Password manager for the command line for Unix like operating systems


pythonhacker/varuh


Password management done right for the Unix command line and the shell.


About

Varuh is a command line password manager that allows you to keep your passwords and other sensitive data using the power of the shell and Unix. It uses sqlite databases to store the information and encrypts it with symmetric encryption ciphers like AES-256 and XChaCha20-Poly1305.

The name Varuh means guardian or protector in the Slovene language.

Varuh is inspired by ylva but it is a full re-implementation, with some major changes in the key derivation functions and ciphers. It is written in Go and has been tested with Go versions 1.16 and 1.17 on Debian Linux (Antix). It should work on other versions of Linux and *BSD as well.

Install

Binary Release

If you are on a Debian or Debian-derived system, you can directly download and install the latest version. Check out the releases page and use dpkg to install the binary.

$ sudo dpkg -i varuh-${VERSION}_amd64.deb

The binary will be installed in the /usr/bin folder.

Building from Source

You need the Go compiler to build the code. (This can usually be installed on *nix machines by native package managers like apt-get.)

Install make by using your native package manager. Something like,

$ sudo apt install make -y

should work.

Then,

$ make
Building varuh
go: downloading github.com/akamensky/argparse v1.3.1
go: downloading golang.org/x/crypto v0.0.0-20210921155107-089bfa567519
go: downloading github.com/atotto/clipboard v0.1.4
go: downloading github.com/kirsle/configdir v0.0.0-20170128060238-e45d2f54772f
go: downloading github.com/pythonhacker/argparse v1.3.2
go: downloading gorm.io/driver/sqlite v1.2.3
...
$ sudo make install
Installing varuh...done

The binary will be installed in the /usr/local/bin folder.

Usage

$ varuh -h
usage: varuh [-h|--help] [-I|--init "<value>"] [-d|--decrypt "<value>"]
             [-C|--clone "<value>"] [-R|--remove "<value>"] [-U|--use-db "<value>"]
             [-E|--edit "<value>"] [-l|--list-entry "<value>"] [-x|--export "<value>"]
             [-m|--migrate "<value>"] [-f|--find "<value>" [-f|--find "<value>" ...]]
             [-e|--encrypt] [-A|--add] [-p|--path] [-a|--list-all] [-g|--genpass]
             [-s|--show] [-c|--copy] [-y|--assume-yes] [-v|--version]

Password manager for the command line for Unix like operating systems

Options:

  -h  --help                      Print help information
  -I  --init        <path>        Initialize a new database
  -d  --decrypt     <path>        Decrypt password database
  -C  --clone       <id>          Clone an entry with <id>
  -R  --remove      <id>          Remove an entry with <id> or <id-range>
  -U  --use-db      <path>        Set <path> as active database
  -E  --edit        <id>          Edit entry by <id>
  -l  --list-entry  <id>          List entry by <id>
  -x  --export      <filename>    Export all entries to <filename>
  -m  --migrate     <path>        Migrate a database to latest schema
  -f  --find        <t1> <t2> ... Search entries with terms
  -e  --encrypt                   Encrypt the current database
  -A  --add                       Add a new entry
  -p  --path                      Show current database path
  -a  --list-all                  List all entries in current database
  -g  --genpass                   Generate a strong password (length: 12 - 16)
  -s  --show                      Show passwords when listing entries
  -c  --copy                      Copy password to clipboard
  -y  --assume-yes                Assume yes to actions requiring confirmation
  -v  --version                   Show version information and exit

AUTHORS
Copyright (C) 2022 Anand B Pillai <abpillai@gmail.com>

Encryption and Security

Varuh gives the option of two symmetric ciphers - AES (default) and XChaCha20-Poly1305.

AES is a block cipher supported with 256-bit key size for encryption and is the current standard for symmetric encryption ciphers.

XChaCha20-Poly1305 is a stream cipher with a longer nonce (192 bits) which makes the cipher more resistant to timing attacks than AES-GCM. It also supports 256-bit key size.

The key derivation uses Argon2 with 32MB memory and 4 threads with a random cryptographic salt of 128 bit size for both ciphers.

Databases are created and decrypted with owner rw mode (0600). This makes sure the databases are readable and writable only by the owner.

When the auto_encrypt and encrypt_on flags are turned on, the database is always encrypted after an operation, so the passwords remain in the clear in memory as well as on disk for a very short time. This increases the security of the data.

For maximum security, keeping the default settings of auto_encrypt and encrypt_on set to true and visible_passwords set to false is suggested.

Databases

Varuh works with password databases. Each password database is a sqlite3 file. You can create any number of databases but at any given time there is only one active database which is in decrypted mode. When auto_encrypt is turned on (default), the program takes care of automatically encrypting and decrypting databases.

Create a database

$ varuh -I mypasswds
Created new database - mypasswds
Updating active db path - /home/anand/mypasswds
$ ls -lt mypasswds
-rw------- 1 anand anand 8192 Nov  9 23:06 mypasswds

The password database is created and is active now. You can start adding entries to it.

Add an entry

$ varuh -A
Title: My Website Login
URL: mywebsite.name
Username: mememe
Password (enter to generate new):
Generating password ...done
Tags (separated by space): testing test website
Notes: Website uses Nginx auth
Do you want to add custom fields [y/N]:
Created new entry with id: 1

You can now list the entry with one of the list options.

$ varuh -l 1
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
ID: 1
Title: My Website Login
User: mememe
URL: http://mywebsite.name
Password: ****************
Tags: testing test website
Notes: Website uses Nginx auth
Modified: 2021-21-09 23:12:35
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

Add an entry with custom fields

From version 0.3 onwards, custom fields are supported.

$ varuh -A
Title: Github token
URL: https://github.com/mydev/myproject
Username: mydev
Password (enter to generate new): ghp_ipQrStuVwxYz1a2b3cdEF10ghI689kLaMnOp
Tags (separated by space): token github
Notes: Never Expires
Do you want to add custom fields [y/N]: y
Field Name: Domain
Value for Domain: github.com
Field Name: Type
Value for Type: Auth Token
Field Name:
Created new entry with id: 6
$ varuh -l 6
ID: 6
Title: Github token
User: mydev
URL: https://github.com/mydev/myproject
Password: ghp_ipQrStuVwxYz1a2b3cdEF10ghI689kLaMnOp
Tags: token github
Notes: Never Expires
Domain: github.com
Type: Auth Token
Modified: 2021-21-13 00:07:18

For more on listing see the Listing and Searching section below.

Edit an entry

$ varuh -E 1
Current Title: My Website Login
New Title: My Blog Login
Current URL: http://mywebsite.name
New URL: myblog.name
Current Username: mememe
New Username: meblog
Current Password: lTzC2z9kRppnYsYl
New Password ([y/Y] to generate new, enter will keep old one):
Current Tags: testing test website
New Tags:
Current Notes: Website uses Nginx auth
New Notes: Website uses Apache
Do you want to add custom fields [y/N]:
Updated entry.
$ varuh -l 1 -s
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
ID: 1
Title: My Blog Login
User: meblog
URL: http://myblog.name
Password: myblog123
Tags: testing test website
Notes: Website uses Apache
Modified: 2021-21-09 23:15:29
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

Edit an entry with custom fields

When you edit an entry with custom fields, you get the option to change the name of the fields or delete the fields entirely.

$ varuh -E 6
Current Title: Github token
New Title:
Current URL: https://github.com/mydev/myproject
New URL:
Current Username: mydev
New Username:
Current Password: ghp_ipQrStuVwxYz1a2b3cdEF10ghI689kLaMnOp
New Password ([y/Y] to generate new, enter will keep old one):
Current Tags: token github
New Tags:
Current Notes: Never Expires
New Notes:
Editing/deleting custom fields
Field Name: Domain
New Field Name (Enter to keep, "x" to delete): x
Deleting field: Domain
Field Name: Type
    New Field Name (Enter to keep, "x" to delete): Token Type
Field Value: Auth Token
    New Field Value (Enter to keep):
Do you want to add custom fields [y/N]:
Created 1 custom entries for entry: 21.
Updated entry.
$ varuh -l 6 -s
ID: 6
Title: Github token
User: mydev
URL: https://github.com/mydev/myproject
Password: ghp_ipQrStuVwxYz1a2b3cdEF10ghI689kLaMnOp
Tags: token github
Notes: Never Expires
Token Type: Auth Token
Modified: 2021-21-13 00:16:41

(-s turns on visible passwords)

Clone an entry

To clone (copy) an entry,

$ varuh -C 1
Cloned to new entry, id: 3

Remove an entry

$ varuh -R 1
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
Title: My Website Login
User: mememe
URL: https://mywebsite.name
Modified: 2021-21-09 23:12:35
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
Please confirm removal [Y/n]:
Entry with id 1 was removed from the database

It is an error if the id does not exist.

$ varuh -R 4
No entry with id 4 was found

Remove a range of entries

You can remove a range of entry ids from id1-id2 using the following command.

$ varuh -R id1-id2

Example:

$ varuh -R 1-4

This will remove entries from 1 to 4 inclusive, asking for confirmation from the user every time.

Removal without confirmation

If you are very sure, you can avoid the confirmation prompt by passing the -y flag which will remove the entry without confirmation.

$ varuh -R 2 -y
.........
Entry with id 2 was removed from the database

Switch to a new database

Once a database is active, creating another one automatically encrypts the current one and makes the new one the active database. The automatic encryption happens only if the configuration flag auto_encrypt is turned on (see section Configuration below).

$ varuh -I mysecrets
Encrytping current database - /home/anand/mypasswds
Password:
Password again:
Encryption complete.
Created new database - mysecrets
Updating active db path - /home/anand/mysecrets

The previous database is now encrypted with the configured block cipher using the password. Please make sure you remember the password.

Switch back to previous database

If you want to switch back to a previous database, you can use the -U option. The same process is repeated with the current database getting encrypted and the older one getting decrypted.

$ varuh -U mypasswds
Encrypting current active database - /home/anand/mysecrets
Password:
Password again:
Encryption complete.
Database /home/anand/mypasswds is encrypted, decrypting it
Password:
Decryption complete.
Switched active database successfully.

Database Migration

(New in version 0.4)

When new features are added, new fields sometimes need to be added to the database schema. To make sure your old databases work with the new features in such cases, the -m/--migrate option can be used to migrate your existing databases.

$ ./varuh -m /home/anand/mypasswds
Password:
Decryption complete.
Migrating tables ...
Encryption complete.
Migration successful.

For migration you need to provide the database path - even for the active database. Once migrated, you can continue to use your database as before.

NOTE: It is suggested to make a backup copy of your current active database before migration.

Manual encryption and decryption

You can manually encrypt the current database using the -e option.

$ varuh -e
Password:
Password again:
Encryption complete.

Note that once you encrypt the active database, you cannot use the listings any more unless it is decrypted.

$ varuh -l 2
No decrypted active database found.

Manually decrypt the database using the -d option.

$ varuh -d mypasswds
Password:
Decryption complete.

Now the database is active again and you can see the listings.

$ varuh -l 3
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
ID: 2
Title: My Blog Login
User: myblog.name
URL: http://meblog
Password: *********
Tags: test testing website
Notes: Website uses Apache
Modified: 2021-21-09 23:21:32
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

Always on encryption

If the config param encrypt_on is set to true along with auto_encrypt (default), the program will keep encrypting the database after each action, whether it is an edit or a listing action. In this mode, the decryption password is saved in memory and re-used for encryption to avoid too many password queries.

Example

$ varuh -f my -s
Password:
Decryption complete.
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
ID: 2
Title: MY LOCAL BANK
User: banklogin
URL: https://my.localbank.com
Password: bankpass123
Tags: bank banking finance
Notes:
Modified: 2021-21-18 12:44:10
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
Encryption complete.

In this mode, your data is provided maximum safety as the database remains decrypted only for a short while on the disk while the data is being read and once done is encrypted back again.

Listing and Searching

List an entry using id

To list an entry using its id,

$ varuh -l 8
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
ID: 8
Title: Google account
User: anandpillai@alumni.iitm.ac.in
URL:
Password: ***********
Notes:
Modified: 2021-21-25 15:02:50
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

To search an entry

An entry can be searched on its title, username, URL or notes. Search is case-insensitive.

$ varuh -f google
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
ID: 8
Title: Google account
User: anandpillai@alumni.iitm.ac.in
URL:
Password: **********
Notes:
Modified: 2021-21-25 15:02:50
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
ID: 9
Title: Google account
User: xyz@gmail.com
URL:
Password: ********
Notes:
Modified: 2021-21-25 15:05:36
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
ID: 10
Title: Google account
User: somethingaboutme@gmail.com
URL:
Password: ***********
Notes:
Modified: 2021-21-25 15:09:51
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

To search using multiple terms

The -f option supports multiple terms, so you can specify this more than one time to narrow a search down to a specific entry.

$ varuh -f google -f anand
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
ID: 8
Title: Google account
User: anandpillai@alumni.iitm.ac.in
URL:
Password: **********
Notes:
Modified: 2021-21-25 15:02:50
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
$ varuh -f google -f priya
Entry for "google priya" not found

To list all entries

To list all entries, use the option -a.

$ varuh -a
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
ID: 1
Title: My Bank #1
User: myusername1
URL: https://mysuperbank1.com
Password: ***********
Notes:
Modified: 2021-21-15 15:40:29
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
ID: 2
Title: My Digital Locker #1
User: mylockerusername
URL: https://mysuperlocker1.com
Password: **********
Notes:
Modified: 2021-21-18 12:44:10
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
ID: 3
Title: My Bank Login #2
User: mybankname2
URL: https://myaveragebank.com
Password: **********
Notes:
Modified: 2021-21-19 14:16:33
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
...

By default the listing is in ascending ID order. This can be changed in the configuration (see below).

Turn on visible passwords

To turn on visible passwords, modify the configuration setting (see below) or use the -s flag.

Copy password to clipboard

To copy a password to clipboard, use the -c or --copy flag. This works only if the listing returns a single result. For example this will work when listing an entry by id or when a search results in a single hit. It will not work when listing all entries or when a search results in multiple hits.

This is useful to copy the password to a password input field in the browser for example.

See current active database path

$ varuh -p
/home/anand/mypasswds

Export

Varuh allows exporting password databases to the following formats.

  1. csv
  2. markdown
  3. html
  4. pdf

To export use the -x option. The type of file is automatically figured out from the filename extension.

$ varuh -x passwds.csv
!WARNING: Passwords are stored in plain-text!
Exported 14 records to passwds.csv .
Exported to passwds.csv.
$ varuh -x passwds.html
Exported to passwds.html.

PDF export is supported if pandoc is installed along with the required pdflatex packages. The following command (on Debian and derived systems) should install the required dependencies.

$ sudo apt-get install pandoc texlive-latex-base texlive-fonts-recommended texlive-fonts-extra texlive-latex-extra texlive-xetex lmodern -y

Then,

$ varuh -x passwds.pdf
pdftk not found, PDF won't be secure!
File passwds.pdf created without password.
Exported to passwds.pdf.

PDF files are exported in landscape mode with 150 dpi and 600 columns. To avoid the data not fitting into one page the fields Notes and URL are not exported.

If pdftk is installed, the PDF files will be encrypted with an (optional) password.

$ sudo apt-get install pdftk -y
$ varuh -x passwds.pdf
PDF Encryption Password: ******
File passwds.pdf created without password.
Added password to passwds.pdf.
Exported to passwds.pdf.

Misc

The following miscellaneous actions are supported.

Generate a strong password of length ranging from 12 - 16.

A strong password is defined as a cryptographically secure string containing at least one upper-case letter, one punctuation character and one number.

$ varuh -g
7%zv/uzIgpqexJ

By passing the `-c` option, the password is also copied to the clipboard.

$ varuh -g -c
y6UpD$~uBI#8
Password copied to clipboard

Configuration

Varuh uses the standard Free Desktop XDG Base Directory Spec for storing its configuration in a JSON file. This usually translates to a folder named .config/varuh in your home directory on *nix systems.

The config file is named config.json. It looks as follows.

{
    "active_db": "/home/anand/mypasswds",
    "cipher": "aes",
    "auto_encrypt": true,
    "visible_passwords": false,
    "encrypt_on": true,
    "path": "/home/anand/.config/varuh/config.json",
    "list_order": "id,asc",
    "delimiter": ">",
    "color": "default",
    "bgcolor": "bgblack"
}

You can modify the following variables.

  1. auto_encrypt - Set this to true to enable automatic encryption/decryption when switching databases. Otherwise you have to do this manually. The default is true.

  2. cipher - The block cipher to use. This is aes by default. To switch to xchacha20-poly1305 set this to xchacha, chacha or xchachapoly.

  3. visible_passwords - Set this to true to always show passwords in clear text in listings. Otherwise passwords are masked using asterisks. This can be overridden with the -s flag.

  4. encrypt_on - Set this to true for the program to always encrypt the database after every action. This makes sure that the database is never sitting in the unencrypted form on the disk and increases the security.

  5. list_order - Ordering when using the -a option to view all listings. Supported fields are,

    • id - Uses the ID field.
    • timestamp - Uses the Modified timestamp field. Use this to show latest entries first.
    • title - Uses the Title field.
    • username - Uses the User field.

    Always specify this configuration as <field>,<order>. Supported <order> values are asc and desc.

  6. delimiter - This modifies the delimiter string when printing a listing. Only one character is allowed.

  7. color - The foreground color of the text when printing listings.

  8. bgcolor - The background color of the text when printing listings.

Visit this gist to see the supported color options. All color values must be in lower-case.

The fields active_db and path are for internal use. It is suggested not to modify them.
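The settings above and the 0600 file mode described under Encryption and Security can be checked mechanically. The following is an added example, not part of Varuh's own code: AuditConfig and the Config struct are hypothetical names, and the config location is assumed to be varuh/config.json under the directory returned by os.UserConfigDir. It reads config.json, reports deviations from the recommended values, and inspects the active database for group/other permissions and for the plaintext SQLite 3 file header.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"os"
	"path/filepath"
)

// Config mirrors the config.json keys the audit inspects (names from the README).
type Config struct {
	ActiveDB         string `json:"active_db"`
	AutoEncrypt      bool   `json:"auto_encrypt"`
	VisiblePasswords bool   `json:"visible_passwords"`
	EncryptOn        bool   `json:"encrypt_on"`
}

// sqliteMagic is the 16-byte header that starts every unencrypted SQLite 3 file.
const sqliteMagic = "SQLite format 3\x00"

// AuditConfig (hypothetical helper) returns one finding per deviation; empty means clean.
func AuditConfig(configPath string) ([]string, error) {
	raw, err := os.ReadFile(configPath)
	if err != nil {
		return nil, err
	}
	var cfg Config
	if err := json.Unmarshal(raw, &cfg); err != nil {
		return nil, fmt.Errorf("parse %s: %w", configPath, err)
	}
	var out []string
	if !cfg.AutoEncrypt {
		out = append(out, "auto_encrypt=false: databases are not encrypted when switching")
	}
	if !cfg.EncryptOn {
		out = append(out, "encrypt_on=false: database is not re-encrypted after each action")
	}
	if cfg.VisiblePasswords {
		out = append(out, "visible_passwords=true: listings show passwords in clear text")
	}
	f, err := os.Open(cfg.ActiveDB)
	if err != nil {
		return append(out, "active_db cannot be opened: "+err.Error()), nil
	}
	defer f.Close()
	if info, err := f.Stat(); err == nil && info.Mode().Perm()&0077 != 0 {
		out = append(out, fmt.Sprintf("active_db mode is %04o, want 0600", info.Mode().Perm()))
	}
	header := make([]byte, len(sqliteMagic))
	if _, err := io.ReadFull(f, header); err == nil && string(header) == sqliteMagic {
		out = append(out, "active_db is a decrypted SQLite file on disk")
	}
	return out, nil
}

func main() {
	base, _ := os.UserConfigDir() // assumption: $XDG_CONFIG_HOME or ~/.config
	findings, err := AuditConfig(filepath.Join(base, "varuh", "config.json"))
	if err != nil {
		fmt.Fprintln(os.Stderr, "audit:", err)
		os.Exit(1)
	}
	for _, f := range findings {
		fmt.Println("FINDING:", f)
	}
}
```

With encrypt_on left at false, the last finding is expected between commands, since the active database is kept decrypted by design in that mode.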

License

Varuh is licensed under the GNU GPL V3 license. See the LICENSE file for details.

Feedback

Please send your valuable feedback and suggestions to my email available in the program's usage listing.
