passveil(1)
Introducing passveil
passveil is a command line-based password manager heavily inspired by pass. We have developed it to address our needs when it comes to password managers and decided to share it with the world as an open source project.
Encrypt
passveil uses gpg to encrypt sensitive information in an on-disk key-value store. Additionally it hashes store keys using SHA256 to prevent accidental disclosure of confidential keys such as undisclosed project names.
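To make the point about hashed store keys concrete, here is an added example (not passveil's code) that models the on-disk naming under one assumption: that the file name of an entry is the hex SHA-256 of its store path. passveil's real scheme may differ (it could hash per path component, or include a salt); the page does not say. What the example shows is the property itself: a listing of the store directory reveals only hashes, but because the hash is deterministic, anyone who can read the directory can still confirm a name they have guessed by recomputing it. Whether a store key counts as "confidential" therefore depends on it not being guessable.

```python
"""Model of hashed store keys (added example, not passveil's code).

Assumption: on-disk name = hex SHA-256 of the store path, unsalted.
"""
import hashlib


def on_disk_name(store_key: str) -> str:
    """Map a store key such as 'this/is/a/test' to its hashed file name."""
    return hashlib.sha256(store_key.encode("utf-8")).hexdigest()


def disk_listing(store_keys) -> list:
    """What a directory listing of the store reveals: sorted hashes only.

    Sorting also discards insertion order, so the listing says nothing
    about which entry was created first.
    """
    return sorted(on_disk_name(k) for k in store_keys)


def guess_key(listing, candidate: str) -> bool:
    """Confirm a guessed store key against a listing.

    This is the flip side of hashing: the name cannot be recovered from
    the hash, but a guessed name can be checked by recomputing it.
    """
    return on_disk_name(candidate) in set(listing)


if __name__ == "__main__":
    # Constructed sample keys; 'acme-rebrand/db' stands in for an
    # undisclosed project name that should not appear on disk.
    keys = ["this/is/a/test", "acme-rebrand/db"]
    listing = disk_listing(keys)
    for h in listing:
        print(h)
    print("plaintext name visible:", "acme-rebrand/db" in listing)
    print("guess 'acme-rebrand/db':", guess_key(listing, "acme-rebrand/db"))
    print("guess 'github.com/login':", guess_key(listing, "github.com/login"))
```

Treat the hash as hiding the key from a casual observer of the filesystem (or of the darcs history), not as a secret in its own right.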
Distribute
passveil uses darcs, a powerful version control system with sophisticated merging capabilities, to distribute stores.
Trust
passveil offers a trust mechanism, which records who a secret may be shared with and prevents transfer of sensitive data over insecure channels.
Usage
Getting Help
passveil comes with an integrated help system based on optparse-applicative as well as completion for the friendly interactive shell (fish) for improved discoverability. Each subcommand also offers a help option documenting the options of that subcommand.
Runtime requirements
$ passveil --help
Usage: passveil [--store DIRECTORY] COMMAND
  passveil - distributed password manager

Available options:
  --store DIRECTORY        Specify an alternate store
  --version                Show version and exit
  -h,--help                Show this help text

Key management:
  insert                   Insert a new password into the store
  delete                   Delete a password from the store
  edit                     Edit an existing password in the store
  move                     Move a password to another path

Query operations:
  show                     Show password of a path
  list                     List all passwords below a path
  search                   List passwords matching a regular expression
  info                     Show key information

Trust management:
  allow                    Allow password to be shared with others
  deny                     Deny password to be shared with others
  distrust                 List potentially compromised passwords

Storage management:
  init                     Initialize a new store
  sync                     Synchronize store
  undo                     Undo local changes
Passveil in 5 Minutes
$ passveil init raichoo@antei.de
$
To initialize a new passveil store we simply issue passveil init and identify the gpg key we want to use for encryption.
$ passveil insert --generate 16 --batch this/is/a/test
$ passveil show this/is/a/test
2]D[<MsTLoZy>Hvj
$
We want to create a new entry this/is/a/test in our passveil store. The --generate flag specifies that we want to create a 16 character password, while --batch prevents passveil from starting a text editor that would allow us to manually change the generated password before inserting it into the store. Use show to retrieve the stored password.
$ passveil list
this/is/a/test
$ passveil list --tree
/
`-- this
    `-- is
        `-- a
            `-- test
$
The list subcommand displays all available keys in the store. By specifying the --tree flag passveil unfolds all paths and displays them in tree format, coloring the nodes that contain encrypted information.
$ passveil info this/is/a/test
created:  Tue Mar  2 09:57:03 2021
          271AC087DB698C642BA839E51636E5B1C54C281F raichoo <raichoo@antei.de>
issued:   Tue Mar  2 09:57:03 2021
          271AC087DB698C642BA839E51636E5B1C54C281F raichoo <raichoo@antei.de>
trusted:  Tue Mar  2 09:57:03 2021
          271AC087DB698C642BA839E51636E5B1C54C281F raichoo <raichoo@antei.de>
insiders: Tue Mar  2 09:57:03 2021
          271AC087DB698C642BA839E51636E5B1C54C281F raichoo <raichoo@antei.de>
log:      Tue Mar  2 09:57:03 2021
          271AC087DB698C642BA839E51636E5B1C54C281F raichoo <raichoo@antei.de>
          + 271AC087DB698C642BA839E51636E5B1C54C281F raichoo <raichoo@antei.de>
$
passveil keeps track of a lot of additional metadata for each entry in the store, which can be accessed using the info subcommand.
- created: Date of creation and the key that was used
- issued: Last change of the metadata
- trusted: Who currently has access to the secret
- insiders: Who has had access since the secret was last changed
- log: Keeps track of trust changes
Most of this information is used by other operations. distrust, for example, utilizes insiders to find secrets a key once had access to and which have not been changed since. This can be used to identify potentially compromised secrets in case a key gets stolen or is otherwise untrustworthy: denying a key only stops future sharing, so every secret that key is still an insider of has to be changed before it can be considered safe again.
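The following is an added example, not passveil's own code, that models the trust metadata described in the Trust section and in the info output above (trusted, insiders, log) and implements the distrust query on top of it. The field names follow passveil's info output; how passveil actually stores and updates them on disk is an assumption here, chosen to match the documented semantics: allow adds a key to both trusted and insiders, deny removes it from trusted only, changing the secret resets insiders to the currently trusted keys, and distrust lists every path whose insiders still contain the key in question. The scenario at the bottom uses constructed key names (alice, bob).

```python
"""Toy model of passveil's per-entry trust metadata (added example).

Assumption: these update rules reproduce the semantics described on the
page; they are not taken from passveil's implementation.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass
class Entry:
    created_by: str
    created: datetime
    issued: datetime               # last change of metadata
    trusted: set                   # keys that may currently decrypt the secret
    insiders: set                  # keys that had access since the last change
    log: list = field(default_factory=list)   # (when, actor, event)


class Store:
    def __init__(self):
        self.entries = {}

    def _now(self):
        return datetime.now(timezone.utc)

    def insert(self, path, owner):
        now = self._now()
        self.entries[path] = Entry(owner, now, now, {owner}, {owner},
                                   [(now, owner, f"+{owner}")])

    def allow(self, path, actor, key):
        """Share the secret with key: it can decrypt the current value."""
        e, now = self.entries[path], self._now()
        e.trusted.add(key)
        e.insiders.add(key)        # key has seen this version of the secret
        e.issued = now
        e.log.append((now, actor, f"+{key}"))

    def deny(self, path, actor, key):
        """Stop sharing with key. It stays an insider: it may have kept a copy."""
        e, now = self.entries[path], self._now()
        e.trusted.discard(key)
        e.issued = now
        e.log.append((now, actor, f"-{key}"))

    def edit(self, path, actor):
        """Change the secret: only the currently trusted keys know the new value."""
        e, now = self.entries[path], self._now()
        e.insiders = set(e.trusted)
        e.issued = now
        e.log.append((now, actor, "changed"))

    def distrust(self, key):
        """Paths whose current value a (possibly compromised) key has seen."""
        return sorted(p for p, e in self.entries.items() if key in e.insiders)


def scenario() -> Store:
    """Constructed walk-through: bob's key is later considered compromised."""
    s = Store()
    for path in ("web/prod", "web/staging", "db/root"):
        s.insert(path, "alice")
    s.allow("web/prod", "alice", "bob")
    s.allow("db/root", "alice", "bob")
    s.deny("web/prod", "alice", "bob")   # revoked, but value never changed
    s.deny("db/root", "alice", "bob")
    s.edit("db/root", "alice")           # rotated after revocation
    return s


if __name__ == "__main__":
    s = scenario()
    print("still to rotate for bob:", s.distrust("bob"))
    for path, e in s.entries.items():
        print(path, "trusted:", sorted(e.trusted), "insiders:", sorted(e.insiders))
```

Running the scenario, distrust("bob") reports only web/prod: bob was denied there but the password was never changed, so the metadata still counts bob as an insider. db/root was edited after the deny and its insiders collapsed back to alice, which is exactly the signal distrust uses to decide that an entry no longer needs attention.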