passveil(1)
Introducing passveil
passveil is a command-line password manager
heavily inspired by pass. We have
developed it to address our needs when it comes to password managers
and decided to share it with the world as an open source project.
Encrypt
passveil uses gpg to encrypt
sensitive information in an on-disk key-value store.
Additionally it hashes store keys using SHA256 to prevent
accidental disclosure of confidential keys such as
undisclosed project names.
Distribute
passveil distributes the store with darcs, a powerful version
control system with sophisticated merging capabilities.
Trust
passveil offers a trust
mechanism, which prevents transfer of sensitive data over
insecure channels.
Usage
Getting Help
passveil comes with an integrated help system
based on optparse-applicative
as well as completion for the friendly interactive shell (fish) for
improved discoverability.
Each subcommand also offers a help option documenting its own options.
$ passveil --help
Usage: passveil [--store DIRECTORY] COMMAND
passveil - distributed password manager
Available options:
--store DIRECTORY Specify an alternate store
--version Show version and exit
-h,--help Show this help text
Key management:
insert Insert a new password into the store
delete Delete a password from the store
edit Edit an existing password in the store
move Move a password to another path
Query operations:
show Show password of a path
list List all passwords below a path
search List passwords matching a regular expression
info Show key information
Trust management:
allow Allow password to be shared with others
deny Deny password to be shared with others
distrust List potentially compromised passwords
Storage management:
init Initialize a new store
sync Synchronize store
undo Undo local changes
Passveil in 5 Minutes
$ passveil init raichoo@antei.de
$
To initialize a new passveil store we simply issue
passveil init and identify the gpg key we
want to use for encryption.
$ passveil insert --generate 16 --batch this/is/a/test
$ passveil show this/is/a/test
2]D[<MsTLoZy>Hvj
$
We want to create a new entry this/is/a/test in
our passveil store. The generate
flag specifies that we want to create a 16-character password,
while batch prevents passveil
from starting a text editor that would allow us to manually
change the generated password before inserting it into the
store. Use show to retrieve the stored password.
$ passveil list
this/is/a/test
$ passveil list --tree
/
`-- this
    `-- is
        `-- a
            `-- test
$
The list subcommand displays all available keys
in the store. By specifying the tree flag
passveil will unfold all paths and display them
in tree format coloring nodes that contain encrypted information.
$ passveil info this/is/a/test
created:  Tue Mar 2 09:57:03 2021 271AC087DB698C642BA839E51636E5B1C54C281F raichoo <raichoo@antei.de>
issued:   Tue Mar 2 09:57:03 2021 271AC087DB698C642BA839E51636E5B1C54C281F raichoo <raichoo@antei.de>
trusted:  Tue Mar 2 09:57:03 2021 271AC087DB698C642BA839E51636E5B1C54C281F raichoo <raichoo@antei.de>
insiders: Tue Mar 2 09:57:03 2021 271AC087DB698C642BA839E51636E5B1C54C281F raichoo <raichoo@antei.de>
log:      Tue Mar 2 09:57:03 2021 271AC087DB698C642BA839E51636E5B1C54C281F raichoo <raichoo@antei.de>
          + 271AC087DB698C642BA839E51636E5B1C54C281F raichoo <raichoo@antei.de>
$
passveil keeps track of a lot of additional
metadata for each entry in the store, which can be accessed using the info subcommand.
- created: Date of creation and key that was used
- issued: Last change of metadata
- trusted: Who has access to the secret
- insiders: Who had access since the last change
- log: Keeps track of trust changes
Most of this information is used by other operations. For example,
distrust uses insiders
to find secrets a key once had access to and which have not been
changed since. This can be used to identify potentially
compromised secrets in case a key gets stolen or otherwise becomes untrustworthy.
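As an added illustration (not passveil's own code), the following Python model shows how the insiders metadata lets distrust find secrets a key once had access to and that have not been changed since. The entries, the key names ALICE and BOB standing in for gpg fingerprints, and the exact allow/deny/edit semantics are assumptions drawn from the descriptions above.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from hashlib import sha256


@dataclass
class Entry:
    """Metadata for one store entry; the encrypted secret itself is not modelled."""
    path: str
    trusted: set[str]                                 # keys that may decrypt the secret now
    insiders: set[str] = field(default_factory=set)   # keys that had access since last change
    log: list[str] = field(default_factory=list)      # trust changes, kept for auditing

    def __post_init__(self) -> None:
        self.insiders |= self.trusted                 # whoever it was created for knows it

    def allow(self, key: str) -> None:
        self.trusted.add(key)
        self.insiders.add(key)
        self.log.append(f"+ {key}")

    def deny(self, key: str) -> None:
        # Removing trust does not remove knowledge: the key stays an insider
        # until the secret itself is changed.
        self.trusted.discard(key)
        self.log.append(f"- {key}")

    def edit(self) -> None:
        # A changed secret resets the insiders to the currently trusted keys.
        self.insiders = set(self.trusted)
        self.log.append("edit")


def store_key(path: str) -> str:
    """On-disk name for an entry: SHA256 of the path, so the path itself is not exposed."""
    return sha256(path.encode()).hexdigest()


def distrust(store: list[Entry], key: str) -> list[str]:
    """Paths whose current secret a now-untrusted key may still know."""
    return sorted(e.path for e in store if key in e.insiders)


def build_store() -> list[Entry]:
    """Constructed scenario: ALICE and BOB are placeholder key identifiers."""
    test = Entry("this/is/a/test", trusted={"ALICE"})
    test.allow("BOB")
    test.deny("BOB")            # BOB removed, but the secret was never rotated
    other = Entry("other/secret", trusted={"ALICE"})
    other.allow("BOB")
    other.deny("BOB")
    other.edit()                # rotated after BOB was removed: BOB no longer an insider
    return [test, other]
```

Running distrust(build_store(), "BOB") reports only this/is/a/test, the one secret that should be rotated if BOB's key is lost.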