Apart from crucial security fixes, this project is not maintained. Krypton's as-yet unnamed successor is going to be written from scratch in pure Rust. OpenSSL is going to be used as the cryptography provider, ensuring trust. Various convenience, integration, and quality-of-life features that I had planned for Krypton will instead go toward its Rust-based successor.
- A Fully Fledged TUI
- A Non-Interactive CLI Variant
- User Defined Key/Value Presets & Account Structure Presets (repeated emails, usernames, etc.)
- Stream cipher support, such as XChaCha20 and AES-GCM, which have certain advantages as well as disadvantages over AES-CBC. AES-CBC will always be supported and will remain the default, but other options will be available. Other such options include Twofish, the since-deprecated Triple DES, and the other finalist algorithms from the (A)dvanced (E)ncryption (S)tandard competition. I stress that this is not a security-enhancing idea; you should stick with the defaults if you do not know precisely what you are doing, or you might end up accidentally making the encryption less secure.
- Optional, fine-grained control over all aspects of the cryptography, including Argon2 parameters, other key derivation methods, padding systems, multiple-key and multi-cipher encryption, salting methods, choice of IV, etc. This is intended for those who want to go a step further; it isn't advised that you deviate from the defaults if you are unsure.
- Fuzzy finding support for account/entry searching.
- Extended editing commands, and optional VIM motions.
You should also be aware of the fact that Krypton's cryptographic library is not OpenSSL, but rather, a pure Python cryptographic library, PyCryptoDome, which is a well maintained fork of the long since deprecated PyCrypto.
This is still my daily password manager, and it's perfectly usable as it is; however, active development is not being done.
Krypton is an open source command line password manager built in Python, intended for power users with a heavy emphasis on privacy. I created this password manager because I don't trust my credentials in the hands of company servers running proprietary code behind closed doors; I want complete control over my password manager, its security, and where the data ends up. I also find most password managers to be lacking in basic features as a result of oversimplifying user interaction for the sake of appealing to the average consumer - this is not one such password manager.
- You're unfamiliar with the command line, or dislike using it.
- You can't live without a mobile app or browser extension (coming in the future).
- You favor mouse controls over keyboard controls.
- You have an aversion to learning curves.
- You value convenience over privacy.
- You want direct control over how and where your encrypted credentials are stored.
- You don't want to sign up for anything, or give your data to anyone.
- You want more advanced functionality out of your password manager.
- You're more comfortable with a command line, or find it more efficient than a GUI.
- You have Python experience, and want a password manager that can be easily tweaked or extended.
- PyCryptoDome - Cryptography Library
- Pyperclip - Cross-platform Clipboard Access
- Argon2-Cffi - A key derivation algorithm even stronger than bcrypt!
python -m pip install pycryptodome pyperclip argon2-cffi
Data is stored in .vlt vault files, which are AES-256-CBC encrypted JSON files. The initialization vector is always random, but it is not stored anywhere; instead, a minimum of 16 random bytes are injected at the start of the input data whenever encryption is performed, so that the initialization vector is only ever XOR'd with random garbage and never with the actual input data. That way, decryption is allowed to fail for the first block when no IV is provided. This avoids the hassle of keeping track of the IV without losing out on security, at the cost of an extra 16 bytes in the input - this is called an "IV Mask". Argon2 is used for key derivation, with a time cost of 16, a memory cost of 32MB, a parallelism of 4, and Argon2id as the mode.
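The IV mask works because of how CBC decryption chains blocks: block i is recovered as D(c_i) XOR c_(i-1), so only block 0 depends on the IV at all. The following is an added example, not Krypton's own code, that models the scheme end to end with the standard library only: a constructed 4-round Feistel permutation stands in for AES (it is not AES and must not be used for real data), PBKDF2 stands in for Argon2id, and the `--ivmask` length is a parameter so the failure mode of a mask shorter than one block can be observed.

```python
import hashlib
import hmac
import os

BLOCK = 16  # AES block size; the IV mask must be at least this long


def _round_fn(key: bytes, rnd: int, half: bytes) -> bytes:
    # Keyed Feistel round function: HMAC-SHA256 of (round number || half), truncated to 8 bytes.
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:8]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    # Constructed 16-byte keyed permutation (4-round Feistel). Stand-in for AES so the
    # example runs without PyCryptodome; it is NOT AES and offers no real security.
    left, right = block[:8], block[8:]
    for rnd in range(4):
        left, right = right, _xor(left, _round_fn(key, rnd, right))
    return left + right


def toy_block_decrypt(key: bytes, block: bytes) -> bytes:
    # Inverse of toy_block_encrypt: undo the rounds in reverse order.
    left, right = block[:8], block[8:]
    for rnd in reversed(range(4)):
        left, right = _xor(right, _round_fn(key, rnd, left)), left
    return left + right


def pkcs7_pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def pkcs7_unpad(data: bytes) -> bytes:
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def cbc_encrypt(key: bytes, iv: bytes, padded: bytes) -> bytes:
    out, prev = bytearray(), iv
    for i in range(0, len(padded), BLOCK):
        prev = toy_block_encrypt(key, _xor(padded[i:i + BLOCK], prev))
        out += prev
    return bytes(out)


def cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    # Block i is recovered as D(c_i) XOR c_(i-1); only block 0 is XOR'd with the IV.
    out, prev = bytearray(), iv
    for i in range(0, len(ciphertext), BLOCK):
        cur = ciphertext[i:i + BLOCK]
        out += _xor(toy_block_decrypt(key, cur), prev)
        prev = cur
    return bytes(out)


def derive_key(password: bytes, salt: bytes) -> bytes:
    # Stand-in for Krypton's Argon2id (time cost 16, 32MB, parallelism 4). PBKDF2 keeps
    # the example dependency-free; the iteration count is not a recommendation.
    return hashlib.pbkdf2_hmac("sha256", password, salt, 100_000, dklen=32)


def encrypt_vault(key: bytes, plaintext: bytes, ivmask: int = BLOCK) -> bytes:
    # IV mask: a fresh random IV that is never stored, plus `ivmask` random bytes
    # prepended to the data, so the IV is only ever XOR'd with that random prefix.
    iv = os.urandom(BLOCK)
    return cbc_encrypt(key, iv, pkcs7_pad(os.urandom(ivmask) + plaintext))


def decrypt_vault(key: bytes, ciphertext: bytes, ivmask: int = BLOCK) -> bytes:
    # No IV is available, so decrypt with an all-zero IV. That corrupts block 0 only;
    # with ivmask >= 16 every corrupted byte lies inside the mask, which is stripped.
    return pkcs7_unpad(cbc_decrypt(key, bytes(BLOCK), ciphertext))[ivmask:]


def mask_protects_data(key: bytes, plaintext: bytes, ivmask: int) -> bool:
    # Round-trip check: True when the recovered vault equals the original. With a mask
    # shorter than one block, real data shares block 0 with the IV and comes back garbled.
    ct = encrypt_vault(key, plaintext, ivmask)
    return decrypt_vault(key, ct, ivmask) == plaintext


if __name__ == "__main__":
    k = derive_key(b"correct horse battery staple", b"constructed-salt")
    # Constructed sample vault content; Krypton's real JSON layout is not modelled here.
    vault = b'{"accounts": {"example.test": {"user": "alice", "pass": "hunter2"}}}'
    print("ivmask=16 round-trips:", mask_protects_data(k, vault, 16))
    print("ivmask=0  round-trips:", mask_protects_data(k, vault, 0))
```

The construction is equivalent to the common "explicit IV" pattern in which the first ciphertext block serves as the IV for the rest, which is why it costs no security as long as the prefix comes from a CSPRNG (`os.urandom`) and is at least one block long. To use real AES in place of the toy permutation, PyCryptodome's `Crypto.Cipher.AES.new(key, AES.MODE_CBC, iv)` gives the same CBC chaining; Krypton's actual key derivation corresponds to argon2-cffi's `argon2.low_level.hash_secret_raw(password, salt, time_cost=16, memory_cost=32 * 1024, parallelism=4, hash_len=32, type=argon2.low_level.Type.ID)` (memory_cost is in kibibytes). Note that CBC by itself provides no integrity: a modified ciphertext still decrypts to something, so the separate integrity check that Krypton performs on load is what detects tampering, and it is not modelled in this example.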
Here are some examples of how you would do some basic common operations in Krypton. A more comprehensive command reference can be found further down.
This is the command line argument reference for Krypton, automatically generated via argparse. Command line arguments are not used to directly interact with Krypton; scroll down for the command reference.
usage: krypton.py [-h] --file [VAULT_PATH] [--ivmask [IV_MASK_LENGTH]] [--insecure] [--debug]
options:
-h, --help Show this help message and exit.
--file [VAULT_PATH], -f [VAULT_PATH]
A path pointing to the vault file that should be created or loaded.
--ivmask [IV_MASK_LENGTH], -ivm [IV_MASK_LENGTH]
The amount of random bytes that should be added or stripped from the start of the encryption/decryption output in order to mask the IV; should be
16 at the very least (AES block size).
--insecure, -is When present, this flag makes the program treat the file pointed to by --file as an unencrypted insecure vault, decryption will not be attempted.
This also affects the encryption of newly created vaults.
--debug, -db This flag enables the printing of additional information for debugging purposes.
This is the command reference for Krypton, here you can find all of the relevant commands for interacting with this password manager. You can view a copy of this reference within Krypton by using the help command. This does not include the command line arguments, to view those use the --help or -h argument when running Krypton.
Command Reference Legend
--------
N = Denotes a numerical value, e.g. command [N] (command takes any number as an argument)
| = Denotes multiple available options (or)
, = Denotes list of command aliases.
[] = Denotes singular parameter, contents indicate type of value.
{...} = Denotes a space-separated sequence of parameters of the same type.
--------
Navigating Krypton:
====================================================================================================
[N] | Navigate to the page of that number. Any number goes.
----------------------------------------------------------------------------------------------------
s, select [N | N-N] | Select the account with the given index, or account+entry if - is used.
| Example 1, selects account with index 12: "select 12"
| Example 2, selects account 12, entry 3: "select 12-3"
----------------------------------------------------------------------------------------------------
cs, clearsel | Deselects any accounts or entries selected using select.
----------------------------------------------------------------------------------------------------
f, filter {terms...} | Applies a display filter to the account list, accounts matching any of
| the provided search terms are whitelisted.
| Example: filter google twitter reddit
----------------------------------------------------------------------------------------------------
cf, clearfilter | Resets the display filter applied using the filter command.
----------------------------------------------------------------------------------------------------
pr, rows [N] | Modify the number of rows displayed per account page.
| Example: rows 10
----------------------------------------------------------------------------------------------------
cp, copy | Copies the entry selected using the select command to the clipboard.
====================================================================================================
Performing Edits In Krypton:
====================================================================================================
a, add | Add a new entry to the selected account, values will be prompted for.
----------------------------------------------------------------------------------------------------
del, delete | Deletes the selected entry from the account it belongs to.
----------------------------------------------------------------------------------------------------
mod, modify | Modifies the selected entry, new value will be prompted for.
----------------------------------------------------------------------------------------------------
aac, addacc | Add a new account to the vault, details will be prompted for.
----------------------------------------------------------------------------------------------------
dac, delacc | Deletes the selected account from the vault.
----------------------------------------------------------------------------------------------------
rand, random [N] {chars..} | Inserts a random password into the selected account entry
| Options: alpha, alphaupper, alphalower, numerical, special, extra
| Example: random 32 alpha numerical special
====================================================================================================
Security Related Commands:
====================================================================================================
make-secure | Turns on encryption for an insecure vault with decryption disabled.
----------------------------------------------------------------------------------------------------
make-insecure | Turns off encryption for a vault with encryption enabled, making it insecure.
----------------------------------------------------------------------------------------------------
ivmask [N] | Sets the length of the IV mask - the amount of random bytes appended/stripped
| from the encryption input/output data in order to guarantee a random output
| for the first round of XOR. Must be a minimum of 16 to be secure, but can
| be set to any size, though a high value will increase the file size.
----------------------------------------------------------------------------------------------------
dumpjson | Dumps the vault stored in RAM into the terminal as raw unencrypted JSON.
| Useful in case you lose filesystem access for whatever reason, and must
| get your credentials out of RAM. One of the two options presented when
| an integrity check fails.
====================================================================================================
Saving, Viewing, Restoring Changes:
====================================================================================================
save | Saves the changes made to the vault back into the same file that was loaded.
| This will not allow you to store the vault to a new location, or use a different
| password than the one that was used to decrypt it in the first place.
----------------------------------------------------------------------------------------------------
write | Writes the vault to any given location on the disk, but does not allow you
| to overwrite files, only new files can be created using this command. This
| also allows you to select a different password than the initial password.
----------------------------------------------------------------------------------------------------
restore, revert | Reverts the state of the vault in RAM to the state it was at when the vault
| was loaded, or the last time that the save command was used.
----------------------------------------------------------------------------------------------------
diff | View an index of everything that was added, removed, or modified since the
| vault was loaded, or the last time that the save command was used.
====================================================================================================
Miscellaneous Commands
====================================================================================================
exit, quit | Self-explanatory, exits the program.
----------------------------------------------------------------------------------------------------
help, ?, what | Shows the command reference that you're viewing right now.
====================================================================================================