WARNING pol is a young project, there might be errors, even vulnerabilities --- please help out by testing or reviewing its code.
pol /pɵl/ is a password manager with two important features:
-
A nice commandline interface. Want to generate a password? Just type:
$ pol generate github "my username is John Doo" Enter (append-)password: Copied password to clipboard. Press any key to clear ...
This will generate a new password; copy it to the clipboard and store it under the key github with the note my username is John Doo.
Want to retrieve the password you just stored? Just type:
$ pol copy github Enter password: note: 'my username is John Doo' Copied secret to clipboard. Press any key to clear ...
See below for a description of all commands.
-
Hidden containers. The best way to keep a secret, is being able to deny you are keeping one. Sometimes you are forced to give up your passwords. For instance, by a criminal, government or employer. Luckily a pol safe can have multiple containers. Each container is opened by its own passwords. If someone does not have a password of a container, he cannot prove the existence of the container in any way. Even if he has multiple versions of your safe! Thus if you are forced to open your pol safe, you can give a password to an uninteresting container and keep your real secrets safe.
First, we install pol.
$ sudo apt-get install libgmp3-dev libmcrypt-dev build-essential \
python-dev python-pip
$ sudo pip install pol
$ sudo apt-get install libgmp-dev libmcrypt-dev build-essential python-dev \
python-pip libssl-dev libyaml-dev
$ sudo pip install pol
Install MacPorts. Then run
$ sudo port install gmp mcrypt py-pip py27-mcrypt py27-crypto
$ sudo pip-2.7 install pol
If you get pol: command not found
when you try to run pol
,
add /opt/local/Library/Frameworks/Python.framework/Versions/2.7/bin
to your PATH
. For instance, like this:
$ echo 'export PATH=/opt/local/Library/Frameworks/Python.framework/Versions/2.7/bin:$PATH' >> ~/.profile
You can find compiled binaries, created using pyinstaller, for
OS X here.
Extract the zip somewhere, say /opt/pol
, and add the directory to your PATH
.
Then, we create a new safe with pol init
. pol
will ask you for the
passwords of your containers.
$ pol init
You are about to create a new safe. A safe can have up to six
separate containers to store your secrets. A container is
accessed by one of its passwords. Without one of its passwords,
you cannot prove the existence of a container.
Container #1
Each container must have a master-password. This password gives
full access to the container.
Enter master-password:
A container can have a list-password. With this password you can
list and add entries. You cannot see the secrets of the existing
entries. Leave blank if you do not want a list-password.
Enter list-password [no list-password]:
A container can have an append-password. With this password you
can only add entries. You cannot see the existing entries.
Leave blank if you do not want an append-password.
Enter append-password [no append-password]:
Container #2
Now enter the passwords for the second container.
Leave blank if you do not want a second container.
Enter master-password [stop]:
Enter list-password [no list-password]:
Enter append-password [no append-password]:
Container #3
Enter master-password [stop]:
Generating group parameters for this safe. This can take a while ...
[#####################=========================================================]
449 tried, 63.6/s 56.7% 0:00:18
allocating container #1 ...
allocating container #2 ...
trashing freespace ...
This will generate a new password, copy it to your clipboard and store it under
the key facebook
.
$ pol generate facebook
Enter (append-)password:
Copied password to clipboard. Press any key to clear ...
You might want to add a note. This note is shown when you retrieve the password.
$ pol generate facebook "e-mail: john@doo.org"
Enter (append-)password:
Copied password to clipboard. Press any key to clear ...
If you just want a password, but do not want to store it, omit the key:
$ pol generate
Copied password to clipboard. Press any key to clear ...
If you want to write it to the screen, add --stdout
:
$ pol generate --stdout
$^NxY{&Fsy,&->Gi$RZ}
There are several options to change the style of the password:
# xkcd style password with 40 bits of entropy
$ pol generate --stdout --kind english --entropy 40
dirty papal nephew repair
# alphanumeric password that would take ages to bruteforce with 10 tries per second
$ pol generate --sdtout --kind alphanum --web-crack-time ages
NNrZ9g8Sy
For all options, see pol generate -h
.
To copy a password stored under the key digid
from the safe to
your clipboard, write
$ pol copy digid
Enter password:
note: 'used the e-mail john@doo.org'
Copied secret to clipboard. Press any key to clear ...
To list the entries in a container, use
$ pol list
Enter (list-)password:
Container @280
github 'user: johndoo'
router
facebook 'email: john@doo.org'
bios.notebook
bios.pc
You can filter results as follows
$ pol list bios
Container @280
bios.notebook
bios.pc
To edit all entries in a container, use
$ pol edit
Enter password:
This will open up your default text editor ($EDITOR
) with, in this example:
github #1 user: johndoo
router #2
facebook #3 email: john@doo.org
bios.notebook #4
bios.pc #5
Simply edit the entries, save the file and exit the editor.
pol
will apply the changes. Remove lines to remove entries;
reorder lines to reorder entries and add a line to add an entry.
By default, the secrets are replaced by pointers like #2
.
To change a secret, simply replace the pointer by the secret. For instance:
github mypassword user: johndoo
To show the secrets by default, use pol edit -s
.
You can filter the entries to edit: executing pol edit bios
will present
the following file to edit.
bios.notebook #1
bios.pc #2
With pol edit -m
you can enter multiple passwords to edit entries
of multiple containers. Enter as many passwords as you like and
leave the prompt blank to continue to the editor:
$ pol edit -m
Enter password:
Enter next password [done]:
Enter next password [done]:
You will be presented a file like:
CONTAINER 1
github #1 user: johndoo
router #2
facebook #3 email: john@doo.org
bios.notebook #4
bios.pc #5
CONTAINER 2
supersecret #6
recoverykey #7
Move entries under different headers to move them between containers. It is that simple.
For those who like context-free mumbo-jumbo: pol uses El Gamal rerandomization, scrypt, AES-256 CTR, ECIES on secp160r1, SHA-256, Fortuna and msgpack. For actual details, see FORMAT.md.
The developers of pol are
- Bas Westerbaan
Others have been involved indirectly:
- Bart Jacobs suggested using El-Gamal rerandomization
- Wieb Bosma and Eric Cator have helped approximating the density of the safe primes.
pol
builds on dozens of other (open source) projects, notably:
Finally, the following projects have influenced the design.