Home-grown password manager

In 2024 I switched to pass when I switched from macOS to Raspberry Pi 5 as my daily driver.


I have been thinking about pass by Jason A. Donenfeld of WireGuard fame for a while. Inspired by its elegance, simplicity and structure, but concerned by my own lack of rigour in managing GPG keys for vault security, I chose to roll my own, but without compromising security or usability.

spm is simply an encrypted, mountable volume that contains a passwords list in a plain-text file. The passwords-list file is free-format. To enable better querying, I have chosen the following structure: a four-line block, with each block separated by a single empty line. See an example (for demo purposes) below:

# Telstra
user (or num): my_unique_username
pass (or pin): my_secret_password
url: https://www.my.telstra.com.au/myaccount/home

spm is created in the following two steps:

  1. Create a passwords-list file spm.md; save it within a folder, say, spm.
  2. With macOS’s Disk Utility, create a new image from the spm folder with (a) AES 256 encryption, and (b) read-write options. (The password used to encrypt will be the vault’s master password.)

spm can either be read using a text editor or via command-line with grep. (All of the following is optional for those like me who prefer the Terminal.)

Prep for command-line

Create a function, say in a file like .bash_func:

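function spm() {
    if [ -z "$1" ]; then
        echo "Please provide a search term."
        return 1
    fi

    # Declare first so that "local" does not mask grep's exit status;
    # "--" stops a search term starting with "-" being read as a grep option.
    local result
    result=$(grep -A 3 -- "$1" /Volumes/spm/spm.md)
    if [ -z "$result" ]; then
        echo "No matching results found."
        return 1
    fi

    # printf instead of echo: zsh's echo expands backslash sequences,
    # which would alter a password containing "\n" or "\t".
    printf '%s\n' "$result"
}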

Make sure the .zshrc file sources the .bash_func file, like so:

# Source ~/.bash_func and ~/.aliases if they exist and are readable
for file in "$HOME"/.{bash_func,aliases}; do
    if [ -r "$file" ] && [ -f "$file" ]; then
        source "$file"
    fi
done
unset file

Restart Terminal, and this command is ready at your fingertips.

Querying password(s)

  1. Mount spm.dmg. If, for instance, spm.dmg is stored in ~/Documents, then run

    open ~/Documents/spm.dmg

    Enter the master password at the GUI prompt. (Common sense suggests it is unwise to check the box labelled “Remember password in my keychain”.) This will mount a volume on the Desktop, at /Volumes/spm, in macOS.

  2. Now in Terminal (running it with “Secure Keyboard Entry” enabled is recommended), query spm like the example below (it’s case-sensitive):

    spm "Telstra"

    This will produce the above example block to refer to, copy, paste, etc.

Once done using spm, (a) eject the spm volume from Desktop with Cmd + E, and (b) close Terminal window.
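
Because grep -A 3 matches the search term on any line, a term that also occurs in a username or URL prints lines from a neighbouring block. The following is an added example, not the author's code: a block-aware lookup that matches only the "# Name" header line, case-insensitively, and prints whole blocks. The names spm_block, spm_sample and SPM_FILE are hypothetical, and the sample entries are constructed.

```sh
# Added example (not the author's code). spm_block, spm_sample and SPM_FILE
# are hypothetical names; the entries printed by spm_sample are constructed.

spm_sample() {
    cat <<'EOF'
# Telstra
user (or num): my_unique_username
pass (or pin): my_secret_password
url: https://www.my.telstra.com.au/myaccount/home

# Example Bank
user (or num): telstra_billing_alias
pass (or pin): another_secret
url: https://bank.example/login
EOF
}

# Print every block whose "# Name" header contains the term (case-insensitive).
spm_block() {
    local term="$1"
    local file="${2:-${SPM_FILE:-/Volumes/spm/spm.md}}"
    if [ -z "$term" ]; then
        echo "Please provide a search term." >&2
        return 1
    fi
    if [ ! -r "$file" ]; then
        echo "Cannot read $file (is the volume mounted?)" >&2
        return 1
    fi
    # RS="" is awk's paragraph mode: one blank-line-separated block per record.
    # FS="\n" makes $1 the header line, so user/pass/url lines are never matched.
    # The term travels via the environment so awk does not expand backslashes in it.
    SPM_TERM="$term" awk '
        BEGIN { RS = ""; FS = "\n"; term = tolower(ENVIRON["SPM_TERM"]) }
        index(tolower($1), term) { if (found++) print ""; print }
        END { exit (found ? 0 : 1) }
    ' "$file" && return 0
    echo "No matching results found." >&2
    return 1
}

# Demo on the constructed sample: prints only the Telstra block, although the
# term also appears in the Example Bank username.
demo_file=$(mktemp)
spm_sample > "$demo_file"
spm_block telstra "$demo_file"
rm -f "$demo_file"
```

Messages go to stderr so that only matching blocks reach stdout.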

spm.dmg file is portable, and I think can be carried in a portable drive without compromising its integrity.

Adding or updating new password(s)

To add new (or update) passwords, just mount spm.dmg, edit the spm.md file and add (or edit) a block of details, save file, and eject spm volume.