# dpw the dynamic password manager

Inspired by [`pass`](https://www.passwordstore.org/) and designed to be
partly compatible out of the box.

The main point of this is to provide a somewhat familiar command line interface
for pluggable backends.

For instance, one could write a plugin that talks to LastPass, Bitwarden,
HashiCorp's Vault, or similar.

There are some mild changes in the interface from `pass`; a full list
of commands and options is available with the `-h` command line flag.

The environment variable `DPW_BACKEND` defaults to `dpw-gpg`, which provides
the `pass`-compatible backend. Since it's just a call to another executable,
the backends can be written in any language.

I can also highly recommend my blog post on
[GnuPG / GPG / PGP on a Yubikey](https://riedstra.dev/2021/08/pgp-yubikey).
That way your private key isn't even exposed to your computer, only the
utilization of it is.

## Backends

The `dpw-gpg` shell script should be short enough to read to give you an
idea for implementing your own. That being said, the interface is blindingly
simple: accept the following four commands:

* list
  * Dump a list of the available keys. Supporting arguments for sub keys
    may be preferred by users but isn't necessary; `find` will still work
    for them.
* insert `<key>`
  * Read from stdin
* show `<key>`
  * Dump to stdout
* rm `<key>`
* init ( optional )

`dpw` will take care of all the additional commands by wrapping the four
above as needed.
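
A minimal backend implementing the interface described above, as an added example rather than code from dpw. The name `dpw-demo`, the `DPW_DEMO_DIR` variable, the argument order (`<command> [<key>]`) and the plain-directory storage are assumptions made for illustration; the point is the dispatch, key validation before anything touches the filesystem, and taking the secret on stdin.

```sh
#!/bin/sh
# dpw-demo: hypothetical backend sketch (added example, not part of dpw).
# Assumption: dpw runs the backend as `<backend> <command> [<key>]`.
# Storage is an unencrypted directory, standing in for a real secret store.
DPW_DEMO_DIR="${DPW_DEMO_DIR:-$HOME/.dpw-demo}"   # hypothetical variable

# Reject keys that could escape the store: empty, absolute, or with a
# '..' path segment.
valid_key() {
    case "$1" in
        ''|/*|..|../*|*/..|*/../*) return 1 ;;
    esac
    return 0
}

backend_main() {
    umask 077   # anything created is readable by the owner only
    cmd="${1:-}"; key="${2:-}"
    case "$cmd" in
        init|list) ;;
        insert|show|rm)
            valid_key "$key" || { echo "invalid key: $key" >&2; return 2; } ;;
        *)
            echo "usage: dpw-demo {init|list|insert|show|rm} [key]" >&2
            return 64 ;;
    esac
    case "$cmd" in
        init)   mkdir -p "$DPW_DEMO_DIR" ;;
        list)   (cd "$DPW_DEMO_DIR" && find . -type f | sed 's|^\./||' | sort) ;;
        insert) mkdir -p "$(dirname "$DPW_DEMO_DIR/$key")" &&
                cat > "$DPW_DEMO_DIR/$key" ;;   # secret comes from stdin, not argv
        show)   cat "$DPW_DEMO_DIR/$key" ;;
        rm)     rm -f "$DPW_DEMO_DIR/$key" ;;
    esac
}

# Dispatch only when given arguments, so the file can also be sourced.
if [ "$#" -gt 0 ]; then backend_main "$@"; fi
```
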

## dmenu script

There's also a small dmenu script included that makes copying or typing
out passwords and OTP tokens very quick and easy.

# [age](https://github.com/FiloSottile/age) backend

Similar to the GPG backend, except you shouldn't actually use it; it's for
demo purposes _only_ to see how other programs might be integrated. There's also
[https://git.riedstra.dev/go/dpw-ssm/about/](https://git.riedstra.dev/go/dpw-ssm/about/)
available now, which backs to the AWS Parameter store and should be a fair bit
more useful than the `age` backend.

The usage should be straightforward: install the utility and then set
`DPW_BACKEND=dpw-age` in your environment. It will not clobber any GPG based
password store you have unless you explicitly override `DPW_AGE_DIR`.

It expects `age` and `age-keygen` to be in your path.

Check over `dpw init --help` for more options when initializing the store.

Environment variables:

* `DPW_AGE_DIR=$HOME/.dpw-age`
  * Default directory for storage
* `DPW_AGE_KEY=$HOME/.dpw-age-key`
  * Default key file
* `PASSWORD_STORE_UMASK=077`
  * Umask for files created
* `DPW_AGE_RECIPIENTS`
  * If set, no `.recipients` files are read and encryption will be to the keys
    specified

NOTE: Because there's no agent, passphrase-protected keys are going to be
somewhat of a pain to use with this. Having a password manager with the
key sitting on disk right next to the files sort of defeats the purpose.
It's still perhaps useful in the sense that the requirements for setup
are minimal and you don't have to deal with dragging GPG around.

The Go library is available, so in theory it wouldn't be hard to write
a self-contained backend that kept the key in memory. If made setgid
nobody, it'll prevent your regular user from being able to extract the
keys from memory.