Purse is a fork of drduh/pwd.sh.

Both programs are Bash shell scripts which use GnuPG to manage passwords and other secrets in encrypted text files. Purse is based on asymmetric (public-key) authentication, while pwd.sh is based on symmetric (password-based) authentication.

While both scripts use a trusted crypto implementation (GnuPG) and safely handle passwords (never saving plaintext to disk, only using shell built-ins), Purse eliminates the need to remember a main passphrase - just plug in a YubiKey, enter the PIN, then touch it to decrypt a password to clipboard.

Install

This script requires a GnuPG identity - see drduh/YubiKey-Guide to set one up.

For the latest version, clone the repository or download the script directly:

git clone https://github.com/drduh/Purse

wget https://raw.githubusercontent.com/drduh/Purse/master/purse.sh

Versioned Releases are also available.

Use

Run the script interactively using ./purse.sh or symlink to a directory in PATH:

Options can also be passed on the command line.

Create a 20-character password for userName:

./purse.sh w userName 20

Read password for userName:

./purse.sh r userName

Passwords are stored with an epoch timestamp for revision control. The most recent version is copied to clipboard on read. To list all passwords or read a specific version of a password:

./purse.sh l

./purse.sh r userName@1574723600

Create an archive for backup:

./purse.sh b

Restore an archive from backup:

tar xvf purse*tar

Configure

Several customizable options and features are also available, and can be configured with environment variables, for example in the shell rc file:

| Variable | Description | Default | Available options |
|---|---|---|---|
| PURSE_CLIP | clipboard to use | xclip | pbcopy on macOS |
| PURSE_CLIP_ARGS | arguments to pass to clipboard command | unset (disabled) | -i -selection clipboard to use primary (control-v) clipboard with xclip |
| PURSE_TIME | seconds to clear password from clipboard/screen | 10 | any valid integer |
| PURSE_LEN | default generated password length | 14 | any valid integer |
| PURSE_COPY | copy password to clipboard before write | unset (disabled) | 1 or true to enable |
| PURSE_DAILY | create daily backup archive on write | unset (disabled) | 1 or true to enable |
| PURSE_ENCIX | encrypt index for additional privacy; 2 YubiKey touches will be required for separate decryption operations | unset (disabled) | 1 or true to enable |
| PURSE_COMMENT | unencrypted comment to include in index and safe files | unset | any valid string |
| PURSE_CHARS | character set for passwords | [:alnum:]!?@#$%^&*();:+= | any valid characters |
| PURSE_DEST | password output destination, will set to screen without clipboard | clipboard | clipboard or screen |
| PURSE_ECHO | character used to echo password input | * | any valid character |
| PURSE_SAFE | safe directory name | safe | any valid string |
| PURSE_INDEX | index file name | purse.index | any valid string |
| PURSE_BACKUP | backup archive file name | purse.$hostname.$today.tar | any valid string |

Note: For additional privacy, the recipient key ID is not included in metadata (GnuPG throw-keyids option).

See config/gpg.conf for additional GnuPG options.
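
To judge what the PURSE_CHARS and PURSE_LEN settings in the table buy in practice, the following added example (not Purse's own code; the function names `charset_size`, `entropy_bits` and `gen_pass` are hypothetical) counts the symbols a character set admits, converts a length into bits of entropy, and draws a password from /dev/urandom by discarding bytes outside the set, which keeps every symbol equally likely.

```shell
#!/bin/sh
# Added example, not Purse's own code: estimate the strength of passwords
# drawn from PURSE_CHARS at PURSE_LEN, and draw one without modulo bias.

# Defaults copied from the configuration table on this page.
DEFAULT_CHARS='[:alnum:]!?@#$%^&*();:+='
PURSE_CHARS="${PURSE_CHARS:-$DEFAULT_CHARS}"
PURSE_LEN="${PURSE_LEN:-14}"

# Count the distinct printable ASCII characters (33..126) that a tr(1) set admits.
charset_size() {
  awk 'BEGIN { for (i = 33; i <= 126; i++) printf "%c", i }' |
    LC_ALL=C tr -dc "$1" | wc -c | tr -d ' '
}

# Whole bits of entropy for $2 characters chosen uniformly from $1 symbols.
entropy_bits() {
  awk -v n="$1" -v len="$2" 'BEGIN { printf "%d\n", int(len * log(n) / log(2)) }'
}

# Emit a password of length $1 (default PURSE_LEN) on stdout.
# Random bytes outside PURSE_CHARS are dropped (rejection sampling), so no
# symbol is favoured the way a "byte modulo set size" mapping would favour some.
gen_pass() {
  _len="${1:-$PURSE_LEN}"
  case "$_len" in ''|*[!0-9]*) _len=0 ;; esac   # reject non-numeric input
  [ "$_len" -gt 0 ] || { echo "length must be a positive integer" >&2; return 1; }
  LC_ALL=C tr -dc "$PURSE_CHARS" < /dev/urandom | head -c "$_len"
}

# Summary for the current settings; the password itself is never printed here.
n=$(charset_size "$PURSE_CHARS")
printf '%s symbols, length %s: about %s bits\n' \
  "$n" "$PURSE_LEN" "$(entropy_bits "$n" "$PURSE_LEN")"
```

Narrowing PURSE_CHARS to satisfy a site's password rules reduces the symbol count, so raise PURSE_LEN to compensate and re-run the estimate.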