GPG-Based Password Wallet
In edit mode, wallet needs to decrypt the wallet file, open the decrypted file in a text editor, and then encrypt the edited file back to the original location. Line 74 uses mktemp to create a temporary directory, into which the wallet file will be decrypted. Line 75 sets $CLEARTEXT_WALLET_FILENAME to be the name of a file inside the temporary directory.
Line 79 runs trap, a bash built-in. The first argument to trap is a command, and this is followed by a list of signals (for example, if someone runs kill on wallet). If wallet receives any of these signals after line 79, wallet will run the trapped command (deleting the decrypted wallet file) prior to exiting. This is an attempt to ensure that the decrypted file isn't left sitting around if wallet terminates unexpectedly.
Line 83 is like what we saw in read-only mode, with the addition of the -o option to gpg. This instructs gpg to write the decrypted file to $CLEARTEXT_WALLET_FILENAME.
If gpg's exit code was 0, wallet renames the encrypted wallet file with a .bak extension (thus preserving a copy, in case something goes wrong) and opens the decrypted file in the text editor $VISUAL. After the editor exits, wallet tells gpg to encrypt the edited plain-text file at $CLEARTEXT_WALLET_FILENAME and to write the encrypted wallet file back to $WALLET_FILENAME. A nonzero exit status from this gpg call means that something went wrong in re-encrypting the wallet file, so wallet makes a copy of the plain-text file in your home directory and prints an error message.
Listing 3. Password Generator Script
#!/bin/bash . ~/bin/functions is_installed openssl DIGEST="sha1" RULER=0 DASH_N="" while getopts 'mrn' OPTION do case $OPTION in m) DIGEST="md5";; r) RULER=1;; n) DASH_N="-n";; ?) printf "usage: %s [ -m ] [ -r ]\n" $( basename $0 ) >&2 exit 2 ;; esac done shift $(($OPTIND - 1)) if [ ! -z $DASH_N ]; then RULER=0 fi DD=$( dd if=/dev/urandom bs=1k count=1 2> /dev/null \ | openssl dgst -$DIGEST ) echo $DASH_N $DD if [ $RULER -eq 1 ]; then echo ' 5| 10| 15| 20| 25| 30| 35| 40|' fi
Listing 3 shows a short shell script that generates very random, impossible-to-remember passwords—perfect for storing in your wallet. mkpass dumps a kilobyte of random data into a digest algorithm to produce an ASCII password. By default, mkpass uses the SHA1 digest algorithm, but it can use MD5 if you supply mkpass's -m command-line option. And, if you give the -r option, mkpass prints a ruler below the password (useful if you need or want a password of a particular length).
If you're a vim user, try adding the following line to your ~/.vimrc file:
map \mkpass i <CR><ESC>k$:r!~/bin/mkpass -n<CR>kJJ
Now when you're running vim (like when you're using wallet in edit mode), typing \mkpass in command mode will insert a password at the cursor location.
wallet is a bash script for managing a password wallet. It's written to be usable over a text-only interface. Hopefully, this description of the code has helped you add an item or two to your bag of scripting tricks.
Carl Welch is a Web developer and Linux system administrator. He enjoys science fiction, is ambivalent to dentists and dislikes standard light switches. He maintains the lamest blog on planet Earth at mbrisby.blogspot.com.
- March 2015 Issue of Linux Journal: High-Performance Computing
- Not So Dynamic Updates
- April 2015 Video Preview
- Users, Permissions and Multitenant Sites
- New Products
- Flexible Access Control with Squid Proxy
- Security in Three Ds: Detect, Decide and Deny
- DevOps: Everything You Need to Know
- Tighten Up SSH
- Non-Linux FOSS: MenuMeters