Encrypted plaintext password store

Project description

Sala lets you store passwords and other bits of sensitive plain-text information to encrypted files on a directory hierarchy. The information is protected by GnuPG’s symmetrical encryption.

Copyright (C) 2011 Petri Lehtinen. Sala is free software; you can redistribute it and/or modify it under the terms of the MIT license. See the file LICENSE distributed with the source code for details.

Basic usage

Passwords are stored in a directory hierarchy, each file containing one secret, like this:

/path/to/passwords
|-- example-service.com
|   |-- +webmail
|   |   |-- @myuser
|   |   `-- @otheruser
|   `-- +adminpanel
|       `-- @admin
`-- my-linux-box
    |-- @myuser
    `-- @root

I use a convention of naming directories after services and using @username as the file name. If a service has groups, categories, subservices, etc., I use subdirectories whose names are prefixed with +. This naming scheme is not enforced by sala, and you can come up with your own scheme, for example if you want to hide the usernames, too.

To create a new password store, first create an empty directory, change into it, and invoke:

$ sala init

This command asks for the master passphrase you want to use for the store. It then initializes the password store by creating a long random key and encrypting it with the master passphrase.

Create a new password for service/@myuser:

$ sala set service/@myuser

This command first asks you for the master passphrase, and then the secret that should be stored to the file service/@myuser. The intermediate directory service is created automatically.

To read the secret you just stored, invoke:

$ sala get service/@myuser

This command asks again for the master passphrase, and outputs the secret.

All the files are just normal files, so you can safely remove or rename files if you want to.

The above commands can also be used on multiple files at once:

$ sala set service2/@myuser service3/@otheruser
$ sala get service2/@myuser service3/@otheruser

If no command is specified, sala assumes get if the first file exists and set otherwise. That is, the command:

$ sala foo/@bar

reads the secret foo/@bar if the file exists, and creates a new secret otherwise. Note that this may not work as you expect for multiple files, as the existence of the first file determines whether to read or to write.

Configuration

Sala can be configured with an INI-style configuration file. Sala tries to read the configuration from ~/.sala.conf, ~/.config/sala.conf (more specifically $XDG_CONFIG_HOME/sala.conf) and sala.conf in the top directory of the password store, in this order. None of the files are required. If a configuration setting is specified in more than one file, the file later in the list above takes precedence.

Here’s the default configuration:

# All configuration settings are in the [sala] section.
[sala]

# The cipher to use with GnuPG's symmetrical encryption.
# Run "gpg --version" to list supported ciphers.
cipher = AES256

# Master key length, in bytes
key-length = 64

# A shell command to run to generate password suggestions
password-generator = pwgen -nc 12 10

Changing cipher only affects secrets that are set after the configuration setting is changed. Old secrets will not automatically be re-encrypted.

Only sala init uses the key-length option. If you want the master key to be of a different size, make sure the configuration file exists before you run sala init.

The password-generator option is run through the shell to generate password suggestions. If the command fails (is not found or exits with non-zero exit status), its output is ignored. Otherwise, the output should consist of one or more words separated with whitespace (space, tab, newline, etc.). These words are presented to the user as password suggestions by sala set.
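Since sala.conf in the store's top directory overrides the per-user files and password-generator is run through the shell, it is worth knowing which file supplies each setting before running sala set in a store you did not create. The Python below is an added example, not sala's own code; it assumes configparser reads the files the way sala does, and the function names are made up here.

```python
import configparser
import os

# Defaults as listed in the configuration section above.
DEFAULTS = {"cipher": "AES256", "key-length": "64",
            "password-generator": "pwgen -nc 12 10"}

def config_paths(store, env=os.environ):
    """Candidate files in the documented order (lowest precedence first)."""
    home = env.get("HOME", os.path.expanduser("~"))
    # XDG rule: an unset or empty XDG_CONFIG_HOME means ~/.config
    xdg = env.get("XDG_CONFIG_HOME") or os.path.join(home, ".config")
    return [os.path.join(home, ".sala.conf"),
            os.path.join(xdg, "sala.conf"),
            os.path.join(store, "sala.conf")]

def effective_config(store, env=os.environ):
    """Return {option: (value, source)}; source is a file path or 'default'."""
    result = {key: (value, "default") for key, value in DEFAULTS.items()}
    for path in config_paths(store, env):
        parser = configparser.ConfigParser(interpolation=None)
        parser.read(path)  # a missing file is skipped without error
        if parser.has_section("sala"):
            for key, value in parser.items("sala"):
                result[key] = (value, path)  # later file overrides earlier
    return result

def store_supplied_generator(store, env=os.environ):
    """The shell command if it comes from the store's own sala.conf, else None."""
    value, source = effective_config(store, env)["password-generator"]
    return value if source == os.path.join(store, "sala.conf") else None
```

A non-None result from store_supplied_generator means the command that sala set would hand to the shell was chosen by whoever wrote the store, not by your own configuration.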

Under the hood

Sala uses GnuPG’s symmetric encryption. All encrypted files are in the GnuPG plain text (armor) format.

When the password store is initialized, a very long, truly random key is generated and stored to the file .salakey. Only this “master key” is encrypted with your master passphrase. All the other files in the store are encrypted with the master key.
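Because a changed cipher setting is not applied to existing secrets, and every secret is an ASCII-armored GnuPG message, a store can be audited for old ciphers without the passphrase: the cipher ID is stored unencrypted in the leading symmetric-key packet. The Python below is an added example, not part of sala; it assumes GnuPG wrote RFC 4880 version 4 packets and that every file other than .salakey and sala.conf is a secret, and all function names are made up here.

```python
import base64
import os

# OpenPGP symmetric algorithm IDs (RFC 4880 sec. 9.2, RFC 5581), GnuPG names.
CIPHERS = {1: "IDEA", 2: "3DES", 3: "CAST5", 4: "BLOWFISH", 7: "AES",
           8: "AES192", 9: "AES256", 10: "TWOFISH", 11: "CAMELLIA128",
           12: "CAMELLIA192", 13: "CAMELLIA256"}

def dearmor(text):
    """Decode the base64 body of an ASCII-armored PGP message."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if not lines or lines[0] != "-----BEGIN PGP MESSAGE-----" or "" not in lines:
        raise ValueError("not an armored PGP message")
    rest = lines[lines.index("") + 1:]  # armor headers end at a blank line
    end = next((i for i, ln in enumerate(rest) if ln.startswith(("=", "-"))), len(rest))
    return base64.b64decode("".join(rest[:end]))  # stop at CRC-24 or END line

def skesk_cipher(data):
    """Cipher named in the leading v4 Symmetric-Key ESK packet (tag 3)."""
    if len(data) < 2 or not data[0] & 0x80:
        raise ValueError("not an OpenPGP packet")
    if data[0] & 0x40:  # new-format header; a short packet has a 1-octet length
        tag, body = data[0] & 0x3F, 2
    else:               # old-format header; low two bits give the length size
        tag, body = (data[0] >> 2) & 0x0F, 1 + (1, 2, 4, 0)[data[0] & 3]
    if tag != 3 or len(data) < body + 2 or data[body] != 4:
        raise ValueError("no v4 symmetric-key ESK packet at start")
    return CIPHERS.get(data[body + 1], "unknown(%d)" % data[body + 1])

def stale_secrets(store, wanted="AES256"):
    """Map relative path -> cipher (or error) for secrets not using `wanted`."""
    report = {}
    for root, dirs, files in os.walk(store):
        dirs[:] = [d for d in dirs if not d.startswith(".")]  # skip e.g. .git
        for name in sorted(set(files) - {".salakey", "sala.conf"}):  # assumed non-secrets
            path = os.path.join(root, name)
            try:
                with open(path, encoding="ascii") as fh:
                    cipher = skesk_cipher(dearmor(fh.read()))
            except ValueError as exc:  # non-ASCII, bad base64, wrong packet
                cipher = "unreadable: %s" % exc
            if cipher != wanted.upper():
                report[os.path.relpath(path, store)] = cipher
    return report

def sample_armor(algo_id):  # constructed sample: v4 SKESK header, zeroed salt/count
    b64 = base64.b64encode(bytes([0x8C, 0x0D, 4, algo_id, 3, 2]) + bytes(9)).decode()
    return "-----BEGIN PGP MESSAGE-----\n\n" + b64 + "\n-----END PGP MESSAGE-----\n"
```

Files reported as unreadable are not armored GnuPG messages at all, which in a store usually means plain text was saved there by hand.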

Installation

Install sala by invoking:

pip install sala

To install from source, invoke:

python setup.py install

Requirements:

Suggested packages:

  • pwgen: With the default configuration, if pwgen is installed, it’s used to suggest good passwords to the user

Release history

Version 1.1

Released on 2011-02-02

  • Add support for Python 2.5

  • Read configuration from $XDG_CONFIG_HOME/sala.conf, too

Version 1.0.1

Released on 2011-01-19

  • Distribute README.rst, LICENSE and CHANGES with the source tarball.

Version 1.0

Released on 2011-01-18

  • Initial release.
