passveilis a command line-based password manager heavily inspired by
pass. We have developed it to address our needs when it comes to password managers and decided to share it with the world as an open source project.
gpgto encrypt sensitive information in an on-disk key-value store. Additionally it hashes store keys using SHA256 to prevent accidental disclosure of confidential keys such as undisclosed project names.
darcsa powerful version control system with sophisticated merging capabilities.
passveiloffers a trust mechanism, which prevents transfer of sensitive data over insecure channels.
passveil comes with an integrated help system
based on optparse-applicative
as well as completion for the friendly interactive shell (
Each subcommand also offers a
help option documenting options for each of the subcommands.
$ passveil --help Usage: passveil [--store DIRECTORY] COMMAND passveil - distributed password manager Available options: --store DIRECTORY Specify an alternate store --version Show version and exit -h,--help Show this help text Key management: insert Insert a new password into the store delete Delete a password from the store edit Edit an existing password in the store move Move a password to another path Query operations: show Show password of a path list List all passwords below a path search List passwords matching a regular expression info Show key information Trust management: allow Allow password to be shared with others deny Deny password to be shared with others distrust List potentially compromised passwords Storage management: init Initialize a new store sync Synchronize store undo Undo local changes
Passveil in 5 Minutes
$ passveil init email@example.com $
To initialize a new
passveil we simply issue
passveil init and identify the
want to use for encryption.
$ passveil insert --generate 16 --batch this/is/a/test $ passveil show this/is/a/test 2]D[<MsTLoZy>Hvj $
We want to create a new entry
passveil store. The
flag specifies that we want to create a 16 character password
batch will prevent
from starting up a text editor that would allow us to manually
change the generated password before inserting it into the
show to retrieve the stored password.
$ passveil list this/is/a/test $ passveil list --tree / `-- this `-- is `-- a `-- test $
list subcommand displays all available keys
in the store. By specifying the
passveil will unfold all paths and display them
in tree format coloring nodes that contain encrypted information.
$ passveil info this/is/a/test created: Tue Mar 2 09:57:03 2021 271AC087DB698C642BA839E51636E5B1C54C281F raichoo <firstname.lastname@example.org> issued: Tue Mar 2 09:57:03 2021 271AC087DB698C642BA839E51636E5B1C54C281F raichoo <email@example.com> trusted: Tue Mar 2 09:57:03 2021 271AC087DB698C642BA839E51636E5B1C54C281F raichoo <firstname.lastname@example.org> insiders: Tue Mar 2 09:57:03 2021 271AC087DB698C642BA839E51636E5B1C54C281F raichoo <email@example.com> log: Tue Mar 2 09:57:03 2021 271AC087DB698C642BA839E51636E5B1C54C281F raichoo <firstname.lastname@example.org> + 271AC087DB698C642BA839E51636E5B1C54C281F raichoo <email@example.com> $
passveil keeps track of a lot of additional
metadata for each entry in the store which can be accesessed using the
- created: Date of creation and key that was used
- issued: Last change of metadata
- trusted: Who has access to the secret
- insiders: Who had access since the last change
- log: Keeps track of trust changes
Most of this information is used by other operations like
distrust which utilizes insiders
to find secrets a key had once access to and which has not been
changed since. This can be used to identify potentially
compromised secrets in case a key gets stolen otherwise untrustworthy.