npm

Nihal's Password Manager (WIP)
git clone git://git.nihaljere.xyz/npm
Log | Files | Refs | README | LICENSE
commit b18f40507dff6b5438a54e9fdfb89fa356332f88
parent c437e5e4fdcd66efa2d7590674d86202ba957050
Author: Nihal Jere <nihal@nihaljere.xyz>
Date:   Tue,  5 Oct 2021 23:47:04 -0500

add README

Diffstat:

AREADME | 48++++++++++++++++++++++++++++++++++++++++++++++++


1 file changed, 48 insertions(+), 0 deletions(-)

diff --git a/README b/README
@@ -0,0 +1,48 @@
+# Nihal's Password Manager
+
+## Rationale
+
+I normally use `pash`, as my password manager, which uses gpg2 to do all of the
+cryptography. In my setup (and likely the setups of most people who use pash or
+pass), the private key is on the same drive that holds the encrypted passwords.
+So if an attacker gets access to the encrypted passwords, they likely also have
+access to the encrypted private key for encrypting those passwords. The private
+key is probably encrypted using only a master password, so if an attacker gains
+access to this master password, all encrypted passwords are compromised.
+
+If an attacker gains access to the passwords without also gaining access to the
+encrypted private key, public key encryption is advantageous only if the master
+password is sufficiently weak.
+
+So given that the password database is practically only as secure as the master
+password, gpg2 provides little value for this use case.
+
+To replace it, I wrote a program that only performs the cryptographic functions
+necessary for this use case: encrypting and decrypting using a master password.
+It uses Monocypher 3.1.2 for cryptography, which uses XChaCha20 for encryption,
+and Argon2 for key derivation.
+
+## Programs
+
+### npm-core
+
+`npm-core` produces files containing encrypted passwords, and decrypts them. It
+provides the core encryption functionality of `npm` as the name implies.
+
+### npm-agent
+
+`npm-agent` implements password caching over a simple socket protocol. It reads
+a path to a file produced by `npm-core`, containing an encrypted password. Then
+using the master password (requesting it if necessary), it decrypts the content
+of the file and writes it back over the socket.
+
+### npmc
+
+npmc is just an interface for npm-agent usable in a shell. It takes a file path
+to a `npm-core` password file, talks to `npm-agent`, and prints the password it
+returns to stdout.
+
+### npm
+
+The password manager is just a modified version of `pash` where gpg is replaced
+by `npm-core` and `npmc`.