A Password Manager Using age for Encryption



A Password Manager Using age for Encryption

senior demonstration



It is inspired by pass. senior's features are

  • Multiple stores
  • OTP support
  • Clipboard support for Linux (Wayland and X11), Termux, WSL, Darwin (macOS)
  • Select and automatically copy or type (ydotool or xdotool) a password via seniormenu
  • git support
  • Completions for bash and zsh
  • No config files
  • Passphrase protected identities
  • Passphrases only need to be entered once per session and then get cached by senior-agent
  • A store can be shared among a group (encryption for multiple recipients)
  • Symlinks between stores are supported

To do:

  • Android app
  • Browser Add-On
  • More import scripts


Create a New Store

senior init
# optionally initialise for git use:
senior git init
senior git add '*'
senior git commit -m "init"

The default store name is main. You can use senior -s to use another name.

git-clone an Existing Store

senior clone [email protected]:exampleuser/mystore.git

Without specifying another store name (using -s), the default name will be mystore in this example. Someone who already has access to the store can then add you to the recipients via

" """>
senior add-recipient "" ""

Use an Existing Identity

Both senior create and senior clone support the optional flag -i or --identity to use an existing identity instead of generating a new one. Supported are

  • Cleartext age identity
  • Passphrase encrypted age identity
  • ssh key of type ed25519 or rsa

Edit/Show/Move/Remove a Password

senior edit example.com
senior show example.com
senior mv example.com example2.com
senior rm example2.com

senior show has the option -k or --key to only print the value of a key: value pair. The special key otp creates the one-time password from the otpauth-string.

$ senior show example.com
login: myusername
otpauth://totp/Example:[email protected]?secret=JBSWY3DPEHPK3PXP&issuer=Example
# use `-c` or `--clip` to also add it to the clipboard
$ senior show -c -k login example.com
$ senior show -k otp example.com

git Support

With senior git you can run git commands in the senior print-dir directory. If you have initialised your store for git use then any senior edit creates a git-commit. To sync it with remote, run

senior git pull
senior git push

Multiple Stores

You can use multiple stores by using -s or --store

../friends │   ├── amazon.com │   ├── example.com │   └── netflix.com └── gitlab.com $ senior -s friends show /home/bob/.local/share/senior/friends ├── amazon.com ├── example.com └── netflix.com $ senior -s work show /home/bob/.local/share/senior/work ├── server1 └── workstation">
$ ls "$(senior print-dir)"/..
friends  main  work
# the default store is `main`
$ senior show
├── gitlab.com
├── friends -> ../friends
│   ├── amazon.com
│   ├── example.com
│   └── netflix.com
└── gitlab.com
$ senior -s friends show
├── amazon.com
├── example.com
└── netflix.com
$ senior -s work show
├── server1
└── workstation

Notice the symlink main/friends -> ../friends. This makes the two commands

$ senior -s friends show example.com
$ senior show friends/example.com

equivalent. senior recognises that main/friends/example.com is actually at friends/example.com and therefore uses friends/.identity.age to decrypt. The same goes for senior edit and using friends/.recipients/* to encrypt. This is very practical for seniormenu, as it only looks inside the default store.

If only one store exists then this is the default store. Otherwise, main is the default store.


seniormenu [--menu ] [--dotool ] [--type] [  ...]

seniormenu uses dmenu-wl or dmenu (can be changed with --menu ) to let you select a password for the clipboard. You can provide a to get another value from the password file (like login, email, ...).

With --type the password gets typed using ydotool (for Wayland) / xdotool (for X11). The default can be changed with --dotool .

ydotool feature only: You can specify multiple keys. Inbetween keys, a TAB is typed. After typing the password or the otp, the ENTER key gets pressed.

Set up some keybindings in your window manager to quickly clip/type passwords. An example for sway/i3 is

bindsym $mod+u exec seniormenu --menu bemenu --type
bindsym $mod+y exec seniormenu --menu bemenu --type otp
bindsym $mod+t exec seniormenu --menu bemenu --type login password


If you have set a passphrase to protect your identity file, then running age -d -i .identity.age example.com.age would require you to enter the passphrase each time. Because this is very cumbersome, senior provides an agent.

Upon receiving your passphrase once, senior starts senior-agent to cache your identity. This way you only have to enter your passphrase once per session.


Arch BASED Systems

Simply use the provided PKGBUILD.

# Download the PKGBUILD into an empty directory
curl -O "https://gitlab.com/retirement-home/senior/-/raw/main/PKGBUILD"
# Install the package with all its dependencies
makepkg -sic

Other Systems

# build

# install
sudo make install

# uninstall
sudo make uninstall

On Termux you should omit the sudo. Make sure you have the dependencies installed (look at depends and makedepends in the PKGBUILD).

Import from pass

Use the script pass2senior.py to import your passwords.

./pass2senior.py ~/.password-store "$(senior print-dir)"
# set a passphrase
senior change-passphrase

How It Works

Your store is just a directory, usually ~/.local/share/senior/main/. Run senior print-dir to find out. Let us look at the directory tree.

$ tree -a "$(senior print-dir)"
├── example.com.age
├── .gitignore
├── gitlab.com.age
├── .identity.age
└── .recipients
    └── main.txt

Apart from .gitignore there are two special entries: .identity.age and .recipients/.

  • .identity.age is your age identity that is used to decrypt the passwords.

  • .recipients/main.txt contains the public keys used for encrypting the passwords.

The passwords are age-encrypted text files. Let us look at a password:

$ senior show gitlab.com
login: myuser

The show command is equivalent to

$ age -d -i .identity.age gitlab.com.age
login: myuser

With senior edit ..., after editing the decrypted text file, it gets encrypted via

$ age -e -R .recipients/main.txt -o gitlab.com.age /tmp/gitlab.com.txt
You might also like...
age-encrypted secrets for NixOS; drop-in replacement for agenix

ragenix ragenix provides age-encrypted secrets for NixOS systems which live in the Nix store and are decrypted on system activation. Using ragenix to

Python bindings for rage (age in Rust)

pyrage Python bindings for the Rust implementation of age. Index Installation Usage Development Licensing Installation You can install pyrage with pip

Rust library for practical time-lock encryption using `drand` threshold network

tlock-rs: Practical Timelock Encryption/Decryption in Rust This repo contains pure Rust implementation of drand/tlock scheme. It provides time-based e

A simple command-line application to securely store secrets using encryption

rust-secret-vault A simple yet robust command-line tool designed to safely encrypt and store your sensitive information. Harnessing the power of AES-2

An implementation of the OPAQUE password-authenticated key exchange protocol

The OPAQUE key exchange protocol OPAQUE is an asymmetric password-authenticated key exchange protocol. It allows a client to authenticate to a server

Master Password in Pure Rust
Master Password in Pure Rust

Master Password •••| This is the Rust version of the original found here. This can be used as a drop-in replacement for the reference C version, offer

rabe is an Attribute Based Encryption library, written in Rust

Rabe rabe is a rust library implementing several Attribute Based Encryption (ABE) schemes using a modified version of the bn library of zcash (type-3

A Rust port of the password primitives used in Django Project.

Rust DjangoHashers A Rust port of the password primitives used in Django Project. Django's django.contrib.auth.models.User class has a few methods to

WebAssembly wrapper of the rage encryption library

rage-wasm: WebAssembly wrapper of rage rage is a simple, modern, and secure file encryption tool, using the age format. It features small explicit key

Authenticated Encryption with Associated Data Algorithms: high-level encryption ciphers

RustCrypto: Authenticated Encryption with Associated Data (AEAD) Algorithms Collection of Authenticated Encryption with Associated Data (AEAD) algorit

Rust Crypto 457 Jan 4, 2023
Rust encryption library for practical time-lock encryption.

tlock_age: Hybrid Timelock Encryption/Decryption in Rust tlock_age is a library to encrypt and decrypt age filekey using tlock scheme. It provides an

Thibault 5 Mar 29, 2023
The simple password manager for geeks, built with Rust.

Rooster Rooster is a simple password manager for geeks (it works in the terminal). Rooster is made available free of charge. You can support its devel

Conrad Kleinespel 131 Dec 25, 2022
🐴 RusTOTPony — CLI manager of one-time password generators aka Google Authenticator

?? RusTOTPony CLI manager of time-based one-time password generators. It is a desktop alternative for Google Authenticator. Installation Arch Linux Pa

German Lashevich 23 Jan 5, 2023
A simple password manager written in rust

Passman - A password manager written in rust. How to use?: USAGE: passman option Currently available options are: new - initalize passman with a new m

Strawkage 7 Aug 26, 2021
A simple password manager written in Rust

ripasso A simple password manager written in Rust. The root crate ripasso is a library for accessing and decrypting passwords stored in pass format (G

Joakim Lundborg 550 Dec 30, 2022
A password manager coded in rust

pasman A password manager coded in rust Install Dependency rust Shell git clone https://github.com/AMTitan/pasman.git cd pasman cargo build --release

Arthur Melton 4 Nov 8, 2021
The free password manager for power users

The free password manager for power users

null 312 Oct 22, 2022
A lightning-fast password generator and manager written in Rust

Passlane A lightning-fast password manager for the command line Features Generate passwords Place the generated password into the clipboard Save previ

Anssi Piirainen 4 Dec 15, 2022
A terminal-based password manager, generator, and importer/exporter (Firefox, Chrome) backed with a concurrent hashmap

rucksack A terminal-based password manager, generator, and importer/exporter (Firefox, Chrome) backed with a concurrent hashmap Features Password gene

null 6 Jan 18, 2023