prs

A secure, fast & convenient password manager CLI using GPG and git to sync.

prsis a secure, fast and convenient password manager for the terminal. It featuresGPGto securely store your secrets and integrates gitfor automatic synchronization between multiple machines. It also features a built-in password generator, recipient management, history tracking, rollbacks, housekeeping utilities, Tomb support and more.

No demo visible here? View it onasciinema.

prsis heavily inspired bypassand uses the same file structure with some additions.prstherefore works alongside withpassand all other compatible clients, extensions and migration scripts.

• Features
• Usage
• Requirements
• Install
• Build
• Security
• FAQ
• Help
• License

Features

• Fully featured fast & friendly command line tool
• Temporary copy secrets to clipboard
• Uses the battle-testedGPGto secure your secrets
• Automatic synchronization withgitincluding history tracking
• Supports multiple machines with easy recipient management
• Easily edit secrets using your default editor
• Supports smart aliases, property selection
• Compatible withpass*
• Supports Linux, macOS, Windows, FreeBSD and others, supports X11 and Wayland
• Supports multiple cryptography backends (more backends & crypto in the future)
• SeamlessTombsupport to prevent metadata leakage*
• Support for TOTP tokens for two-factor authentication
• Scriptable with-y,-f,-Iflags
• Accurate & useful error reporting

prsincludes some awesome tweaks and optimizations:

• Greatly improved synchronisation speed throughgitwith connection reuse*
• Super fast interactive secret/recipient selection throughskim
• Prevents messing with your clipboard, no unexpected overwrites or clipboard loss
• When using Tomb, it is automatically opened, closed and resized for you
• Commands have short and conventional aliases for faster and more convenient usage
• Uses security best practices (secrets: zeroed,mlock,madvice,no format,etc)

Usage

#Show useful commands (based on current password store state)
prs

#Easily add, modify and remove secrets with your default editor:
prs add site/gitlab.com
prs edit site/gitlab.com
prs duplicate my/secret extra/secret
prsaliasmy/secret extra/alias
prs move my/secret extra/secret
prs remove site/gitlab.com

#Or generate a new secure password
prs generate site/gitlab.com

#Temporary show or copy secrets to clipboard:
prs show
prs show site/gitlab.com
prs copy
prs copy site/gitlab.com

#Manually synchronize password store with remote repository or do some housekeeping
prs sync
prs housekeeping
prs housekeeping run
prs housekeeping recrypt

#Manage recipients when using multiple machines
prs recipients add
prs recipients list
prs recipients remove
prs recipients generate
prs recipientsexport

#Commands support shorter/conventional commands and aliases
prs a secret#add
prs c#copy
prs s#show
prs rm#remove
prs yeet#remove

#List all commands and help
prshelp

Requirements

• Linux, macOS, FreeBSD, Windows (other BSDs might work)
• A terminal 😎
• And:

Recommended

• Run:git,gnupg,gpgme
  • Ubuntu, Debian and derivatives:apt install git gpg libgpgme11 tomb
  • CentOS/Red Hat/openSUSE/Fedora:yum install git gnupg gpgme
  • Arch:pacman -S git gnupg gpgme tomb
  • Alpine:apk add git gnupg gpgme
  • macOS:brew install gnupg gpgme
  • Windows:scoop install git gpg fzf
• Build:git,gnupg,gpgmedev packages and dev utilities
  • Ubuntu, Debian and derivatives:apt install git gpg build-essential pkg-config python3 xorg-dev libx11-xcb-dev libdbus-1-dev libgpgme-dev tomb
  • CentOS/Red Hat/openSUSE/Fedora:yum install git gnupg gpgme-devel pkgconfig python3 xorg-x11-devel libxcb-devel
  • Arch:pacman -S git gnupg gpgme pkgconf python3 xorg-server libxcb tomb
  • Alpine:apk add git gnupg gpgme-dev pkgconfig
  • macOS:brew install gnupg gpgme
  • Windows:scoop install git gpg fzf

Specific

Specific features or crates require specific dependencies as shown below.

The listed dependencies might be incorrect or incomplete. If you believe there to be an error, please feel free to contribute.

[Required] Minimal requirements

• Run & build:gpgandgit
  • Ubuntu, Debian and derivatives:apt install git gpg
  • CentOS/Red Hat/openSUSE/Fedora:yum install git gnupg
  • Arch:pacman -S git gnupg
  • Alpine:apk add git gnupg
  • macOS:brew install gpg
  • Windows:scoop install git gpg fzf

[Recommended] Feature: GPGME backend

--feature=backend-gpgme

• Run:gpgme& build tools
  • Ubuntu, Debian and derivatives:apt install libgpgme11
  • CentOS/Red Hat/openSUSE/Fedora:yum install gpgme
  • Arch:pacman -S gpgme
  • Alpine:apk add gpgme
  • macOS:brew install gpgme
  • Windows:not supported
• Build: _gpgmedev package
  • Ubuntu, Debian and derivatives:apt install build-essential pkg-config libgpgme-dev
  • CentOS/Red Hat/openSUSE/Fedora:yum install pkgconfig gpgme-devel
  • Arch:pacman -S pkgconf gpgme
  • Alpine:apk add pkgconfig gpgme-dev
  • macOS:brew install gpgme
  • Windows:not supported

[Recommended] Feature: Clipboard

--feature=clipboard

• Run:
  • Ubuntu, Debian and derivatives:apt install xorg libx11-xcb-dev wl-clipboard
  • CentOS/Red Hat/openSUSE/Fedora:yum install pkgconfig xorg libxcb wl-clipboard
  • Arch:pacman -S pkgconf xorg-server python3 libxcb wl-clipboard
  • Alpine:?
  • macOS:none
  • Windows:none
• Build:
  • Ubuntu, Debian and derivatives:apt install build-essential pkg-config python3 xorg-dev libx11-xcb-dev
  • CentOS/Red Hat/openSUSE/Fedora:yum install pkgconfig python3 xorg-x11-devel libxcb-devel
  • Arch:pacman -S pkgconf xorg-server python3 libxcb
  • Alpine:?
  • macOS:none
  • Windows:none

Note:xorg,libx11-xcbare only required at runtime when using X11. wl-clipboardare only required at runtime when using Wayland.

[Recommended] Feature: Notifications

--feature=notify

• Run:
  • Ubuntu, Debian and derivatives:somethingsupporting notifications with libnotify
  • CentOS/Red Hat/openSUSE/Fedora:somethingsupporting notifications with libnotify
  • Arch:somethingsupporting notifications with libnotify
  • Alpine:somethingsupporting notifications with libnotify
  • macOS:none
  • Windows:none
• Build:gpgmedev package
  • Ubuntu, Debian and derivatives:apt install libdbus-1-dev
  • CentOS/Red Hat/openSUSE/Fedora:yum install dbus-libs
  • Arch:pacman -S dbus
  • Alpine:apk add dbus
  • macOS:none
  • Windows:none

Feature: Tomb

--feature=tomb

• Run:tomb
  • Ubuntu, Debian and derivatives:apt install tomb
  • CentOS/Red Hat/openSUSE/Fedora:installation
  • Arch:pacman -S tomb
  • Alpine:installation
  • macOS:not supported
  • Windows:not supported

Client: GTK3 client

crate:prs-gtk3@./gtk3

• Run:gtk3
  • Ubuntu, Debian and derivatives:apt install libgtk-3-0 libgl1-mesa0
  • CentOS/Red Hat/openSUSE/Fedora:yum install gtk3
  • Arch:pacman -S gtk3
  • Alpine:apk add gtk+3.0 --repository=http://dl-cdn.alpinelinux.org/alpine/edge/main
  • macOS:brew install gtk+3
  • Windows:not supported
• Build:gtk3dev packages
  • Ubuntu, Debian and derivatives:apt install libgtk-3-dev libgl1-mesa-dev
  • CentOS/Red Hat/openSUSE/Fedora:yum install gtk3-devel
  • Arch:pacman -S gtk3
  • Alpine:apk add gtk+3.0-dev --repository=http://dl-cdn.alpinelinux.org/alpine/edge/main
  • macOS:brew install gtk+3
  • Windows:not supported

Install

Becauseprsis still in early stages, only limited installation options are available right now. Feel free to contribute.

Make sure you meet and install the 'Run'requirements.

See the operating system/distribution specific instructions below:

• Linux
• macOS
• Windows
• Other

Linux (all distributions)

Limited installation options are currently available. See the list below. Alternatively you may install it manually using the prebuilt binaries.

Only 64-bit (x86_64) packages and binaries are provided. For other architectures and configurations you maycompile from source.

More packages options will be coming soon.

Linux: Arch AUR packages

»prs(compiles from source, latest release)
»prs-git(compiles from source, latestmastercommit)

yay -S prs
#or
aurto add prs
sudo pacman -S prs
#or using any other AUR helper

prs --help

Linux: Prebuilt binaries

Check out thelatest releaseassets for Linux binaries.
Use theprs-v*-linux-x64-staticbinary, to minimize the chance for issues. If it isn't available yet, you may use an artifact from a previous versioninstead, until it is available.

Make sure you meet and install therequirementsbefore you continue.

You must make the binary executable, and may want to move it into /usr/local/binto make it easily executable:

#Rename binary to prs
mv./prs-*./prs

#Mark binary as executable
chmod a+x./prs

#Move binary into path, to make it easily usable
sudo mv./prs /usr/local/bin/

prs

macOS

prscan be installed usinghomebrew.
Alternatively you maycompile from source.

Make sure you'vehomebrewinstalled, then run:

brew install prs
prs

Note: this package isn't automatically updated on release, feel free to contribute here.

Windows

Using thescooppackageis recommended.
Alternatively you may install it manually using the prebuilt binaries.

If you're using theWindows Subsystem for Linux,it's highly recommended to install theprebuilt Linux binaryinstead.

Only 64-bit (x86_64) binaries are provided. For other architectures and configurations you maycompile from source.

Windows: scoop package

Make sure you'vescoopinstalled, then run:

scoop install prs
prs

Windows: Prebuilt binaries

Check out thelatest releaseassets for Windows binaries. Use theprs-v*-windowsbinary. If it isn't available yet, you may use an artifact from a previous versioninstead, until it is available.

You can useprsfrom the command line in the same directory:

.\prs.exe

To make it globally invokable asprs,you must make the binary available in your systemsPATH.

Other

Find the latest binaries on the latest release page:

• GitHub
• GitLab
• GitLab package registryforprs

Note: for Linux the GNU (not musl) binary is recommended if it works, because it has better clipboard/notification support.

#download binary from any source above

#make executable
chmod a+x./prs

#optional: make globally executable
mv./prs /usr/local/bin/prs

./prs --help

Build

To build and installprsyourself, you need the following:

• Rust 1.65 or newer (MSRV)
• The 'Build'requirements.

Not all features are supported on macOS or Windows. The default configuration should work. When changing compile time features, make sure to check for compatibility. Seecompiler features.

Compile and install

To compile and installprswith the default features follow these steps:

• Compile and install it directly from cargo:

  #Compile and install from cargo
  cargo install prs-cli -f
  
  #Start using prs
  prs --help

• Or clone the repository and install it withcargo:

  #Clone the project
  git clone https://github.com/timvisee/prs.git
  cdprs
  
  #Compile and install
  cargo install --path cli -f
  
  #Start using prs
  prs --help
  
  #or run it directly from cargo
  cargo run --release --package prs-cli -- --help
  
  #or invoke release binary directly
  ./target/release/prs --help

Compile features / use flags

Different use flags are available forprsto toggle whether to include various features and cryptography backends. The following features are available, some of which are enabled by default:

Feature	In	Enabled	Description
alias	prc-cli	Default	Support for secret aliases (partially supported on Windows)
clipboard	prs-cli	Default	Clipboard support: copy secret to clipboard
notify	prs-cli,prs-gtk3	Default	Notification support: notify on clipboard clear
tomb	all	Default	Tomb support for password store (only supported on Linux)
totp	prs-cli	Default	TOTP token support for 2FA
backend-gpgme	all		GPG crypto backend using GPGME (not supported on Windows)
backend-gnupg-bin	all	Default	GPG crypto backend using GnuPG binary
select-skim	prc-cli	Default	Interactive selection with skim (ignored on Windows)
select-skim-bin	prs-cli		Interactive selection through externalskimbinary
select-fzf-bin	prs-cli	Default	Interactive selection through externalfzfbinary

To enable features during building or installation, specify them with --features <features...>when usingcargo. You may want to disable default features first using --no-default-features. Here are some examples:

#Default set of features with backend-gnupg-bin, install or build, one of
cargo install --path cli --features backend-gnupg-bin
cargo build --path cli --release --features backend-gnupg-bin

#No default features, except required, one of
cargo install --path cli --no-default-features --features backend-gpgme
cargo install --path cli --no-default-features --features backend-gnupg-bin

#With alias, clipboard and notification support, one of
cargo install --path cli --no-default-features --features backend-gpgme,alias,clipboard,notify
cargo install --path cli --no-default-features --features backend-gnupg-bin,alias,clipboard,notify

Security

Security is backed bygpgwhich is used all over the world and has been battle-tested for more than 20 years.

In summary,prsis secure to keep your deepest secrets when assuming the following:

• You keep the password store directory (~/.password-store) safe
• When using sync withgit:you keep your remote repository safe
• You use secure GPG keys
• Your machines are secure

The content of secrets is encrypted and secured. Secrets are stored as encrypted GPG files. Some metadata is visible without decryption however. The name of a secret (file name), modification time (file modification time) and encrypted size (file size) are visible when you have access to the password store directory. To protect against this metadata leakage you may use a Tomb.

Security best practices are used inprsto prevent accidentally leaking any secret data. Sensitive data such as plaintext, ciphertext and others are referred to as 'secret' here.

Secrets are/use:

• Zeroed on drop
• Locked to physical memory, cannot leak to swap/disk (mlock)
• Locked into memory, cannot be dumped/not included in core (madvice)
• Not written to disk to edit (if possible)
• String formatting is blocked
• Constant time comparison to prevent time based attacks
• Minimally cloned

The protection against leaking secrets has its boundaries, notably:

• prs showprints secret data to stdout
• prs editmay store secrets in a secure temporary file on disk if secure locations such as (/dev/shm) are not available, it then opens it in your default editor, and removes it afterwards
• prs copycopies secret data to your clipboard, and clears it after 20 seconds

Reference:XKCD 538

Note:prsdoes not provide any warranty in any way, shape or form for damage due to leaked secrets or other issues.

FAQ

Isprssecure? How secure isprs?

Please read theSecuritysection.

How do I use sync with git?

If you already have a remote password store repository that is compatiblewithprs,clone it using:

#Clone existing remote password store, automatically enables sync
prs clone MY_GIT_URL

#List secrets
prs list

If you do not have a remote password store repository yet, create one (an empty private repository on GitHub or GitLab for example), and run the following:

#Initialize new password store (if you haven't done so yet)
prs init

#Initialize sync functionality (if you haven't done so yet)
prs sync init

#Set your remote repository URL and sync to push your password store
prs sync remote MY_GIT_URL
prs sync

When sync is enabled on your password store, all commands that modify your secrets will automatically keep your remote store in sync.

To manually trigger a sync because you edited a secret on a different machine, run:

prs sync

How do I useprson multiple machines and sync between them?

Note: adding and using your existing password store on a new/additional machine requires you to have access to a machine that already uses the store during setup.

First, you must have a password store on one machine. Create one (withprs init) if you don't have any yet. You must set up sync with a remote git repository for this passwords store, see theHow do I use sync with gitsection.

To use your existing password store on a new machine, installprsand clone your remote password store:

#On new machine: clone existing password store from git remote
prs clone MY_GIT_URL

Then add a recipient to the password store for your new machine. I highly recommend to use a new recipient (GPG key pair) for each machine (so you won't have to share secret GPG keys). Add an existing secret GPG key as recipient, or generate a new GPG key pair, using:

#On new machine: add existing recipient or generate new one
prs recipients add --secret
#or
prs recipients generate

Your new machine can't read any password store secrets yet, because they are not encrypted for its recipient yet. Go back to an existing machine you already use the store on, and re-encrypt all secrets to also encrypt them for the new recipient:

#On existing machine: re-encrypt all secrets
prs housekeeping recrypt --all

This may take a while. Once done, sync on your new machine to pull in the updated secrets:

#On new machine: pull in all re-crypted secrets
prs sync

#You're done!
prs list

How do I useprson mobile?

prsitself does not support mobile, but there are compatible clients you can use to use your password store on mobile.

SeeCompatible Clientsonpasss website.

Can I recover my secrets if I lost my key?

No, if you lose all keys, there is no way to recover your secrets.

You might lose your key (recipient, GPG secret key) if your machine crashes or if you reinstall its operating system.

If you are using the same password store on multiple machines with git sync, you can still read the secrets on your other machines. To re-add the machine you lost your key on, remove the password store from it and see thissection.

What is Tomb?

Tombis a file encryption system. It can be used withprsto protect against metadata leakage of your password store.

When using Tomb withprs,your password store is stored inside an encrypted file.prsautomatically opens and closes your password store Tomb for you as needed. This makes it significantly harder for malicious programs to list your password store contents.

This feature is inspired by pass-tomb,which is apass extension for Tomb support. Inprsthis functionality is built-in.

Note: Tomb is only supported on Linux.

How to use Tomb?

prshas built-in support forTombon Linux systems. Please make sure prsis compiled with thetombfeature,and that Tomb is installed.

To initialize a Tomb for your current password store, simply invoke:

#Initialize tomb, this may take some time
prs tomb init

#Read tomb status
prs tomb status

To initialize a new password store in a Tomb, first initialize the password store then initialize the Tomb:

#Initialize new password store
prs init

#...

#Initialize tomb, this may take some time
prs tomb init

If you already have a Tomb created withpass-tomb,no action is required. prshas seamless support for it, and it should automatically manage it for you. Invokeprs tomb statusto confirm it is detected.

How to use Tomb on multiple machines?

A Tomb is local on your machine and is not synced. To use a Tomb on multiple machines you must initialize it on each of them.

Simply runprs tomb initon machines you don't use a Tomb on yet, and after cloning your password store on a new machine.

Isprscompatible withpass?

Yes.

prsuses the same file structure aspass.Otherpassclients should be able to view and edit your secrets.

prsdoes add additional files and settings, someprsfeatures may not work with otherpassclients.

While the backing file structure is compatible, the command-line interface is not and differs frompass.This is to remove ambiguity and to improve overall usability.

See a list of compatiblepassclientshere.

Help

$ prs help

prs 0.5.1
Tim Visee <[email protected]>
Secure, fast & convenient password manager CLI with GPG & git sync

Usage: prs [OPTIONS] [COMMAND]

Commands:
show Display a secret
copy Copy secret to clipboard
generate Generate a secure secret
add Add a secret
edit Edit a secret
duplicate Duplicate a secret
alias Alias/symlink a secret
move Move a secret
remove Remove a secret
list List all secrets
grep Grep all secrets
init Initialize new password store
clone Clone existing password store
sync Sync password store
slam Aggressively lock password store & keys preventing access (emergency)
totp Manage TOTP tokens
recipients Manage store recipients
git Invoke git command in password store
tomb Manage password store Tomb
housekeeping Housekeeping utilities
help Print this message or the help of the given subcommand(s)

Options:
-f, --force Force the action, ignore warnings
-I, --no-interact Not interactive, do not prompt
-y, --yes Assume yes for prompts
-q, --quiet Produce output suitable for logging and automation
-v, --verbose... Enable verbose information and logging
-s, --store <PATH> Password store to use [env: PASSWORD_STORE_DIR=]
--gpg-tty Instruct GPG to ask passphrase in TTY rather than pinentry
-h, --help Print help
-V, --version Print version

License

This project is released under the GNU GPL-3.0 license. Check out theLICENSEfile for more information.

The library portion of this project is licensed under the GNU LGPL-3.0 license. Check out thelib/LICENSEfile for more information.