qass 0.3.1

Offline password manager
qass-0.3.1 is not a library.

qass

For the reasonably paranoid.

qass is a simple offline password manager that stores all credentials in a human-readable and freely editable YAML file. The passwords are encrypted using AES-GCM-SIV, and do not linger in memory. Retrieved passwords are not put on clipboards or anywhere else, but are typed directly using simulated keystrokes.

Features

  • CLI and GUI: The CLI exposes all capabilities of qass through a straightforward API. The GUI provides an ergonomic way to retrieve passwords, but is entirely optional.

  • Hierarchical Organization: Organize passwords in a tree structure with path-based access. Password salts are kept in a separate YAML file to mitigate the impact of the primary store's accidental exposure.

  • Auto-typing: Type passwords directly into applications, with active user confirmation to prevent accidental exposure.

  • CSV Import: Import credentials from CSV files exported from browsers or other password managers.

  • Offline: Designed to work entirely offline, keeping your credentials under your control. The password store is a directory of two plain YAML files (user/password pairs + password salts) that can be trivially backed up.

  • Simple: The CLI and internals are 744 lines of Rust in total, comparable to the well-known and loved pass. The GUI is another 384 lines of Rust. This simplicity enables thorough audits of the codebase in a short time. In fact, I implore users to do so before trusting any security-critical software of such impact.

Installation

Via Cargo

cargo install qass

Prebuilt Binaries

Download prebuilt binaries from the Releases page.

From Source

Clone the repository:

git clone https://github.com/boralg/qass.git
cd qass
cargo build --release

If you use Nix, simply build using:

nix build

Usage

Initialize the Password Store

qass init

This creates the ~/.qass directory. The primary store is credentials.yaml. This can contain an arbitrarily nested tree of credentials. Leaves require a username and password field, but extra data can also be included. Paths down the tree are joined with / in the CLI and GUI.

Each encrypted password has a salt associated in salts.yaml. Hidden paths are stored in hidden.yaml.

Add a New Credential

qass add github.com/myusername myusername
# You'll be prompted for the password and master password

Type a Password

qass type github.com/myusername
# Enter master password, focus the target field, then press CONTROL (within a timeout interval) to type the password

List All Services

qass list

Import from CSV

qass import passwords.csv
# The CSV must have 'url', 'username', and 'password' columns

Hiding Sensitive Credentials

Hide credentials behind an additional layer of encryption that hides all fields and pathnames too:

qass hide banking
# All credentials under the banking path will be hidden

Access a hidden credential:

qass type-hidden banking/chase-bank/user
# Requires both the [master password used for hiding] and the [master password used for encrypting the password], in this order

Unhide previously hidden credentials:

qass unhide banking

Syncing and Unlocking

Encrypt cleartext credentials (e.g. after adding them by hand to credentials.yaml, or after using unlock):

qass sync /

Decrypt credentials for plaintext access:

qass unlock /

GUI

This is an egui application that allows for quick searches among your stored credentials, then retrieving passwords. It comes with numerous measures built in to increase the security of not just the passwords, but the credential paths as well.

The master password is handled with a custom-made widget to make sure it's never copied internally, and is zeroed out in memory after use. The credential search is aided by auto-complete, but it's entirely opt-in (at multiple steps), so that you can control which pathnames can external observers see.

To use the GUI:

qass gui
  1. Enter the path to the desired credential. You may press Tab at any point to see suggestions of all paths that start with your input. Only a few are shown at a time, but can be scrolled with the arrow keys. To accept a suggestion, press Tab or Enter. To limit exposure of paths, suggestions only complete the current segment of a path. To go from there, you can show suggestions again with Tab.
  2. When you've entered the desired credential path, press Enter, then enter the master password. To not expose its length, qass doesn't display a password field, but you can still type it in normally.
  3. Once you've entered the master password, press Enter. At this point - just like the CLI - the GUI will prompt you to focus the field you want to enter the password into. After the confirmation keypress, the decrypted password will be automatically typed by qass.

Security Considerations

  • Master passwords are never stored.
  • Passwords are encrypted with AES-GCM-SIV.
  • Key derivation uses Argon2.
  • Short passwords are padded to 32 bytes before encryption so the ciphertext doesn't expose their lengths.
  • Sensitive data is zeroed from memory when no longer needed.
  • All operations are performed locally.
  • The GUI exposes minimal information of the store during its operation.

Contributing

Contributions to qass are welcome! If you have suggestions, encounter issues/vulnerabilities, or want to contribute new features, please open an issue or submit a pull request.