locker

A command-line password manager

Primary language: C++. License: BSD 3-Clause "New" or "Revised" License (BSD-3-Clause).

Locker

Locker is a secure command-line based password and secret manager. It is built on top of common, widely available POSIX and open-source tools.

Features

  • Secure. Uses AES 256-bit encryption.
  • Portable. Built on top of widely available POSIX tools.
  • Shareable password databases. Each database's key is protected by asymmetric, public/private key encryption. A database can be encrypted using multiple public keys, meaning you can share each database with whomever you trust.

Requirements

  • Bash >= 5.0
  • OpenSSL >= 1.1 (or LibreSSL >= 3.1)
  • GNU core utils (grep, awk, sed, etc.)

Usage

Setup

On first use you must initialize Locker and pick a suitable master password...

$ locker init
Pick a password for your private key:
Confirm your password:
Generating RSA private key, 2048 bit long modulus
........................+++++
.............................+++++

By default, your master key will be stored in $HOME/.locker/.

Now create a password database...

$ locker newdb
Database created at /home/me/.locker-db/

Adding and Retrieving Secrets

To add a new secret...

$ locker add secret-name
Enter pass phrase for /home/me/.locker/locker-key:
Enter the secret's contents. Ctrl+D to finish
This is a secret.
Don't look!
<...Ctrl+D...>

To decrypt a secret...

$ locker get secret-name
This is a secret.
Don't look!

To list all the secrets stored in your database...

$ locker
secret-name
...

To search for secrets by name based on a pattern...

$ locker find secret
secret-name
...

How Locker Works

When a new Locker password database is created, a random database key is generated. That database key is then encrypted with your Locker public key, so it can only be decrypted with your Locker private key. Every secret added to the password database is encrypted using the database key.

When you decide to share the password database with someone you trust, the database key is re-encrypted with their public key (which they must share with you). For each person who can access the password database, a copy of the database key, encrypted with that person's public key, is stored in the password database itself. This means every person you share the password database with can decrypt secrets using their own private key. No master passwords are shared among users.
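The scheme above, as an added example built from the same OpenSSL primitives Locker depends on. This is not Locker's own code: the on-disk layout (a db/ directory holding one RSA-wrapped copy of the database key per reader and one AES-encrypted file per secret), the hex-encoded database key fed to `openssl enc -pass file:` with PBKDF2, the users alice, bob and mallory, and the unencrypted private keys are all constructed for the demo; Locker protects its private key with the master password chosen at `locker init`, and its real file names and key formats are not described in this README.

```shell
#!/bin/sh
# Added example, not Locker's own code: a minimal model of "How Locker Works".
# Layout, file names and user names (alice/bob/mallory) are constructed for the demo.
set -eu
umask 077

# make_user DIR NAME: RSA-2048 keypair for NAME. Unencrypted here for brevity;
# Locker protects the private key with the master password picked at `locker init`.
make_user() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1/$2.key" 2>/dev/null
  openssl pkey -in "$1/$2.key" -pubout -out "$1/$2.pub" 2>/dev/null
}

# wrap_key DIR NAME KEYFILE: store a copy of the database key readable only by NAME.
# RSA-OAEP wraps the symmetric key; every reader gets their own wrapped copy.
wrap_key() {
  openssl pkeyutl -encrypt -pubin -inkey "$1/$2.pub" -pkeyopt rsa_padding_mode:oaep \
    -in "$3" -out "$1/db/key.$2"
}

# unwrap_key DIR NAME: recover the database key with NAME's private key (stdout).
# Refuses if NAME never received a wrapped copy, i.e. the database was not shared with them.
unwrap_key() {
  [ -f "$1/db/key.$2" ] || { echo "no database key for $2" >&2; return 1; }
  openssl pkeyutl -decrypt -inkey "$1/$2.key" -pkeyopt rsa_padding_mode:oaep -in "$1/db/key.$2"
}

# new_db DIR OWNER: random 256-bit database key, wrapped for OWNER; plaintext copy discarded.
new_db() {
  mkdir -p "$1/db"
  openssl rand -hex 32 > "$1/dbkey.tmp"
  wrap_key "$1" "$2" "$1/dbkey.tmp"
  rm -f "$1/dbkey.tmp"
}

# share_db DIR OWNER NEWUSER: OWNER unwraps the key and re-wraps it for NEWUSER's public key.
# No password changes hands; NEWUSER decrypts with their own private key from now on.
share_db() {
  unwrap_key "$1" "$2" > "$1/dbkey.tmp"
  wrap_key "$1" "$3" "$1/dbkey.tmp"
  rm -f "$1/dbkey.tmp"
}

# add_secret DIR USER NAME CONTENTS: AES-256-CBC under the database key
# (openssl enc derives the cipher key from the hex string with PBKDF2).
add_secret() {
  unwrap_key "$1" "$2" > "$1/dbkey.tmp" &&
    printf '%s' "$4" | openssl enc -aes-256-cbc -pbkdf2 -pass "file:$1/dbkey.tmp" -out "$1/db/$3.enc"
  rc=$?
  rm -f "$1/dbkey.tmp"
  return $rc
}

# get_secret DIR USER NAME: decrypt NAME as USER (stdout); fails if USER holds no wrapped key.
get_secret() {
  unwrap_key "$1" "$2" > "$1/dbkey.tmp" &&
    openssl enc -d -aes-256-cbc -pbkdf2 -pass "file:$1/dbkey.tmp" -in "$1/db/$3.enc"
  rc=$?
  rm -f "$1/dbkey.tmp"
  return $rc
}

# demo: alice creates the database and a secret and shares it with bob; prints what bob reads.
# mallory has a keypair but was never given a wrapped copy, so her read attempt is refused.
demo() {
  tmpd=$(mktemp -d)
  make_user "$tmpd" alice
  make_user "$tmpd" bob
  make_user "$tmpd" mallory
  new_db "$tmpd" alice
  add_secret "$tmpd" alice secret-name "This is a secret."
  share_db "$tmpd" alice bob
  get_secret "$tmpd" bob secret-name
  if get_secret "$tmpd" mallory secret-name >/dev/null 2>&1; then echo "UNEXPECTED"; fi
  rm -rf "$tmpd"
}
```

Run `demo` to see bob recover the secret while mallory is refused. The point to notice is that sharing never touches the secrets themselves: only a second wrapped copy of the database key is written, so revoking a reader means removing their wrapped copy and rotating the database key, and every reader authenticates with a private key they never disclose.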

Alternatives to Locker

  • Pass - A project that is built on POSIX tools and provides very similar features. Locker takes a lot of inspiration from Pass. Pass uses GPG to provide encryption, which means sharing password databases requires careful key management that can prove complicated for those who are unfamiliar with GPG.
  • 1password - A commercial, paid-for alternative that provides a Linux command-line feature.