Install
April 13, 2025 ยท View on GitHub
pwd.sh is a Bash shell script to manage text-based secrets, such as passwords.
It uses GnuPG to symmetrically (i.e., using a passphrase) encrypt and decrypt plaintext files.
Each secret is individually encrypted to a randomly-named file in the safe directory. An encrypted index is used to map usernames to the respective secret file. Both the index and secret files can be decrypted with GnuPG without requiring pwd.sh.
Install
For the latest version, clone the repository or download the script directly:
git clone https://github.com/drduh/pwd.sh
wget https://raw.githubusercontent.com/drduh/pwd.sh/master/pwd.sh
Versioned Releases are also available.
Use
Run the script interactively using ./pwd.sh or symlink to a directory in PATH:
wto create a secretrto access a secretlto list all secretsbto create a backup archivehto print the help text
Options can also be passed on the command line.
Create a 20-character password for userName:
./pwd.sh w userName 20
Read password for userName:
./pwd.sh r userName
Passwords are stored with an epoch timestamp for revision control. The most recent version is copied to clipboard on read. To list all passwords or read a specific version of a password:
./pwd.sh l
./pwd.sh r userName@1574723600
Create an archive for backup:
./pwd.sh b
Restore an archive from backup:
tar xvf pwd*tar
Configure
Several customizable options and features are also available, and can be configured with environment variables, for example in the shell rc file:
| Variable | Description | Default | Available options |
|---|---|---|---|
PWDSH_CLIP | clipboard to use | xclip | pbcopy on macOS |
PWDSH_CLIP_ARGS | arguments to pass to clipboard command | unset (disabled) | -i -selection clipboard to use primary (control-v) clipboard with xclip |
PWDSH_TIME | seconds to clear password from clipboard/screen | 10 | any valid integer |
PWDSH_LEN | default password length | 14 | any valid integer |
PWDSH_COPY | copy password to clipboard before write | unset (disabled) | 1 or true to enable |
PWDSH_DAILY | create daily backup archive on write | unset (disabled) | 1 or true to enable |
PWDSH_CHARS | character set for passwords | [:alnum:]!?@#$%^&*();:+= | any valid characters |
PWDSH_COMMENT | unencrypted comment to include in index and safe files | unset | any valid string |
PWDSH_DEST | password output destination, will set to screen without clipboard | clipboard | clipboard or screen |
PWDSH_ECHO | character used to echo password input | * | any valid character |
PWDSH_SAFE | safe directory name | safe | any valid string |
PWDSH_INDEX | index file name | pwd.index | any valid string |
PWDSH_BACKUP | backup archive file name | pwd.$hostname.$today.tar | any valid string |
PWDSH_PEPPER | file containing Pepper | unset (disabled) | any valid file path |
See config/gpg.conf for additional GnuPG options.
Also see drduh/Purse - a fork which integrates with YubiKey instead of using a passphrase.
Pepper
The Pepper is an additional string appended to the safe passphrase to improve its strength. When the PWDSH_PEPPER option is set to a valid path, a secret value is generated and displayed once, then saved to the respective file.
The Pepper should be written down (for example, transcribed with passphrase.html or passphrase.txt template) and stored in a secure, durable location for backup.
This feature may enable use of a more memorable - and possibly weaker passphrase - for convenience, while still guarding backups against passphrase brute-force attempts (provided the Pepper is backed up separately).
The Pepper feature is opt-in and has no effect unless explicitly enabled.
Warning
The Pepper is not included in backup archives! Without the Pepper, the safe will not be accessible with the safe passphrase alone!