rucksack
A terminal-based password manager, generator, and importer/exporter (Firefox, Chrome) backed with a concurrent hashmap
Features
- Password generator (0.1.0)
- Encrypted local storage (0.2.0)
- Concurrent hashmap for use by daemons (0.2.0)
- List secrets, both encrypted and decrypted (0.3.0)
- Supports Firefox and Chrome CSV formats (importing, 0.3.0; exporting, 0.5.0)
- Searching secrets via filtering (0.4.0)
- Reports on password quality, duplicates, etc. (0.5.0)
- Add new records to the DB (and support updates) via CLI subcommands (0.6.0)
- Archived deletes (0.7.0)
- Tags and categories (0.7.0)
- Support public/private keys, certificates, API keys (0.7.0)
- Split repo into rucksack-lib, rucksack-db, and rucksack crates (0.8.0)
- JSON Exports and database restores
- Local network sync
- Firefox Account Sync Client
Installation
cargo install rucksack
Usage
Top-level help:
rucksack help
Output:
rucksack: A terminal-based password manager, generator, and importer/exporter (Firefox, Chrome) backed with a concurrent hashmap
Usage: rucksack [OPTIONS] [COMMAND]
Commands:
add add a new secret
export export the rucksack db
gen generate a secret
import pull in creds from other sources
list list all secrets
rm delete a single record [aliases: delete, remove]
set perform various 'write' operations
show display rucksack-specific information
help Print this message or the help of the given subcommand(s)
Options:
--config-file <config-file> the path to the config file to use or create [default: "/Users/oubiwann/Library/Application Support/rucksack/config.toml"]
--log-level <log-level> override the configured log-level setting [default: ] [possible values: error, warn, info, debug, trace, ]
--completions <SHELL> emit shell tab completions [possible values: bash, elvish, fish, powershell, zsh]
-v, --version Print version information
-h, --help Print help
Password Generator
Use a UUID:
rucksack gen --type uuid
New password: 229ef9b4-b95b-4d91-a6ac-f6b7ef1cfc47
Password score: 88.50
Augmented UUID:
rucksack gen --type uuid++
New password: 4C7360%E-4@60-4?03-b559-491C8A52E750
Password score: 100.00
Random:
rucksack gen --type random
New password: A&6YU?#xk.?)
Password score: 91.22
Lorem-ipsum inspired:
rucksack gen --type lipsum
New password: Esse-maius-amicitia,-nihil.-]9^,
Password score: 100.00
Some systems can't handle special characters, so a flag is available for encoding with base64, with the generated encoding getting scored:
rucksack gen --type lipsum --encode
New password: VmVydW0sLW9waW5vciwtc2NyaXB0b3JlbS10YW1lbi4tLjYrfQ
Password score: 100.00
Or how about a long random token, chock-a-block with tasty entropy?
rucksack gen --type random --length 256 --encode
New password: VFdCQVM-MmVUUUNDTlEpbl4rLztrMlc0cHtMSjVodzs4OTRIK00kK2ZBc0dfcGpCe
zlFIXouY19Hd1R-NSskLV1kXDMpTkQtX1EkcltUOFcyLDRQbmpobnJML1lxQmtDZjg0clhoPUg_JmVS
Pz4pUDpGVjsseWZCPlx4JXtwZS1tekU4eUBHZGRhVlRwOi0oK1IsRHkzO0J0JSFOVSNbXSEsSDwjLFA
ocjtCXT0-XFNYeHI0JkJQdEJ1X0E5YWZFa2Yhc0VSZnYvVyhROC45WF8kak05PWYzLk52UzQoPWQqc3
YlJHpqbS85UXhzKnI6ZlhAPWdRLmZxcVZWQXM4fg
Password score: 100.00
Importing and Exporting
Import login data from Firefox Sync:
rucksack import \
--db-pass abc123 \
--type firefox \
--file ~/Downloads/logins.csv
Logins may be exported to files that can then be used to import into browsers:
rucksack export \
--db-pass abc123 \
--type chrome \
--file /tmp/exported-logins.csv
For both importing and exporting, there are currently two supported types: firefox and chrome.
Adding and Updating via Command
To add a single record via the CLI:
rucksack add \
--url http://example.com \
--user shelly \
--password whyyyyyy
Note that --user and --url are required when adding a new record. A password is required, too: if one is not provided with --password, then you will be prompted:
rucksack add \
--url http://example.com \
--user shelly
Enter db password:
Enter password for record:
There are several types of changes to records that can't be made via an "update" subcommand due to how the data is used in the database. That did't leave too much data left for an "update" command, so the "record type" update was moved into the "set" group, too. The total list of set operations is:
- changing the password
- changing the user (name associated with the password)
- changing the URL
- changing the type of record
As such, these have their own sub commands (under set), as well as their flags and logic.
Changing a password:
rucksack set password \
--url http://example.com \
--user shelly
--password whyyyyyyyyyyyyyyyyyyy
If the password isn't provided, you will be prompted at the terminal:
Enter record password:
Changing a user:
rucksack set user \
--url http://example.com \
--old-user shelly
--new-user clammy
Changing a URL:
rucksack set url \
--old-url http://example.com \
--new-url http://shelly.com \
--user clammy
Changing the record type:
rucksack set type \
--url http://example.com \
--user clammy
--type password
Note that for all of this, should you want to pass the DB password, file, or salt, you will need to make sure those flags come after set but before the following subcommmand.
List Secrets
Show all secrets records:
rucksack list
Enter db password:
Show URLs, names, passwords, and password scores for all secrets:
rucksack list --decrypt
Enter db password:
In both cases a password may be passed with the --db-pass flag. By default, the salt is the value of the USER environment variable, but it may be overridden with the --salt flag.
Note that without --decrypt, only the user and URL are displayed. With --decrypt, those as well as masked password and password score are displayed. To unmask the password, one must also set --reveal.
The default database location depends upon operating system. To see the location for your system, you can run rucksack show db-file. To use another location, the --db flag is available.
The flags --db, --db-pass, and --salt may be set for any subcommand that access the database.
Search / Filter Secrets
Simple filtering is also possible (done using a flag with the list command, with or without sorting):
rucksack list \
--db-pass abc123 \
--filter exa \
--sort-by score \
--decrypt
URL | User / Record | Password | Strength
-----------------------------------------+--------------------------------+----------------------+-----------
https://www.bugworld.com | hexapod123 | ********** | 93
https://accounts.cloud.com | hexapod@thing.systems | ********** | 90
https://entymology.slack.com | 6pod@example.com | ********** | 86
https://bugs.slack.com | Alice "Hexapod" Roberts | ********** | 85
https://twitter.com | TheOtherHexapod | ********** | 83
https://portal-hexapod.testing.app | alice@example.com | ********** | 58
http://localhost:3000 | alice@example.com | ********** | 30
7 records (of 7 total)
It is also possible to perform negative filtering using --exclude. Additionally, --include is provided as an alias for --filter.
You may sort on score (strength), user, or url. If not provided, url sorting is used. Also note that order-by is provided as an alias for sort-by.
Additional Searching
You may also limit results with the following:
- by type of record with
--type - by user-supplied category with
--category - by tags, where
--all-tagswill only match records that have all the supplied tags, and where--any-tagswill match any record that has at least one of the tags listed (both are supplied comma-separated; tags with spaces need to be quoted)
The list of supported types may be shown with: rucksack show types and doesn't need access to the database to do so.
A full list of categories created by the user does need access to the database (so you will be prompted for a password if you don't use the --db-pass flag): rucksack show categories.
Same for user-created tags: rucksack show tags.
Grouping Results
By Password
For use in auditing, sites+user combinations that share the same password can be reported:
rucksack list \
--group-by db-pass \
--decrypt
+========================================================================
Password: ********** (Score: 99)
Records using: 5
Records:
URL | User / Record
-----------------------------------------+-------------------------------
https://smile.amazon.com | alice@example.com
https://smile.amazon.com/ap/signin | alice@example.com
https://www.amazon.com | alice@example.com
https://www.amazon.com/ap/signin | alice@example.com
https://mybank.com | alice@example.com
+========================================================================
Password: ********** (Score: 86)
Records using: 2
Records:
URL | User / Record
-----------------------------------------+-------------------------------
https://blurp.com | alice
https://bleep.net | alice
2 groups (with 7 records out of 16 total)
By User
You may also group by user name (account name):
rucksack list \
--group-by user \
--decrypt
Debugging
If you need to see what version of the database file format your currently using:
rucksack show db-version
Note that this is not necessarily the version of rucksack you're running, rather it will correspond to the version of rucksack that was used when your secrets database was last updated.
Deletions
By default, accounts are not removed; instead, they are flagged as deleted. To delete an account entry:
rucksack rm \
--url http://example.com \
--user clammy
To see the list of records that have been deleted:
rucksack list deleted
All the same flags and filtering used with the list command are available with list deleted.
Related
Other projects on crates.io tagged as #password-manager" ...
Projects of particular interest:
- kbs2 - A secret manager backed by age
- RustCrypto - A Github org collecting a handful of pure-Rust encryption libraries
- Firefox Sync
License
Copyright © 2022-2023, Oxur Group
Apache License, Version 2.0