On Fri, Jan 07, 2022 at 01:44:51PM -0800, Sean Kamath wrote:
> > On Jan 7, 2022, at 13:38, Crystal Kolipe <kolip...@exoticsilicon.com> wrote:
> >
> > On Fri, Jan 07, 2022 at 01:23:30PM -0800, Sean Kamath wrote:
> >> gpg < file.gpg
> >
> > Why gpg and not openssl?
>
> 21 years of muscle memory?
>
> But that is a good point. . . Hrm.
OK, so I decided to see how easily this could be implemented using just what's in the OpenBSD base install.

Passphrase manager in 584 bytes:

#!/bin/sh
F="$HOME/.pwm/secrets"
mkdir -m 700 ~/.pwm 2> /dev/null
if [[ -z "$1" ]] ; then exit ; fi
read P?'Passphrase? '
if [[ ! -e $F ]] ; then echo FiLeMaGiC | openssl enc -k "$P" -chacha -out $F ; fi
typeset -L16 name=$1
openssl enc -k "$P" -d -chacha -in $F -out "$F"_
head -1 "$F"_ | grep -q FiLeMaGiC || { echo "Wrong passphrase!" ; rm "$F"_ ; exit ; }
grep "^$name" "$F"_ && { rm "$F"_ ; exit ; }
echo $name not found, creating new entry:
N=`openssl rand -base64 - 12 | cut -b 1-16`
echo "$name"$N
echo "$name"$N | cat "$F"_ - | openssl enc -k "$P" -chacha -out $F
rm "$F"_

It's quite simple: you call it with one argument, which is your reference for the place that the passphrase corresponds to. If it already exists in the database, it's printed. If not, a new passphrase is created:

$ ./pwm bank
Passphrase? foobar
bank not found, creating new entry:
bank            pFjrBm8hEuUcupj0
$ ./pwm email_provider
Passphrase? foobar
email_provider not found, creating new entry:
email_provider  VKLuZTUcQjkh+jLc
$ ./pwm bank
Passphrase? foobar
bank            pFjrBm8hEuUcupj0
$ ./pwm bank
Passphrase? baz
Wrong passphrase!
$ hexdump -C .pwm/secrets
00000000  53 61 6c 74 65 64 5f 5f  c0 dc ac 04 28 5f 68 96  |Salted__....(_h.|
00000010  7c 27 c3 c8 c8 ed 32 81  c3 e1 5a cb 73 41 78 0d  ||'....2...Z.sAx.|
00000020  e8 30 39 ce 49 91 eb 1c  87 51 84 59 15 93 05 87  |.09.I....Q.Y....|
00000030  c8 56 1e fe 77 21 f3 d3  b0 6e 60 ea 06 fd 6a 4c  |.V..w!...n`...jL|
00000040  c0 ca 60 dd dd ee 47 3b  a2 e8 43 2d 2c 5f ed e0  |..`...G;..C-,_..|
00000050  a9 e4 e7 be b8 91 48 b5  36 da 9c 91              |......H.6...|

It's obviously not intended for serious use, but it demonstrates the principle that there isn't always a need to go rushing to the ports tree for simple tasks. A lot of good tools are already in the base install.
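The script above has three properties a reader might not want to carry into even a toy that holds real secrets: the passphrase is handed to openssl with -k, so it sits in the process argument list where ps(1) can show it to any local user; the decrypted database is written to "$F"_ in the clear between decryption and re-encryption; and openssl enc with -k alone derives the key with the legacy single-pass EVP_BytesToKey scheme rather than a deliberately slow KDF. The following is an added, constructed re-working of the same idea, not Crystal Kolipe's script and not part of the thread. It keeps the one-argument interface and the magic-line passphrase check, but passes the passphrase through the environment (-pass env:PWM_PASS, a variable name chosen here), streams the plaintext only through pipes, and uses PBKDF2. It assumes an openssl(1) that accepts -aes-256-ctr, -pbkdf2 and -pass env: (OpenSSL 1.1.1 or later, or a recent LibreSSL); the database format ("<name> <secret>" lines after a magic line) and the temp-file-then-rename update are this example's choices.

```sh
#!/bin/sh
# pwm2: constructed re-working of the list post's passphrase manager (not the
# original script). Same tools from base, same one-argument interface, but:
#   * the passphrase reaches openssl through the environment (-pass env:),
#     not through -k, so it never appears in ps(1) output;
#   * the decrypted database is only streamed through pipes, never written
#     to a temporary file in the clear;
#   * key derivation uses PBKDF2 (-pbkdf2 -iter) instead of the legacy
#     EVP_BytesToKey pass that plain -k gives you.
# Assumes openssl(1) with -aes-256-ctr, -pbkdf2 and -pass env: (OpenSSL >= 1.1.1
# or a recent LibreSSL). PWM_PASS is a variable name chosen for this example.
# Database format: a magic line, then one "<name> <secret>" line per entry.

MAGIC=FiLeMaGiC
umask 077            # database and temp file are created mode 600

# Encrypt (no args) or decrypt (-d) stdin -> stdout; passphrase comes from $PWM_PASS.
pwm_cipher() {
    openssl enc -aes-256-ctr -salt -pbkdf2 -iter 200000 -pass env:PWM_PASS "$@"
}

# Create a database holding only the magic line.
pwm_init() {
    printf '%s\n' "$MAGIC" | pwm_cipher -out "$1"
}

# Decrypt a database to stdout. With a stream cipher a wrong passphrase yields
# garbage rather than an openssl error, so the first line must be the magic
# line; otherwise print a message on stderr, print nothing else, return 1.
pwm_open() {
    pwm_cipher -d -in "$1" |
        awk -v m="$MAGIC" 'NR == 1 && $0 != m { print "Wrong passphrase!" > "/dev/stderr"; exit 1 } { print }'
}

# pwm DB NAME: print "NAME SECRET", creating a fresh 16-character secret for
# NAME if it is not in the database yet. Returns 1 on a wrong passphrase.
pwm() {
    db=$1 name=$2
    case $name in
        ''|*[[:space:]]*) echo "usage: pwm DB NAME (NAME without whitespace)" >&2; return 1 ;;
    esac
    [ -f "$db" ] || pwm_init "$db" || return 1
    plain=$(pwm_open "$db") || return 1       # wrong passphrase stops here
    secret=$(printf '%s\n' "$plain" | awk -v n="$name" '$1 == n { print $2; exit }')
    if [ -z "$secret" ]; then
        echo "$name not found, creating new entry:" >&2
        secret=$(openssl rand -base64 12)     # 12 random bytes -> 16 base64 chars
        # Re-encrypt the whole database to a temp file and rename it into place,
        # so an interrupted run cannot leave a truncated database behind.
        printf '%s\n%s %s\n' "$plain" "$name" "$secret" | pwm_cipher -out "$db.tmp" &&
            mv "$db.tmp" "$db" || { rm -f "$db.tmp"; return 1; }
    fi
    printf '%s %s\n' "$name" "$secret"
}

# Stand-alone use, mirroring the original's interface:  ./pwm2 bank
# The passphrase is read without echo unless PWM_PASS is already set.
if [ $# -eq 1 ]; then
    mkdir -p "$HOME/.pwm"
    if [ -z "$PWM_PASS" ]; then
        printf 'Passphrase? ' >&2; stty -echo; read -r PWM_PASS; stty echo; echo >&2
        export PWM_PASS
    fi
    pwm "$HOME/.pwm/secrets" "$1"
fi
```

The on-disk file still starts with openssl's "Salted__" header, as in the hexdump above, but the salt now feeds PBKDF2 with 200000 iterations, so guessing the passphrase offline costs correspondingly more per attempt. Note that AES-CTR, like ChaCha in the original, gives confidentiality only; the magic line detects a wrong passphrase but is not an integrity check against someone modifying the file.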