Skip to content

SimonDevelop/rpass

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

19 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

version Github Actions GitHub license

rpass

CLI password manager written in Rust.
Vault encrypted with AES-256-GCM, key derivation via Argon2id, temporary session, TOTP, audit, and import/export.

Install

cargo install --path .

Or from the repository:

cargo build --release
# binary: target/release/rpass

Language

CLI messages default to English.

# French UI for this process
export RPASS_LANG=fr
rpass status

# Or persist in config
rpass config set language fr

RPASS_LANG overrides config.language. Values: en / english, fr / french / français.

Quick start

# Create the vault (sets the master password)
rpass init

# Unlock for a session (configurable timeout, default 15 min)
rpass unlock

# Add an entry (password generated automatically)
rpass add github -u me@email.com --tag dev --favorite

# List / search
rpass list
rpass list --tag dev --sort-by date
rpass search github

# Get a password (clipboard copy)
rpass get github
rpass get github --show

# Generate a password
rpass generate --length 24
rpass generate --passphrase --words 6
rpass generate --pronounceable --length 16

# Security audit
rpass audit
rpass check-breach --service github
rpass check-breach --all

# TOTP / 2FA
rpass add-totp github JBSWY3DPEHPK3PXP
rpass totp github

# Backup / export
rpass backup
rpass export --format json -o vault-export.json
rpass import --from chrome-export.csv

# Configuration
rpass config set password_length 24
rpass config set session_timeout 600
rpass config show

# Interactive REPL
rpass interactive

# Lock
rpass lock

Architecture

Module Role
cli clap parsing, command handlers, REPL
crypto Argon2id, AES-GCM, password generation, TOTP, HIBP, strength
vault In-memory CRUD, audit, import/export
storage File persistence, sessions, backups
models Entry, VaultData, EncryptedVault, MasterKey (zeroize)
config TOML config + environment variables
error thiserror error types

Encryption scheme

master password + salt (16 B)
        │
        ▼
   Argon2id (64 MiB, 3 iter)
        │
        ▼
   AES-256 key ──► AES-GCM(unique nonce, VaultData JSON)
        │
        ▼
 .vault file: { salt, nonce, ciphertext+tag, written_at }

After every mutation: re-encrypt + atomic write (tmp + rename).
The key in RAM uses zeroize::ZeroizeOnDrop.

Multiple vaults

rpass init pro
rpass --vault pro add corporate-vpn
rpass config set vault.pro /custom/path/pro.vault

Environment variables

Variable Description
RPASS_VAULT Default vault name
RPASS_VAULT_PATH Vault file path
RPASS_DATA_DIR Data directory
RPASS_CONFIG Path to config.toml
RPASS_TIMEOUT Session timeout (seconds)
RPASS_PASSWORD_LENGTH Default generated password length
RPASS_LANG CLI language: en (default) or fr
RPASS_RUNTIME_DIR Session wrap-key directory (else XDG_RUNTIME_DIR/rpass)
RPASS_CLIPBOARD_WAIT 1 = wait for clipboard clear on get
NO_COLOR Disable terminal colors

Shell completion

# bash
source <(rpass completions bash)

# zsh
rpass completions zsh > "${fpath[1]}/_rpass" && compinit

# fish
rpass completions fish > ~/.config/fish/completions/rpass.fish

Tests

cargo test

Security

  • Argon2id to resist GPU/ASIC brute force
  • AES-256-GCM (authenticated encryption) — fresh random nonce on every write
  • Mode 0600 on vault / session / export files
  • Session: sealed master key + separate wrap key (XDG_RUNTIME_DIR)
  • Write lock (.vault.lock) against concurrent writers
  • Clipboard: best-effort clear; set RPASS_CLIPBOARD_WAIT=1 to force wait
  • HIBP k-anonymity: only a SHA-1 prefix (5 chars) leaves the machine
  • JSON/CSV exports are plaintext — protect them carefully

License

MIT

About

CLI password manager written in Rust

Resources

Stars

0 stars

Watchers

0 watching

Forks

Packages

 
 
 

Contributors