kbs2
Warning! kbs2 is alpha-quality software! Using kbs2 means accepting that your secrets may be lost or compromised at any time!
kbs2 is a command line utility for managing secrets.
kbs2 uses the age Rust crate by default, although it can be configured to use any age-compatible CLI.
Quick links:
- Installation
- Quick start guide
- CLI documentation
- Configuration and customization
- Why another password manager?
- Technical details
- Hacking
- History
Installation
kbs2 is most easily installed via cargo:
After installation, kbs2 is completely ready for use. See the Configuration section for some optional changes that you can make, like switching out the use of the age crate for an age-compatible CLI.
Quick start guide
Initialize a new kbs2 configuration:
kbs2 init will automatically discover an appropriate age CLI and generate a keypair with it.
Create a new login record:
List available records:
Pull the password from a record:
# alternatively, pipeline it
|
Remove a record:
kbs2's subcommands are substantially more featured than the above examples demonstrate; run each with --help to see a full set of supported options.
CLI documentation
None yet. Watch this space.
Configuration and customization
Configuration
kbs2 stores its configuration in <config dir>/kbs2/kbs2.conf, where <config dir> is determined by your host system. On Linux, for example, it's ~/.config.
kbs2.conf is TOML-formatted, and might look something like this after a clean start with kbs2 init:
= "RageLib"
= "age1elujxyndwy0n9j2e2elmk9ns8vtltg69q620dr0sz4nu5fgj95xsl2peea"
= "/home/william/.config/kbs2/key"
= "/home/william/.local/share/kbs2"
[]
= 10
= true
= "Clipboard"
age-backend (default: "RageLib")
The age-backend setting tells kbs2 how to operate on age-formatted keypairs and encrypted records. The supported options are "RageLib", "AgeCLI", and "RageCLI":
- "RageLib": Use the age crate for all age operations. This is the default setting, and offers the best performance.
- "AgeCLI": Use the age and age-keygen binaries for all age operations. This setting requires that age and age-keygen are already installed; see the age README for instructions.
- "RageCLI": Use the rage and rage-keygen binaries for all age operations. This setting requires that rage and rage-keygen are already installed; see the rage README for instructions.
Customization
kbs2 supports git-style subcommands, allowing you to easily write your own. For example, running the following:
$ kbs2 frobulate --xyz
will cause kbs2 to run kbs2-frobulate --xyz. Custom commands are allowed to read from and write to the config file under the [commands.<name>] hierarchy.
The kbs2-ext-cmds repository contains several useful external commands.
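Because a subcommand is just a separate kbs2-<name> executable, it is worth knowing which ones your shell can reach and who can modify them. The script below is an added example, not part of kbs2 or kbs2-ext-cmds; it assumes kbs2 locates kbs2-<name> through $PATH as git does, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not part of kbs2. Assumption: kbs2 finds `kbs2-<name>`
# through $PATH, as git does for `git-<name>`.

# is_loosely_writable <path>: succeeds if the file or directory is
# group- or world-writable (symlinks given on the command line are followed).
is_loosely_writable() {
    [ -n "$(find -H "$1" -prune \( -perm -020 -o -perm -002 \) -print 2>/dev/null)" ]
}

# audit_kbs2_subcommands <colon-separated dirs>
# Prints "<status> <name> <path>" for every executable kbs2-* file:
#   OK        first match for that name; this is what `kbs2 <name>` runs
#   WRITABLE  first match, but the file or its directory can be modified
#             by other accounts, so the command can be swapped out
#   SHADOWED  an earlier directory already provides the same name
audit_kbs2_subcommands() {
    seen=""
    old_ifs=$IFS
    IFS=:
    for dir in $1; do
        IFS=$old_ifs
        [ -d "$dir" ] || continue
        for f in "$dir"/kbs2-*; do
            [ -f "$f" ] && [ -x "$f" ] || continue
            name=${f##*/}
            status=OK
            if is_loosely_writable "$dir" || is_loosely_writable "$f"; then
                status=WRITABLE
            fi
            case " $seen " in
                *" $name "*) status=SHADOWED ;;
            esac
            seen="$seen $name"
            printf '%s %s %s\n' "$status" "$name" "$f"
        done
    done
    IFS=$old_ifs
}

# Audit the current search path when run as a script.
audit_kbs2_subcommands "$PATH"
```

Any WRITABLE line deserves a look before you type your next kbs2 command, since external commands run with the same access to your keyfile and store as kbs2 itself.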
Why another password manager?
No good reason. See the history section.
Technical details
Hacking
History
TL;DR: kbs2 is short for "KBSecret 2".
In 2017, I wrote KBSecret as a general purpose secret manager for the Keybase ecosystem.
KBSecret was written in Ruby and piggybacked off of Keybase + KBFS for encryption, storage, and synchronization. It was also extremely flexible, allowing user-defined record types, secret sharing between users and teams, and a variety of convenient and well-behaved CLI tools for integration into my development ecosystem.
Unfortunately, KBSecret was also extremely slow: it was written in obnoxiously metaprogrammed Ruby, relied heavily on re-entrant CLIs, and was further capped by the latency and raw performance of KBFS itself.
Having a slow secret manager was fine for my purposes, but I no longer trust that Keybase (and KBFS) will continue to receive the work they require. I also no longer have the time to maintain KBSecret's (slowly) deteriorating codebase.
kbs2 is my attempt to reproduce the best parts of KBSecret in a faster language. Apart from the name and some high-level design decisions, it shares nothing in common with the original KBSecret.
It's only named kbs2 because I'm used to typing "kbs" in my terminal.