Entropy Vault command line tool for storing passwords and other sensitive strings.

oli4vr/entrovault

Entropy Vault command line tool

Target use : Securely store and retrieve sensitive strings like passwords for command line use.

Entropy Vaults are cryptographically obscured files intended to store passwords and other sensitive short strings. Every entry is stored encrypted and contains payload+hash. To retrieve an entry, the program must attempt to decrypt every possible entry in the "entropy vault file".

There is also no index or any other method to list or know what entries are present in the file. The idea is that person A could store an entry after person B and be completely unaware that person B has any data in the vault, and vice versa.
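
A minimal Python model of the index-less design described above, added here as an illustration and not taken from entrovault's source: each fixed-size slot holds an encrypted payload+hash, and a search trial-decrypts every slot until a hash verifies. The slot layout, the PBKDF2 key derivation from password and keystring, and the SHA-256 keystream are assumptions standing in for the tool's own format and cipher.

```python
import hashlib
import hmac
import os

NONCE, TAG, SLOT = 16, 32, 96        # bytes; slot layout is an assumption of this model
BODY = SLOT - NONCE - TAG            # 48 bytes: 1 length byte + payload + random padding

def derive_key(password: str, keystring: str) -> bytes:
    # Assumed: the key depends on both the vault password and the entry's keystring.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), keystring.encode(), 100_000)

def keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Toy SHA-256 counter-mode keystream, a stand-in for the tool's cipher.
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def append(vault: bytearray, password: str, keystring: str, payload: bytes) -> None:
    if len(payload) > BODY - 1:
        raise ValueError("payload too long for one slot")
    body = bytes([len(payload)]) + payload + os.urandom(BODY - 1 - len(payload))
    plain = body + hashlib.sha256(body).digest()      # payload + hash, as the README describes
    nonce = os.urandom(NONCE)
    vault += nonce + xor(plain, keystream(derive_key(password, keystring), nonce, len(plain)))

def search(vault: bytes, password: str, keystring: str):
    # No index: trial-decrypt every slot and keep the one whose hash verifies.
    key = derive_key(password, keystring)
    for off in range(0, len(vault), SLOT):
        nonce, ct = bytes(vault[off:off + NONCE]), bytes(vault[off + NONCE:off + SLOT])
        plain = xor(ct, keystream(key, nonce, len(ct)))
        body, tag = plain[:BODY], plain[BODY:]
        if hmac.compare_digest(hashlib.sha256(body).digest(), tag):
            return body[1:1 + body[0]]
    return None                       # wrong password and absent entry are indistinguishable

if __name__ == "__main__":
    vault = bytearray()               # constructed sample data
    append(vault, "pw-of-A", "MySecretPassword", b"PASSW0RD")
    append(vault, "pw-of-B", "other/entry", b"hunter2")
    print(search(vault, "pw-of-A", "MySecretPassword"))
    print(search(vault, "pw-of-B", "MySecretPassword"))
```

Because a wrong password and a missing entry both fail the hash check, the model cannot tell one from the other, and lookup cost grows with the number of slots in the file.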

"Entropy" on Wikipedia:

"Entropy is a scientific concept, as well as a measurable physical property, that is most commonly associated with a state of disorder, randomness, or uncertainty."

Command syntax :

entrovault -> Entropy vault
 by Olivier Van Rompuy

Search Entry  : entrovault [-s] [-c] [-p vault_password] [-v vault_name] [-% rounds] keystring
Append Entry  : entrovault -a [-q] [-p vault_password] [-v vault_name] [-% rounds] keystring
Replace Entry : entrovault -r [-q] [-p vault_password] [-v vault_name] [-% rounds] keystring
Erase Entry   : entrovault -e [-q] [-p vault_password] [-v vault_name] [-% rounds] keystring
List Vaults   : entrovault -l

Options
 -s   Output string in plain text instead of invisible.
 -a   Append entry
 -r   Replace entry. If not found append
 -e   Erase entry
 -p   Vault password
 -q   Password type payload entry
 -v   Vault name
 -%   Encryption rounds
 -l   List vaults
 -c   Execute content as system commands

Explain by example :

Store a password in the vault and retrieve it
You are always required to enter a vault password. This password can be unique per entry, but does not have to be. This is purely up to the user and the use case. When you append a new entry you are required to confirm the password a second time.
The -q option allows you to enter the payload via a password style input prompt.

$ entrovault -q -a MySecretPassword
Enter vault password for MySecretPassword - 1st : 
Enter vault password for MySecretPassword - 2nd : 
Payload 1st : 
Payload 2nd :

Retrieve your password

$ entrovault -s MySecretPassword
Enter vault password for MySecretPassword :
PASSW0RD

Replace entry

$ entrovault -q -r MySecretPassword
Enter vault password for MySecretPassword :
Payload 1st :
Payload 2nd :

Erase entry

$ entrovault -e MySecretPassword
Enter vault password for MySecretPassword :
Payload 1st :
Payload 2nd :

By default, stdin is used as the source for the payload/content unless -q is provided.

You can use mixed complexities of encryption: with the -% parameter you can choose a custom number of encryption rounds. Note that encryption is done in 2 stages, so the current 3-round default actually results in 6 encryption rounds. You can go up to 255, but beware that as the vault file grows it will require exponentially more CPU power to retrieve entries. 2-8 rounds is quite secure; anything above is for experimentation only.

Build & Install

$ git clone https://github.com/oli4vr/entrovault.git
$ cd entrovault
$ make
$ make install

* Make sure ~/bin is in your $PATH


More example use cases :

Interactive authentication script :

some_application -username=myuser -password="$(entrovault MySecretPassword)" ...do some stuff

* The point here is that you only need to remember the vault password


Use case for -c : Store and execute sensitive commands

$ echo "some_application -username=myuser -password=XYZABC ..." | entrovault -a mycommand
$ entrovault -c mycommand

Safely store (expect) login scripts with hard coded passwords
Example Login script with nested jump to a third host :

# vi autologin.sh
#!/bin/bash
/usr/bin/expect <<EOF
set timeout 2
spawn ssh -t -C username@hostname
expect "password : "
send "PASSW0RD1\r"
expect "$ "
send "ssh -t -C username2@hostname2\r"
expect "password : "
send "PASSW0RD2\r"
close stdin
open /dev/tty
interact
EOF

Store it in a vault and execute it :

$ entrovault -v sshvault -a ssh/autologin < autologin.sh
$ entrovault -v sshvault -c ssh/autologin
