Manage passwords in a git backed encrypted gnupg database with LDAP support
pwmanager is a python script for storing passwords, searchable by hostname and user, in a gnupg encrypted git backed database. It can encrypt to multiple keys and also fetch keys from LDAP, allowing you to easily and securely share and version control passwords with others. Useful for both personal and group-wide password storage and sharing.
Copyright (C) 2019 Andreas Bofjäll firstname.lastname@example.org, see LICENSE for licensing details.
Where to get it
The latest release is available at PyPI: https://pypi.org/project/pwmanager/
Source code repository is at github: https://github.com/andbof/pwmanager
Quickest and easiest is to install using
pip3 from PyPI as your local user:
pip3 install --user pwmanager
You can also install the latest development version directly from the github repository:
pip3 install --user git+git://github.com/andbof/pwmanager.git
Some options need to be set in the configuration file. A sample
pwmanager.conf.sample) is included in the package. pip3
will install it in the
pwmanager/data subdirectory of the appropriate
site-packages directory. It should be put in
The standard location for your password repository is
pwmanager requires python3 >= 3.4 and some extra packages, see
details. Python 2.x is not supported.
Help on actions is available by appending -h:
pwmanager add -h
Adding the password
secretpass for the account
host.company.com to the database:
pwmanager add host.company.com root secretpass
If you leave out
secretpass, pwmanager will prompt you for the
Retrieving the password stored above:
pwmanager get host.company.com root
pwmanager get matches both the hostname and username as substrings and
if you do not specify a username it will list all accounts, so all of these
will find the above account (and maybe others):
pwmanager get host.company.com roo pwmanager get host.company.com oot pwmanager get host.company.com r pwmanager get host.company.com r pwmanager get host.company.co pwmanager get com pwmanager get h
Synchronizing with others
pwmanager will always update from and push to
origin when there is an
origin git remote configured. git adds
origin automatically if you
clone an already existing repository, but you need to add it manually if you
initialize it yourself or use
To add a remote repository later, use the normal git way:
cd /path/to/datastore git remote add origin URL
In normal operation, pwmanager will, before doing anything, always fetch and
rebase on the latest
origin/master, and will push to
afterwards. It will also retry this up to five times in case multiple people
are in a rebase-race and pushing at the same time. However, if you just added a
new origin remote it's a good idea to manually run:
git fetch origin git rebase origin/master
If any of the two commands above fail, you need to fix whatever git complains about or pwmanager will not work.
How are the passwords stored?
(aka When the script doesn't work and you desperately need a password)
All passwords are stored in separate files, one per password, in your datadir. They are encrypted using GnuPG to all keys you configured to use, so if you have a suitable key available in your local gnupg keyring and you want the password for 'user' on 'host', you can do so by just running gnupg:
gpg -o - -d datadir/host/user.gpg
If this fails, ensure you have your secret key in your gnupg keyring.
Why is every password in a separate file, you ask? Because that enables replacing individual passwords without having access to any secret key. This allows automated password rotation, for example.
gnupg could probably not find your secret key. Make sure your secret key is
available in your standard keyring in
~/.gnupg and that you're running the
latest gnupg 2.x series.
For debian stretch you need to install
If your system defaults to gnupg 1.x and your gnupg 2.x binary is called gpg2,
gpg_path = gpg2 in the
[gnupg] section of
RuntimeError: No recipients to encrypt to!
You haven't added any key fingerprints in
pwmanager.conf and haven't
configured any other data source. There are simply no public keys configured to
"I don't understand how to get the LDAP stuff working at all"
pwmanager currently assumes you have a group (
objectClass: posixGroup) with
memberUid attribute for every member. Those should map to whatever you've
Next, pwmanager assumes the user has the attribute you've set as
which should be the DN of a PGP keyserver compatible entry under
The same LDAP server must be able to act as a PGP compatible keyserver (hint:
gpg --send-keys should work). Also, don't forget to uncomment the
[ldap] header in
pwmanager does not call
mlock(), mostly because doing so would require calling
mlock()for the entire ~5 MB python binary.
pwmanager currently does not support multiple git remotes. That should probably be implemented, for numerous reasons.
|Filename, size||File type||Python version||Upload date||Hashes|
|Filename, size pwmanager-1.4.tar.gz (18.4 kB)||File type Source||Python version None||Upload date||Hashes View hashes|