kbs2
Warning! kbs2 is alpha-quality software! Using kbs2 means accepting that your secrets may be lost or compromised at any time!
kbs2 is a command line utility for managing secrets.
kbs2 uses the age Rust crate by default, although it can be
configured to use any age-compatible CLI.
Quick links:
- Installation
- Quick start guide
- CLI documentation
- Configuration and customization
- Why another password manager?
- Technical details
- Hacking
- History
Installation
kbs2 is most easily installed via cargo:
After installation, kbs2 is completely ready for use. See the
Configuration section for some optional changes that you can
make, like switching out the use of the age crate
for an age-compatible CLI.
Quick start guide
Initialize a new kbs2 configuration:
kbs2 init will automatically discover an appropriate age CLI and generate a keypair with it.
Create a new login record:
)
List available records:
Pull the password from a record:
# alternatively, pipeline it
|
Remove a record:
kbs2's subcommands are substantially more featured than the above examples demonstrate;
run each with --help to see a full set of supported options.
CLI documentation
None yet. Watch this space.
Configuration and customization
Configuration
kbs2 stores its configuration in <config dir>/kbs2/kbs2.conf, where <config dir> is determined
by your host system. On Linux, for example, it's ~/.config.
kbs2.conf is TOML-formatted, and might look something like this after a clean start with kbs2 init:
= "RageLib"
= "age1elujxyndwy0n9j2e2elmk9ns8vtltg69q620dr0sz4nu5fgj95xsl2peea"
= "/home/william/.config/kbs2/key"
= "/home/william/.local/share/kbs2"
[]
= 10
= true
= "Clipboard"
age-backend (default: "RageLib")
The age-backend setting tells kbs2 how to operate on age-formatted keypairs and encrypted
records. The supported options are "RageLib", "AgeCLI", and "RageCLI":
-
"RageLib": Use the age crate for all age operations. This is the default setting, and offers the best performance. -
"AgeCLI": Use theageandage-keygenbinaries for all all age operations. This setting requires thatageandage-keygenare already installed; see the age README for instructions. -
"RageCLI": Use therageandrage-keygenbinaries for all age operations. This setting requires thatrageandrage-keygenare already installed; see the rage README for instructions.
Customization
kbs2 supports git-style subcommands, allowing you to easily write your own.
For example, running the following:
$ kbs2 frobulate --xyz
will cause kbs2 to run kbs2-frobulate --xyz. Custom commands are allowed to read from and
write to the config file under the [commands.<name>] hierarchy.
The kbs2-ext-cmds repository contains several useful external commands.
Why another password manager?
No good reason. See the history section.
Technical details
Hacking
History
TL;DR: kbs2 is short for "KBSecret 2".
In 2017, I wrote KBSecret as a general purpose secret manager for the Keybase ecosystem.
KBSecret was written in Ruby and piggybacked off of Keybase + KBFS for encryption, storage, and synchronization. It was also extremely flexible, allowing user-defined record types, secret sharing between users and teams, and a variety of convenient and well-behaved CLI tools for integration into my development ecosystem.
Unfortunately, KBSecret was also extremely slow: it was written in obnoxiously metaprogrammed Ruby, relied heavily on re-entrant CLIs, and was further capped by the latency and raw performance of KBFS itself.
Having a slow secret manager was fine for my purposes, but I no longer trust that Keybase (and KBFS) will continue to receive the work they require. I also no longer have the time to maintain KBSecret's (slowly) deteriorating codebase.
kbs2 is my attempt to reproduce the best parts of KBSecret in a faster language. Apart from the
name and some high-level design decisions, it shares nothing in common with the original KBSecret.
It's only named kbs2 because I'm used to typing "kbs" in my terminal.