aegisvault 0.4.8

Convert otpauth URI file to Encrypted Aegis vault JSON file

• Documentation for the Aegis vault format can be found here
• The codebase was initially imported from the Gnome Authenticator project.
• This repo is after https://github.com/louib/aegis-vault-rs
• The Encrypted Aegis vault JSON files produced are Vault version 1, Database version 3.
• The included decrypt.py (decrypts an encrypted Aegis JSON file into plain JSON) is from: https://github.com/beemdevelopment/Aegis/raw/refs/heads/master/docs/decrypt.py
• The included showdb.py shows the JSON content of the db field of an encrypted Aegis JSON file.

Documentation

Overall JSON structure for Vault version 1 (current):

{
	"version": 1,
	"header": {},
	"db": {}
}

The db field stores the vault contents, either as a base64-encoded string of the encrypted content, or as an object with a version field, a list of entries, and a list of groups (this object gets encrypted and base64-encoded).

The JSON header field:

{
	"slots": [
		{
			"type": 1,
			"uuid": "62141a6a-5d4c-48ef-bb06-db0c3642a0b8",
			"key": "ce586c1a4520.4.89c740dfd2878f875d18b95facbe4cc812cc31fc3e87bc68f",
			"key_params": {
				"nonce": "9bf72b47e87a165962adddc3",
				"tag": "c51ff5e48b3239e1b474f03319e42564"
			},
			"n": 32768,
			"r": 8,
			"p": 1,
			"salt": "8b115ba456d09adb0667f9a03c663846b35e71f21d24cf1abbaa1c72bd9cf89a",
			"repaired": true,
			"is_backup": false
		}
	],
	"params": {
		"nonce": "0123456789abcdef01234567",
		"tag": "0123456789abcdef0123456789abcdef"
	}
}

JSON header for unencrypted db:

{
	"slots": null,
	"params": null
}

JSON entry:

{
	"type": "totp",
	"uuid": "3ae6f1ad-2e65-4ed2-a953-1ec0dff2386d",
	"name": "Mason",
	"issuer": "Deno",
	"icon": null,
	"info": {
		"secret": "4SJHB4GSD43FZBAI7C2HLRJGPQ",
		"algo": "SHA1",
		"digits": 6,
		"period": 30
	}
}

If a uuid is not provided, it will be generated on import. Other fields in database version 4: note (""), favorite (false), icon_mime (null), icon_hash (null).

JSON groups (db version 3 onwards):

[
	{
		`uuid`: "62141a5a-5d4c-48ef-bb06-db0c3642a0b8",
		`name`: "Group"
	}
]

Install

Install standalone single-binary

wget https://github.com/pepa65/aegisvault/releases/download/0.3.80/aegisvault
sudo mv aegisvault /usr/local/bin
sudo chown root:root /usr/local/bin/aegisvault
sudo chmod +x /usr/local/bin/aegisvault

Install with cargo

If not installed yet, install a Rust toolchain, see https://www.rust-lang.org/tools/install

Direct from crates.io

cargo install aegisvault

Direct from repo

cargo install --git https://github.com/pepa65/aegisvault

Static build (avoiding GLIBC incompatibilities)

git clone https://github.com/pepa65/aegisvault
cd aegisvault
rustup target add x86_64-unknown-linux-musl
cargo rel  # Alias in .cargo/config.toml

The binary will be at target/x86_64-unknown-linux-musl/release/aegisvault

Install with cargo-binstall

Even without a full Rust toolchain, rust binaries can be installed with the static binary cargo-binstall:

# Install cargo-binstall for Linux x86_64
# (Other versions are available at <https://crates.io/crates/cargo-binstall>)
wget github.com/cargo-bins/cargo-binstall/releases/latest/download/cargo-binstall-x86_64-unknown-linux-musl.tgz
tar xf cargo-binstall-x86_64-unknown-linux-musl.tgz
sudo chown root:root cargo-binstall
sudo mv cargo-binstall /usr/local/bin/

Only a linux-x86_64 (musl) binary available: cargo-binstall aegisvault

It will be installed in ~/.cargo/bin/ which will need to be added to PATH!

Usage

aegisvault 0.4.8 - Convert otpauth-URI file to Encrypted Aegis JSON on stdout
Usage: aegisvault <URI_FILE>
Arguments:
  <URI_FILE>  The otpauth-URI input

Options:
  -h, --help     Print help
  -V, --version  Print version

• Unencrypted otpauth-URI files consist of lines with this format (the position of the parameters can be changed): otpauth://TYPE/NAME?secret=SECRET&algorithm=HMAC_ALGORITHM&digits=LENGTH&period=PERIOD&issuer=ISSUER
  • TYPE can be totp/hotp/steam/motp/yandex.
  • NAME should not contain a : (colon) or % (percent), as it messes with URI encoding.
  • SECRET is the base32 RFC3548 seed (without the = padding!) for the OTPs.
  • TYPE, NAME and SECRET are mandatory.
  • HMAC_ALGORITHM is one of: SHA1 (the default), SHA256 or SHA512 (or MD5 for MOTP, with period 10).
  • LENGTH for digits is most often 6 (default), but can be set to 5 (for Steam), 7 (Twitch) or 8 (Microsoft).
  • PERIOD is almost always 30 (the default).
  • HMAC_ALGORITHM, LENGTH and PERIOD should be given but are optional (if not given will be set to their default values).
• The otpauth URI RFC: https://www.ietf.org/archive/id/draft-linuxgemini-otpauth-uri-02.html

License

GPLv3