an archive from backup:

tar xvf purse*tar

Configure

See config/gpg.conf for recommended GnuPG options.

Several customizable options and features are also available, and can be configured with environment variables, for example in the shell rc file:

Variable Description Default Available options
PURSE_CLIP clipboard to use xclip pbcopy on macOS
PURSE_CLIP_ARGS arguments to pass to clipboard command unset (disabled) -i -selection clipboard to use primary (control-v) clipboard with xclip
PURSE_TIME seconds to clear password from clipboard/screen 10 any valid integer
PURSE_LEN default generated password length 14 any valid integer
PURSE_COPY copy password to clipboard before write unset (disabled) 1 or true to enable
PURSE_DAILY create daily backup archive on write unset (disabled) 1 or true to enable
PURSE_ENCIX encrypt index for additional privacy; 2 YubiKey touches will be required for separate decryption operations unset (disabled) 1 or true to enable
PURSE_COMMENT unencrypted comment to include in index and safe files unset any valid string
PURSE_CHARS character set for passwords [:alnum:]!?@#$%^&*();:+= any valid characters
PURSE_DEST password output destination, will set to screen without clipboard clipboard clipboard or screen
PURSE_ECHO character used to echo password input * any valid character
PURSE_SAFE safe directory name safe any valid string
PURSE_INDEX index file name purse.index any valid string
PURSE_BACKUP backup archive file name purse.$hostname.$today.tar any valid string

Note

For privacy, the recipient key ID is not included in metadata (using the GnuPG throw-keyids option).

About

GnuPG asymmetric secrets manager

Topics

bash security unix encryption password-manager gnupg gpg secrets password bash-script file-encryption secrets-management

Resources

Readme

License

MIT license
Activity

Stars

584 stars

Watchers

15 watching

Forks

45 forks
Report repository

Releases 5

Version 3 Latest
Jul 5, 2024
+ 4 releases

Sponsor this project

 
Learn more about GitHub Sponsors

Contributors 7

Languages