cred - Credentials and secrets management in command line
cred SUBCOMMAND SITE [ARGUMENTS]
cred site SITE SUBCOMMAND [ARGUMENTS]
SITE, most often a website name, is a container of one or more properties. But it can be anything you want to tie properties to, typically passwords, keys, pin codes, API tokens as secrets and username, email address, etc. as ordinary properties.
SITE is represented by a directory in the credentials base dir. You may also enter a directory path on the filesystem for SITE. You don't need to create a SITE: it's created automatically when you write to it.
For websites and other services for which you have more than one account or identity,
it is recommended to organize them into sub-directories like: SITE/IDENTITY,
e.g.: mail.example.net/joe@example.net and mail.example.net/jane@example.net.
Output a bash script to setup tab-completion for the cred command.
Use it with, e.g.: eval "$(cred compscript)"
Display all properties (and their values) of a given site.
Optional parameter is how secrets are displayed:
mask-secrets is the default and replaces a secret string with 5 asterisks (*****) uniformly (so the number of characters is not leaked).
hash-secrets replaces secrets by a hash, and the checksum algorithm's name
is appended to the hash with a tab, like: <TAB>hash-algo=NAME.
blank-secrets displays the secret property name but leaves the value field empty.
Finally reveal-secrets displays secret strings in clear text just like ordinary properties.
The option subdirs dumps properties from the sub-directories too.
At the moment, a property is considered secret if its name contains at least one of these words (case insensitive): pass, key, cvc, secret, pin, code, token, totp (but not totp-issuer).
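The classification rule and the four display modes described above, written out as an added example; this is not cred's own code. It assumes a case-insensitive substring match on the property name, tab-separated output, and SHA-256 as the hash; the function names are hypothetical.

```bash
#!/usr/bin/env bash
# Added sketch of the documented rule; not cred's own source code.
SECRET_WORDS='pass key cvc secret pin code token totp'   # list from the text

# is_secret NAME: succeeds if NAME would be classified as a secret.
# Assumption: case-insensitive substring match on the property name.
is_secret() {
  local lc word
  lc=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
  case $lc in *totp-issuer*) return 1 ;; esac   # documented exception
  for word in $SECRET_WORDS; do
    case $lc in *"$word"*) return 0 ;; esac
  done
  return 1
}

# render MODE NAME VALUE: print NAME<TAB>VALUE the way a dump mode would.
# Assumptions: tab-separated output, and SHA-256 for hash-secrets
# (the page does not name the algorithm).
render() {
  local mode="$1" name="$2" value="$3" hash
  if ! is_secret "$name"; then
    printf '%s\t%s\n' "$name" "$value"
    return 0
  fi
  case $mode in
    mask-secrets)   printf '%s\t*****\n' "$name" ;;   # fixed width, hides length
    blank-secrets)  printf '%s\t\n' "$name" ;;
    reveal-secrets) printf '%s\t%s\n' "$name" "$value" ;;
    hash-secrets)
      hash=$(printf '%s' "$value" | sha256sum | cut -d' ' -f1)
      printf '%s\t%s\thash-algo=SHA256\n' "$name" "$hash" ;;
    *) echo "unknown mode: $mode" >&2; return 2 ;;
  esac
}

# classify NAME...: print "secret NAME" or "plain NAME" for each name.
classify() {
  local n
  for n in "$@"; do
    if is_secret "$n"; then echo "secret $n"; else echo "plain $n"; fi
  done
}

# Constructed names: ZIPCODE and KEYBOARD are over-matched (the safe side);
# RECOVERY-PHRASE matches no word and would be dumped in clear text.
classify PASSWORD USERNAME TOTP TOTP-ISSUER ZIPCODE KEYBOARD RECOVERY-PHRASE
render mask-secrets API-TOKEN constructed-value
```

Because the match is by name, a secret stored under a name that contains none of the listed words is handled as an ordinary property, so choose property names with that in mind.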
Generate a new password and put in PASSWORD property; append its old value to the OLDPASSWORDS property; copy the new one to the clipboard.
Manage properties of a given site. See individual instruction descriptions at the subcommands below which are aliases to these prop ... commands.
Open up the $EDITOR (falling back to $VISUAL) to edit the given property's value.
read PROPERTY
Read the new value from STDIN (readline is supported if bash supports it, see help read in bash(1)).
Secrets are read in no-echo mode.
Subcommand show shows only non-secrets. Enter reveal to show secrets as well.
By clip you may copy the value to the clipboard.
If you use CopyQ(1), secrets are kept out of CopyQ's clipboard item history.
Takes one or more property names and types their values to the window accessible by pressing Alt+Tab on your desktop.
Also presses <TAB> after each string, but does not press <RETURN>.
A single dot (.) is a pseudo PROPERTY name: if it's given, nothing will be typed in its place,
but <TAB> is still pressed after it.
Use it if the form has fields which you don't want to fill in.
Obviously it's useful only with a $DISPLAY.
Depends on xdotool(1).
The TOTP property (Timed One-Time Passcode) can be set (simply by cred ... set TOTP, no value needed), deleted, shown, and revealed.
When accessed, the cotp(1) program is called to search for a TOTP code whose ISSUER (combined with LABEL, if taking the ISSUER only would be ambiguous)
matches the selected SITE.
How SITE and ISSUER (LABEL) are matched: If the site has an OTP-ISSUER property, it is searched. Otherwise the site's name itself is taken as the ISSUER name. If the site is more than 1 directory level deep under the credentials base dir, then the first path component alone satisfies the search criteria as well. For example, TOTP codes for a site like "example.com/my-2nd-account" are searched under both "example.com/my-2nd-account" and "example.com" issuers.
If the above filtering yields more than 1 cotp(1) record, the result is further filtered by LABEL.
The following properties are tried as LABEL in order: EMAIL, USERNAME, LOGIN.
Once only 1 cotp(1) record is yielded, it is taken as the TOTP code.
Credentials directory is hardcoded to ~/cred.