aboutsummaryrefslogtreecommitdiffstats

pwman - Commandline password manager

Homepage

Git repository

Github repository

pwman is a commandline based password manager. It encrypts the password database file using strong AES-256 encryption.

pwman has support for the following things:

  • Store arbitrary attributes and text data along with the passwords and login credentials.
  • Generate two factor authentication tokens (TOTP).
  • Database search with Regular Expressions or SQL LIKE syntax.
  • Database compare (diff). In pwman prompt, at pwman command line and as git diff extension.
  • Shell-style Tab-completion for all commands.
  • Custom Python scripts for arbitrary database processing.
  • Export of the complete database as SQL text dump, CSV dump and human readable plain text dump.

Algorithms

Encryption algorithm: AES in CBC mode with 256 bit key.
Key derivation function (KDF): Argon2id with 24 MiB memory cost or more (see environment variables below).

Install pwman

pwman does not have to be installed. The pwman script can be run directly from the source tree. It is not recommended to install pwman into the operating system.

Installing pwman into a virtualenv

If you want to install pwman into a Python virtualenv, run the following commands to create a new venv and install pwman from PyPi:

python3 -m venv --system-site-packages ./pwman-venv
. ./pwman-venv/bin/activate
pip3 install -U pwman-python

Run pwman

Just run the pwman executable to start pwman.

Type pwman -h for help about the command line options.

pwman prompt

If started without options, pwman enters the command prompt:

pwman$

Type the command help and press enter to see help about all possible commands.

Command help

To get help about a specific command, enter the command into the prompt and append a question mark without spaces in between:

pwman$ find?

Using a custom script to process the database content

A custom Python script can be passed to pwman as command line option. Such a script can do anything to the content of the database.

Please see the example script examplescript.py for more information.

API documentation

The API documentation can be found in the API documentation directory.

Crypto backends

Pwman uses either Cryptodome or pyaes for AES encryption. Therefore, either one of these Python modules has to be installed. Pwman first tries to use Cryptodome and then falls back to pyaes, if Cryptodome is not installed.

For key derivation either argon2-cffi or argon2pure can be used. Preferably argon2-cffi shall be installed. As an option argon2pure is supported. argon2pure is a pure Python implementation of the algorithm and it is extremely slow. Therefore, it will never be selected automatically. See environment variables.

Environment variables

Environment variables that affect pwman operation are:

Environment variable Description Possible values Default
PWMAN_CRYPTOLIB Select the crypto backend "cryptodome", "pyaes" probe in order
PWMAN_ARGON2LIB Select the Argon2 backend "argon2-cffi", "argon2pure" "argon2-cffi"
PWMAN_ARGON2MEM Set the amount of memory (in KiB) used for key derivation. Increasing this value improves security, but it also increases the amount of memory required during encryption and decryption. Number of KiB, but not less than 24584. 24584
PWMAN_ARGON2TIME Set the time used for key derivation. Increasing this value improves security, but it also increases the time required for encryption and decryption. Number of iterations, but not less than 2 and not less than 2500000 / PWMAN_ARGON2MEM. 163
PWMAN_DATABASE Path to the default database any file path ~/.pwman.db
PWMAN_RAWGETPASS If true, do not use safe master password input. Read directly from stdin instead. boolean (0, 1, true, false, yes, no) false

You probably don't need to set any environment variable to use pwman. The default values are most likely what you want.

Out of memory errors

Pwman uses a strong and memory hard algorithm (Argon2id) to derive the master encryption key from the user supplied master passphrase. This algorithm uses lots of memory (and time) to make brute forcing the key expensive. This significantly improves security, if the master passphrase has less entropy than the raw AES-256 key.

Pwman also locks all memory to RAM, so that no secrets and keys are written to swap disk space. Therefore, pwman might crash if the actual memory usage during key derivation exceeds the system's memory lock limit.

To increase the locked memory available to applications, please increase the OS limits by installing a raised limit as follows:

# as root:
cp pwman-memlock-limits.conf /etc/security/limits.d/
reboot

Swap partition

Pwman locks all memory to ensure that no secrets are copied from RAM to possibly unencrypted swap disk space.

However, pwman can only lock its own memory. It cannot lock memory owned by the window manager, X11, Wayland, the terminal emulator or anything else. Therefore, it is strongly recommended to avoid using unencrypted swap disk space when using pwman. If you have unencrypted swap space it is possible that (parts of) the database or the master passphrase end up being written to it.

Therefore, please use encrypted swap space, if you need swap space. If you do not need swap space, please disable swap entirely.

Do not use unencrypted swap space.

Pwman currently only locks memory on Linux and Android platforms. If pwman is unable to lock memory, it will print a warning message and give you a chance to abort.

bues.ch cgit interface