Awesome
Purse is a fork of drduh/pwd.sh.
Both programs are Bash shell scripts which use GnuPG to manage passwords and other secrets in encrypted text files. Purse is based on asymmetric (public-key) authentication, while pwd.sh is based on symmetric (password-based) authentication.
While both scripts use a trusted crypto implementation (GnuPG) and safely handle passwords (never saving plaintext to disk, only using shell built-ins), Purse eliminates the need to remember a main passphrase - just plug in a YubiKey, enter the PIN, then touch it to decrypt a password to clipboard.
Install
This script requires a GnuPG identity - see drduh/YubiKey-Guide to set one up.
For the latest version, clone the repository or download the script directly:
git clone https://github.com/drduh/Purse
wget https://github.com/drduh/Purse/blob/master/purse.sh
Versioned Releases are also available.
Use
Run the script interactively using ./purse.sh
or symlink to a directory in PATH
:
w
to write a passwordr
to read a passwordl
to list passwordsb
to create an archive for backuph
to print the help text
Options can also be passed on the command line.
Create a 20-character password for userName
:
./purse.sh w userName 20
Read password for userName
:
./purse.sh r userName
Passwords are stored with an epoch timestamp for revision control. The most recent version is copied to clipboard on read. To list all passwords or read a specific version of a password:
./purse.sh l
./purse.sh r userName@1574723600
Create an archive for backup:
./purse.sh b
Restore an archive from backup:
tar xvf purse*tar
Configure
Several customizable options and features are also available, and can be configured with environment variables, for example in the shell rc file:
Variable | Description | Default | Available options |
---|---|---|---|
PURSE_CLIP | clipboard to use | xclip | pbcopy on macOS |
PURSE_CLIP_ARGS | arguments to pass to clipboard command | unset (disabled) | -i -selection clipboard to use primary (control-v) clipboard with xclip |
PURSE_TIME | seconds to clear password from clipboard/screen | 10 | any valid integer |
PURSE_LEN | default generated password length | 14 | any valid integer |
PURSE_COPY | copy password to clipboard before write | unset (disabled) | 1 or true to enable |
PURSE_DAILY | create daily backup archive on write | unset (disabled) | 1 or true to enable |
PURSE_ENCIX | encrypt index for additional privacy; 2 YubiKey touches will be required for separate decryption operations | unset (disabled) | 1 or true to enable |
PURSE_COMMENT | unencrypted comment to include in index and safe files | unset | any valid string |
PURSE_CHARS | character set for passwords | [:alnum:]!?@#$%^&*();:+= | any valid characters |
PURSE_DEST | password output destination, will set to screen without clipboard | clipboard | clipboard or screen |
PURSE_ECHO | character used to echo password input | * | any valid character |
PURSE_SAFE | safe directory name | safe | any valid string |
PURSE_INDEX | index file name | purse.index | any valid string |
PURSE_BACKUP | backup archive file name | purse.$hostname.$today.tar | any valid string |
Note For additional privacy, the recipient key ID is not included in metadata (GnuPG throw-keyids
option).
See config/gpg.conf for additional GnuPG options.