A password manager for the sneakernet.
Sigil is a secure, PGP-backed password manager for your command line. It allows you to store your secrets inside an encrypted vault that can only be opened using your PGP key. You can also use it to store OTP generators and retrieve tokens whenever you like.
It is as resilient as text files: a Sigil vault is a TOML file encrypted with PGP, so it can be decrypted using any PGP implementation of your choice. This means your secrets will always remain at your disposal and under your control, even when your fancy, cloud-based password manager shuts down or you can't access (or trust) your phone. In fact, even if Sigil were to go away for whatever reason, your passwords would still be a mere `gpg --decrypt` away.
You could throw your vault in a git repository or on an FTP server (or even take your chances with Dropbox or Google Drive) and have your secrets sync across your devices, with the peace of mind that they are safe: the service only ever sees ciphertext, though it still learns when and how often the vault changes. As a rule of thumb, wherever a file can go, so can your vault.
Releases are signed, as are individual commits in this repository.
- Secure: as much as OpenPGP and your system
- Lasting: if text files are not going away, neither are your secrets
- Portable: syncs through the sneakernet
- Auditable: as open source software, you're free to inspect, audit and build Sigil on your own
Why PGP? Because it has been around for a (long) while, it is battle-tested and available on many platforms. Its implementations are mission-critical pieces of software that can rely on the experience of a community of experts.
It also has the advantage of being quite widespread, so it is safe to assume that a large chunk of the target audience already has, and is confident using, a PGP key.
Why not a cloud-based password manager? Because it can easily be made unavailable by a malicious actor, or turn out to be less lasting than you thought and shut down, leaving you with a pile of data in a proprietary format. In some jurisdictions the provider may also be compelled to reveal metadata about your usage (or worse, your secrets!), and you have no way to be confident that such a leak will not simply be caused by a bona fide implementation error.
Why not pass? There really isn't an answer here: pass is just as good, but you may find it troublesome to handle, move and sync its directory-based structure. In the end, Sigil follows the same philosophy of security and composability. Tab completion for password names, though, is not feasible with Sigil, since the names live inside the encrypted vault rather than as file names.
Why keep OTP generators on your computer rather than your phone? The principle behind two-factor authentication is combining something you know (a password, even though we're cheating here) and something you own (such as a phone). The thing is, you own your PC just as much as your phone; it is even arguable that you may have (and be able to maintain) more control over your computer than over an easily stolen/reset/bricked/unlocked phone.
Furthermore, the chances of a successful remote attack exfiltrating a PGP-encrypted file, plus your private key (somehow decrypted), from your computer should be pretty much the same as those of such an attack against your phone, so the issue really boils down to which device you feel more confident in physically protecting. There's no actual reason to prefer your phone over your PC outright. Bear in mind, though, that keeping a password and its OTP generator in the same vault collapses the two factors into one: whoever can decrypt the vault gets both.
If you want to be extra sure, you can also combine your vault with an external hardware token (such as an OpenPGP smart card) that holds your PGP private key and never exports it, so decrypting the vault requires both the file and the token.
Sigil relies on GPGME as provided by libgpgme11-dev, which is available on many Linux distros and is probably already installed. In case it's missing, please install it.
To install the latest release of Sigil, use `sh -c "$(curl -sSL https://raw.githubusercontent.com/ALCC01/sigil/master/tools/install.sh)"`. Please note that though release files are signed, this installer does not verify them: if that matters to you, download the script and read it before running it, and check the release signature with `gpg --verify` yourself.
Sigil is currently developed using Rust 1.27; you can use rustup.rs to install it along with Cargo.
To compile and install it, use `cargo install --git ssh://git@github.com/ALCC01/sigil` (the ssh:// URL requires an SSH key registered with GitHub; https://github.com/ALCC01/sigil works without one). Make sure your PATH contains `$HOME/.cargo/bin`.
After the installation is over, there are other steps you may want to take to increase the usability and security of Sigil.
In your .bashrc file (or its equivalent for your shell of choice):
- Add `export SIGIL_VAULT="$HOME/.sigil.vault"`, or whatever path you want your vault to be written to.
- Add `export SIGIL_GPGKEY="me@example.com"`, or pretty much anything that could be used as a `--recipient` with `gpg --encrypt`, hinting which key you're going to encrypt your vault with.
The following instructions assume that you export these environment variables; otherwise you'll need to use the `--vault` and `--key` arguments.
You may also want to avoid your shell saving your secrets in its history when you provide them as command line arguments (using bash this is possible by adding `HISTIGNORE="$HISTIGNORE:sigil *"` to your .bashrc file). Keep in mind that command line arguments are also visible to other local users through `ps` or /proc while the command runs. If feasible, avoid the CLI arguments altogether and rely on the interactive mode.
You can create your vault using `sigil touch`. And you're done.
You can store a password in your vault using the `sigil password add` command, either providing the relevant arguments (use the `--help` option for info) or providing none and following the interactive setup.
Retrieving your password is just as easy: use the `sigil password get <name>` command. Don't remember the name you assigned to the password? `sigil ls`.
`sigil password rm <name>` and then it's gone.
Sigil provides the `sigil password generate <chars>` utility command to generate random passwords of `chars` length.
You can store an OTP generator in your vault using the `sigil otp add` command, either providing the relevant arguments (use the `--help` option for info) or providing none and following the interactive setup.
You can generate an OTP token using `sigil otp token <name> <counter>`. `<counter>` is only needed for HOTP generators. Don't remember the name you assigned to the generator? `sigil ls`.
Many services will issue you an `otpauth://` URL (or its QR representation). You can import such a URL using `sigil otp import <url>`.
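To make concrete what `sigil otp import <url>` has to understand and what `sigil otp token` computes, here is an added example (not Sigil's own code, which is in Rust and is not shown on this page) that parses an `otpauth://` URL into its fields and derives HOTP and TOTP tokens per RFC 4226 and RFC 6238. The two sample URLs are constructed for this example and carry the RFC test key `12345678901234567890` in base32, so the resulting tokens can be checked against the RFC test vectors.

```python
"""Parse otpauth:// URLs and derive HOTP/TOTP tokens (RFC 4226 / RFC 6238)."""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample URLs (not taken from Sigil or any real service). The secret
# is the RFC 4226 / RFC 6238 test key "12345678901234567890", base32-encoded as
# issuers do in otpauth:// URLs.
SAMPLE_HOTP_URL = ("otpauth://hotp/Example:alice%40example.com"
                   "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example&counter=0")
SAMPLE_TOTP_URL = ("otpauth://totp/Example:alice%40example.com"
                   "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example"
                   "&algorithm=SHA1&digits=8&period=30")

_HASHES = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}


def parse_otpauth(url: str) -> dict:
    """Split otpauth://{hotp,totp}/LABEL?secret=...&... into a generator spec."""
    parts = urlparse(url)
    if parts.scheme != "otpauth":
        raise ValueError("not an otpauth:// URL")
    otp_type = parts.netloc.lower()          # "hotp" or "totp"
    if otp_type not in ("hotp", "totp"):
        raise ValueError("unsupported OTP type: %r" % otp_type)
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    if "secret" not in params:
        raise ValueError("otpauth URL has no secret parameter")
    algorithm = params.get("algorithm", "SHA1").upper()
    if algorithm not in _HASHES:
        raise ValueError("unsupported algorithm: %r" % algorithm)
    # Issuers usually strip base32 padding and may add spaces; restore both.
    secret_b32 = params["secret"].upper().replace(" ", "")
    secret_b32 += "=" * (-len(secret_b32) % 8)
    spec = {
        "type": otp_type,
        "label": unquote(parts.path.lstrip("/")),
        "issuer": params.get("issuer"),
        "secret": base64.b32decode(secret_b32),
        "algorithm": algorithm,
        "digits": int(params.get("digits", "6")),
    }
    if otp_type == "hotp":
        spec["counter"] = int(params.get("counter", "0"))
    else:
        spec["period"] = int(params.get("period", "30"))
    return spec


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm: str = "SHA1") -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), _HASHES[algorithm]).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)   # keep leading zeros


def totp(secret: bytes, at_time: int, period: int = 30, digits: int = 6,
         algorithm: str = "SHA1") -> str:
    """RFC 6238: HOTP with the counter set to floor(unix_time / period)."""
    return hotp(secret, at_time // period, digits, algorithm)


def token_from_url(url: str, counter: Optional[int] = None,
                   at_time: Optional[int] = None) -> str:
    """Derive a token from an otpauth:// URL; counter is for HOTP, at_time for TOTP."""
    spec = parse_otpauth(url)
    if spec["type"] == "hotp":
        if counter is None:
            counter = spec["counter"]
        return hotp(spec["secret"], counter, spec["digits"], spec["algorithm"])
    if at_time is None:
        at_time = int(time.time())
    return totp(spec["secret"], at_time, spec["period"], spec["digits"], spec["algorithm"])


if __name__ == "__main__":
    print(token_from_url(SAMPLE_HOTP_URL, counter=0))   # HOTP, counter 0 -> 755224
    print(token_from_url(SAMPLE_TOTP_URL))              # TOTP for the current clock
```

The `<counter>` that `sigil otp token` takes for HOTP generators corresponds to the `counter` argument here and must advance by one per token, while TOTP depends only on the clock, so a skewed system clock yields tokens the service rejects.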
You can banish it out of existence using `sigil otp remove <name>`.
Please refer to CHANGELOG.md.
Sigil is distributed under the terms of the Mozilla Public License, v. 2.0.
Sigil - A password manager for the sneakernet
Copyright (C) 2018 Alberto Coscia <inbox [-at-] albertocoscia [-dot-] me>
This Source Code is subject to the terms of the Mozilla Public License, v. 2.0. If a copy of the MPL was not distributed with this file, You can obtain one at http://mozilla.org/MPL/2.0/.
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the Mozilla Public License for more details.