Purse

GPG asymmetric (YubiKey) password manager
Alternatives To Purse
Project NameStarsDownloadsRepos Using ThisPackages Using ThisMost Recent CommitTotal ReleasesLatest ReleaseOpen IssuesLicenseLanguage
Keepassxc15,302
4 days ago651otherC++
KeePassXC is a cross-platform community-driven port of the Windows application “Keepass Password Safe”.
Glauth1,890319 days ago20February 28, 202258mitGo
A lightweight LDAP server for development, home use, or CI
Yubico Pam606
a year ago1February 27, 201852bsd-2-clauseC
Yubico Pluggable Authentication Module (PAM)
3snake524
a year agootherC
Tool for extracting information from newly spawned processes
Purse491
3 months agomitShell
GPG asymmetric (YubiKey) password manager
Yubikey Luks430
a year ago18Shell
Two factor authentication for harddisk encryption
Yubikey1362729 years ago10March 27, 20141mitRuby
A Ruby library for verifying, decoding, decrypting and parsing Yubikey one-time passwords.
Python Yubico Client724733 years ago8May 21, 2020bsd-3-clausePython
Python library for validating Yubico Yubikey One Time Passwords (OTPs) based on the validation protocol version 2.0.
Python Pyhsm62
12 years ago7November 03, 20165bsd-2-clausePython
Python code for YubiHSM
Passacre57
6 years ago12December 23, 20165otherC
better repeatable password generation
Alternatives To Purse
Select To Compare


Alternative Project Comparisons
Readme

Purse

Purse is a fork of drduh/pwd.sh.

Both programs are Bash shell scripts which use GPG to manage passwords and other secrets in encrypted text files. Purse uses asymmetric (public-key) authentication, while pwd.sh uses symmetric (password-based) authentication.

While both scripts use a trusted crypto implementation (GPG) and safely handle passwords (never saving plaintext to disk), Purse eliminates the need to remember and use a master password - just plug in a YubiKey, enter the PIN, then touch it to decrypt a password to clipboard.

By using Purse with YubiKey, the risk of master password theft or keylogging is eliminated - only physical possession of the Yubikey AND knowledge of the PIN can unlock the encrypted index and password files.

Release notes

Version 2b1 (2020)

Minor update to the second release. Currently in beta testing. Compatible on Linux, OpenBSD, macOS.

Known Issues:

  • Newer versions of macOS error with tr: Illegal byte sequence - see issue #4

Changelist:

  • Purse now uses a GPG keygroup to encrypt secrets to multiple recipients for improved reliability. The program will prompt for key IDs to define the keygroup; a single key ID can still be used.
  • Encrypted index is now optional and off by default, allowing a single touch to encrypt and decrypt secrets instead of two.
  • GPG configuration file is now included in Purse backup archives.

Version 2b (2019)

The second release of purse.sh features several security and reliability improvements, and is an optional upgrade. Currently in beta testing. Compatible on Linux, OpenBSD, macOS.

Known Issues:

  • Read actions now require two Yubikey touches, if touch to decrypt is enabled - once for the index and twice for the encrypted password file.

Changelist:

  • Passwords are now encrypted as individual files, rather than all encrypted as a single flat file.
  • Individual password filenames are random, mapped to usernames in an encrypted index file.
  • Index and password files are now "immutable" using chmod while purse.sh is not running.
  • Read passwords are now copied to clipboard and cleared after a timeout, instead of printed to stdout.
  • Use printf instead of echo for improved portability.
  • New option: list passwords in the index.
  • New option: create tar archive for backup.
  • Removed option: delete password; the index is now a permanent ledger.
  • Removed option: read all passwords; no use case for having a single command.
  • Removed option: suppress generated password output; should be read from safe to verify save.

Version 1 (2018)

The original release which has been available for general use and review since June 2018 (forked from pwd.sh which dates to 2015). There are no known bugs nor security vulnerabilities identified in this stable version of purse.sh. Compatible on Linux, OpenBSD, macOS.

Use

This script requires a GPG identity - see drduh/YubiKey-Guide to set one up. Multiple identities stored on several YubiKeys are recommended for reliability.

$ git clone https://github.com/drduh/Purse

(Version 2b and older) Set your GPG key ID with export PURSE_KEYID=0xFF3E7D88647EBCDB or by editing purse.sh.

cd purse.sh and run the script interactively using ./purse.sh or symlink to a directory in PATH:

  • Type w to write a password
  • Type r to read a password
  • Type l to list passwords
  • Type b to create an archive for backup
  • Type h to print the help text

Options can also be passed on the command line.

Example usage:

Create a 30-character password for userName:

$ ./purse.sh w userName 30

Read password for userName:

$ ./purse.sh r userName

Passwords are stored with a timestamp for revision control. The most recent version is copied to clipboard on read. To list all passwords or read a previous version of a password:

$ ./purse.sh l

$ ./purse.sh r [email protected]

Create an archive for backup:

$ ./purse.sh b

Restore an archive from backup:

$ tar xvf purse*tar

The backup contains only encrypted passwords and can be publicly shared for use on trusted computers. For additional privacy, the recipient key ID is not included in GPG metadata (throw-keyids option). The password index file can also be encrypted by changing the encrypt_index variable to true in the script.

See drduh/config/gpg.conf for additional GPG configuration options.

Similar software

Popular Password Projects
Popular Yubikey Projects
Popular Security Categories
Related Searches

Get A Weekly Email With Trending Projects For These Categories
No Spam. Unsubscribe easily at any time.
Shell
Security
Password
Bash
Unix
Backup
Encryption
Encrypted
Bash Script
Gpg
Password Manager
Gnupg
Yubikey