ShadowPass

A tool for keeping a GnuPG encrypted password store.

A brief history

I have, for a long time, kept a gpg encrypted password file in markdown format in a private git repo that I have appropriately named, 'shadow'. It follows me everywhere. When I need a password, I vi the file, and with the help of the gpg vim plugin, I can quickly access my secret. This has worked for a long time. However, as the file grows it can become a bit unwieldy. Thus, 'shadowpass'.

But what about the other tools?

For the past couple years I have been working on a mac as my primary desktop. This has its benefits in the world of password storage. Namely, keychain. Keychain is awesome. It allows the system, utilities or the user, to directly read and write to the password store, with some mild 'would you like to grant access' style security methods. The database is encrypted and such, which is basically a must for any password storage utility. I've also been using another great utility on the Mac called '1Password'. 1Password is a gui application that stores your passwords in an encrypted password store, giving you a gui and some browser plugins so that you can store per site passwords for some auto fill magic. Cool stuff, but its outside the scope of this tool.

So why?

Having password storage tools locally on your desktop does wonders for you... when you are local. But what if you are working on a remote system that isn't of the Apple variety? For my case, I want offlineimap to be able to lookup a password automatically with one simple command line utility on a box where I don't have my common desktop tools like the security tool on OS X. There are some other tools out there like Keypass, kwallet, gnome-pass, python-keyring, etc, but to my knowledge none of these support GPG. I am big on GPG, and since I am not using X on a remote system they do me little good, with the exception of python-keyring.

Usage

Getting and setting a record is easy. Jus specify the path with either the -g or -s flags.

shadowpass -c ~/.shadow.yaml -s sites/forge

You will be prompted for the secret that you would like to store at this path. Then to retrieve the value that you stored there, just use the get flag.

shadowpass -c ~/.shadow.yaml -g sites/forge

Easy, right? Paths can be of any length, so you are free to organize your passwords in any way you like.

Storage format

Its all just json. The path gets translated into a hash of hashes structures converting the path keys into hash keys, before getting or setting the value for those keys.

Want to get the entire database? Easy.

shadowpass -c ~/.shadow.yaml -g /

This tells shadowpass to get the root, and therfore everything beneath it. You can follow the same logic to get everything below a certain point. For example:

shadowpass -c ~/.shadow.yaml -g sites/social/github

Will return you all the items you have stored beneath the key github. This is useful so you can store username, password, and any extras, like api key, etc.