A Password Manager Using age for Encryption

A Password Manager Using age for Encryption

Contents

• Features
• Usage
• Install
• Import from pass
• How It Works

Features

It is inspired by pass. senior's features are

• Multiple stores
• OTP support
• Clipboard support for Linux (Wayland and X11), Termux, WSL, Darwin (macOS)
• Select and automatically copy or type (ydotool or xdotool) a password via seniormenu
• git support
• Completions for bash and zsh
• No config files
• Passphrase protected identities
• Passphrases only need to be entered once per session and then get cached by senior-agent
• A store can be shared among a group (encryption for multiple recipients)
• Symlinks between stores are supported

To do:

• Android app
• Browser Add-On
• More import scripts

Usage

Create a New Store

senior init
# optionally initialise for git use:
senior git init
senior git add '*'
senior git commit -m "init"

The default store name is main. You can use senior -s to use another name.

git-clone an Existing Store

senior clone [email protected]:exampleuser/mystore.git

Without specifying another store name (using -s), the default name will be mystore in this example. Someone who already has access to the store can then add you to the recipients via

senior add-recipient "" ""

Use an Existing Identity

Both senior create and senior clone support the optional flag -i or --identity to use an existing identity instead of generating a new one. Supported are

• Cleartext age identity
• Passphrase encrypted age identity
• ssh key of type ed25519 or rsa

Edit/Show/Move/Remove a Password

senior edit example.com
senior show example.com
senior mv example.com example2.com
senior rm example2.com

senior show has the option -k or --key to only print the value of a key: value pair. The special key otp creates the one-time password from the otpauth-string.

$ senior show example.com
mysecretpassword
login: myusername
otpauth://totp/Example:[email protected]?secret=JBSWY3DPEHPK3PXP&issuer=Example
# use `-c` or `--clip` to also add it to the clipboard
$ senior show -c -k login example.com
myusername
$ senior show -k otp example.com
118250

git Support

With senior git you can run git commands in the senior print-dir directory. If you have initialised your store for git use then any senior edit creates a git-commit. To sync it with remote, run

senior git pull
senior git push

Multiple Stores

You can use multiple stores by using -s or --store

$ ls "$(senior print-dir)"/..
friends  main  work
# the default store is `main`
$ senior show
/home/bob/.local/share/senior/main
├── gitlab.com
├── friends -> ../friends
│   ├── amazon.com
│   ├── example.com
│   └── netflix.com
└── gitlab.com
$ senior -s friends show
/home/bob/.local/share/senior/friends
├── amazon.com
├── example.com
└── netflix.com
$ senior -s work show
/home/bob/.local/share/senior/work
├── server1
└── workstation

Notice the symlink main/friends -> ../friends. This makes the two commands

$ senior -s friends show example.com
$ senior show friends/example.com

equivalent. senior recognises that main/friends/example.com is actually at friends/example.com and therefore uses friends/.identity.age to decrypt. The same goes for senior edit and using friends/.recipients/* to encrypt. This is very practical for seniormenu, as it only looks inside the default store.

If only one store exists then this is the default store. Otherwise, main is the default store.

seniormenu

seniormenu [--menu ] [--dotool ] [--type] [  ...]

seniormenu uses dmenu-wl or dmenu (can be changed with --menu ) to let you select a password for the clipboard. You can provide a to get another value from the password file (like login, email, ...).

With --type the password gets typed using ydotool (for Wayland) / xdotool (for X11). The default can be changed with --dotool .

ydotool feature only: You can specify multiple keys. Inbetween keys, a TAB is typed. After typing the password or the otp, the ENTER key gets pressed.

Set up some keybindings in your window manager to quickly clip/type passwords. An example for sway/i3 is

bindsym $mod+u exec seniormenu --menu bemenu --type
bindsym $mod+y exec seniormenu --menu bemenu --type otp
bindsym $mod+t exec seniormenu --menu bemenu --type login password

senior-agent

If you have set a passphrase to protect your identity file, then running age -d -i .identity.age example.com.age would require you to enter the passphrase each time. Because this is very cumbersome, senior provides an agent.

Upon receiving your passphrase once, senior starts senior-agent to cache your identity. This way you only have to enter your passphrase once per session.

Install

Arch BASED Systems

Simply use the provided PKGBUILD.

# Download the PKGBUILD into an empty directory
curl -O "https://gitlab.com/retirement-home/senior/-/raw/main/PKGBUILD"
# Install the package with all its dependencies
makepkg -sic

Other Systems

# build
make

# install
sudo make install

# uninstall
sudo make uninstall

On Termux you should omit the sudo. Make sure you have the dependencies installed (look at depends and makedepends in the PKGBUILD).

Import from pass

Use the script pass2senior.py to import your passwords.

./pass2senior.py ~/.password-store "$(senior print-dir)"
# set a passphrase
senior change-passphrase

How It Works

Your store is just a directory, usually ~/.local/share/senior/main/. Run senior print-dir to find out. Let us look at the directory tree.

$ tree -a "$(senior print-dir)"
/home/bob/.local/share/senior/main
├── example.com.age
├── .gitignore
├── gitlab.com.age
├── .identity.age
└── .recipients
    └── main.txt

Apart from .gitignore there are two special entries: .identity.age and .recipients/.

• .identity.age is your age identity that is used to decrypt the passwords.

• .recipients/main.txt contains the public keys used for encrypting the passwords.

The passwords are age-encrypted text files. Let us look at a password:

$ senior show gitlab.com
mysupersafepassword
login: myuser

The show command is equivalent to

$ age -d -i .identity.age gitlab.com.age
mysupersafepassword
login: myuser

With senior edit ..., after editing the decrypted text file, it gets encrypted via

$ age -e -R .recipients/main.txt -o gitlab.com.age /tmp/gitlab.com.txt