# vault

**Repository Path**: mirrors_michaelrhodes/vault

## Basic Information

- **Project Name**: vault
- **Description**: Generates safe passwords so you never need to remember them
- **Primary Language**: Unknown
- **License**: Not specified
- **Default Branch**: master
- **Homepage**: None
- **GVP Project**: No

## Statistics

- **Stars**: 0
- **Forks**: 0
- **Created**: 2020-09-25
- **Last Updated**: 2026-03-01

## Categories & Tags

**Categories**: Uncategorized

**Tags**: None

## README

# vault [<img src="https://secure.travis-ci.org/jcoglan/vault.png" />](http://travis-ci.org/jcoglan/vault)

`vault` is a simple password manager. Given a passphrase and the name of a
service, it returns a strong password for that service. You only need to
remember your passphrase, which you do not give to anyone, and `vault` will give
a different password for every service you use. The passphrase can be any text
you like.

Given the same passphrase and service name, the program will generate the same
result every time, so you can use it to look up those impossible-to-remember
passwords when you need them.

According to [Dropbox's zxcvbn password strength
measure](http://dl.dropbox.com/u/209/zxcvbn/test/index.html), if your dictionary
English password takes about a second to crack, those generated by `vault` take
over a million times the age of the observable universe to crack by brute force.


## Why?

I have a terrible memory and like keeping my stuff safe. [Strong
service-specific passwords are hard to remember](http://xkcd.com/936/), and many
services [have stupid restrictions on
passwords](http://me.veekun.com/blog/2011/12/04/fuck-passwords/). I want to
remember one phrase and have a machine deal with making my passwords strong.


## Installation

This program is written in JavaScript. It provides a CLI and a web-based
interface.  The command line interface is available as a Node program. To
install with npm run:

    npm install -g vault

To enable tab-completion for bash, add this to your .bashrc scripts:

    which vault > /dev/null && . "$( vault --initpath )"

If you want to use the web interface provided with vault (like
https://getvau.lt/) you need to serve the static files found in the `web` folder
using your favourite web server.


## Usage

The most basic usage involves passing your passphrase and the service name; when
you pass the `--phrase` or `-p` flag you will be prompted for your passphrase:

    $ vault google -p
    Passphrase: *********
    2hk!W[L,2rWWI=~=l>,E

You can set the desired length using `--length` or `-l`:

    $ vault google -p -l 6
    Passphrase: *********
    Tc8k~8

You can control the character types present in the output, either to disable
certain types or make sure they are present. For example, to get a password with
no symbols in it:

    $ vault google -p --symbol 0
    Passphrase: *********
    Bb4uFmAEUnTPJh23ecdQ

To get a password containing at least one dash and uppercase letter:

    $ vault google -p --dash 1 --upper 1
    Passphrase: *********
    2-[w]thuTK8unIUVH"Lp

Available character classes include:

* `lower`: lowercase letters, `a`-`z`
* `upper`: uppercase letters, `A`-`Z`
* `number`: the digits `0`-`9`
* `space`: the space character ` `
* `dash`: dashes (`-`) and underscores (`_`)
* `symbol`: all other printable ASCII characters

Finally, some sites do not allow passwords containing strings of repeated
characters beyond a certain length. For example, a site requiring passwords not
to contain more than two of the same character in a row would reject the
password `ZOMG!!!` because of the 3 `!` characters. `vault` lets you express
this requirement using `--repeat` or `-r`; this option sets the maximum number
of times the same character can appear in a row.

    $ vault google -p -r 2


## Using your SSH private key

Instead of a simple passphrase, `vault` can use a value signed using your SSH
private key as its input. Use the `--key` or `-k` option:

    $ vault twitter -k

    Which key would you like to use?

    1: james@tesla, AAAAB3NzaC1y...+XRS6wsfyB7D
    2: james@tesla, AAAAB3NzaC1y...B4vwPOArAIKb

    Enter a number (1-2): 1
    \vXY"xP}m7;,./eI{cz<

If you only have one private key, that is used automatically. If you have
several, a menu is displayed as above using snippets from the corresponding
public keys. You will be prompted to unlock the selected key if necessary.

Note that all the prompts shown to you while using `vault` are printed to stderr
and the generated password to stdout, so you can pipe `vault` to `pbcopy` and
you'll just get the password in your clipboard, i.e.:

    $ vault twitter -k | pbcopy

    Which key would you like to use?
    # etc.


## Saving your settings

If you like, you can store your passphrase on disk; `vault` will save it in a
file called `.vault` in your home directory.

The `.vault` file is encrypted with AES-256, using your username as the key by
default. You can set your own key using the `VAULT_KEY` environment variable.
You can also change the location of the file using the `VAULT_PATH` variable,
for example you might set `VAULT_PATH=Dropbox/.vault` to sync it using Dropbox.
If you do this, make sure any files containing the key are NOT also exposed to
third-party services.

To save your passphrase, pass the `--config` or `-c` flag:

    $ vault -c -p
    Passphrase: *********
    $ vault google
    2hk!W[L,2rWWI=~=l>,E

You can also configure character class settings this way:

    $ vault -c --upper 0
    $ vault google -p
    Passphrase: *********
    =hk|,;,>=r'}k=p-u>1p

Both the passphrase and the character class settings can be overridden on a
per-service basis:

    $ vault -c twitter --upper 1 --symbol 0

    $ vault twitter -p
    Passphrase: *********
    Z2juOG1Z31BX1A9ET8Cn

    $ vault google -p
    Passphrase: *********
    =hk|,;,>=r'}k=p-u>1p

If you're using your private key instead of a passphrase, you can save your
`--key` setting. The config file ends up storing the public key, not the private
key or any value derived from it. Next time you run `vault`, the public key is
used to find the corresponding private key from `ssh-agent`.

    $ vault -c -k

    Which key would you like to use?

    1: james@tesla, AAAAB3NzaC1y...+XRS6wsfyB7D
    2: james@tesla, AAAAB3NzaC1y...B4vwPOArAIKb

    Enter a number (1-2): 1

    $ vault twitter
    \vXY"xP}m7;,./eI{cz<

If you'd like to get a plain-text copy of the encrypted settings file, or import
a previously exported settings file, you can use the `--export` and `--import`
flags. `--export` writes the contents of the `.vault` file to the given path,
while `--import` reads the given file and stores it encrypted in your `.vault`
file. This can be used, for example, to change the encryption key:

    $ VAULT_KEY=oldkey vault --export settings.json
    $ VAULT_KEY=newkey valut --import settings.json

Or, you can use it if `vault` changes its encryption algorithm in the future.
Just use your current installation to export the settings, upgrade, then import.

    $ vault --export settings.json
    $ npm install -g vault
    $ vault --import settings.json


## Notes

You can save notes for any of the services you use. Notes are stored in the
service's settings, but are not used for generating passwords. To edit the notes
for a service, use `--config` with `--notes` or `-n`:

    $ vault -c -n google

This opens your `$EDITOR` where you can edit the notes. When you save the file
and close the editor, the updated notes will be saved into your `.vault` file.

When you ask for the password for a service, `vault` will print any notes you
have saved for it. It prints the password to stdout and the notes to stderr, so
you can pipe the password to the clipboard if you like and still the notes
printed in your terminal.

    $ vault google | pbcopy

    The notes will appear here. The password is saved to the clipboard.


## Deleting saved settings

You can delete any saved setting using the `--delete`, `--delete-globals` and
`--clear` options. (`--delete` is aliased as lowercase `-x` and `--clear` as
uppercase `-X`.) `--delete` removes settings for an individual service,
`--delete-globals` removes your global settings and `--clear` deletes all saved
settings.

    $ vault --delete twitter
    This will delete your "twitter" settings. Are you sure? (Y/n): Y

    $ vault --delete-globals
    This will delete your global settings. Are you sure? (Y/n): Y

    $ vault --clear
    This will delete ALL your settings. Are you sure? (Y/n): Y


## How does it work?

`vault` takes your passphrase and a service name and generates a hash from them
using [PBKDF2](http://en.wikipedia.org/wiki/PBKDF2). It then encodes the bits of
this hash using a 94-character alphabet, subject to the given character
constraints. This design means that each password is very hard to break by brute
force, and ensures that the discovery of one service's password does not lead to
other accounts being compromised. It also means you can tailor the output to the
character set accepted by each service. The use of a deterministic hash function
means we don't need to store your passwords since they can easily be
regenerated; this means there's no storage to sync or keep secure.


## License

Copyright (C) 2012-2014 James Coglan

This program is free software: you can redistribute it and/or modify it under
the terms of the GNU General Public License as published by the Free Software
Foundation, either version 3 of the License, or (at your option) any later
version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY
WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.  See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with
this program.  If not, see <http://www.gnu.org/licenses/>.