Skip to main content

Synchronize password databases

Project description

A Password synchronization tool

Actions Status

Nobody can be held liable for any damages cause by this tool. Always make a backup before using this tool.

pwsync is a low level command line tool that synchronizes password databases.

pwsync grew from a personal need to simplify credential usage for online services (e.g. for web shops, banks, cloud services, ...) on different platforms (Ubuntu, iPad, Android mobile, ...). Keepass feels outdated for such use-cases. Bitwarden (and alikes) simplify authentication thanks to its browser extension. Due to the personal use case, pwsync only supports Keepass database files and Bitwarden online database. But anybody can add support for other cloud password services if their (public) REST API is known with a Pull Request.

These properties of the password database features are handled (the lowest common denominator):

  • a hierarchical classification with folder/group
  • a credential's title/description
  • a username (an empty username is not supported)
  • a password
  • (per credential) notes
  • one url (without the matching capabilities of Bitwarden)
  • a one time pass code (TOTP which Keepass stores in its attributes property as pws_totp)
  • a favorite flag (Keepass stores this in its attributes property as pws_fav)
  • an organization (required when using collections, which Keepass stores as pws_org in its attributes property)
  • multiple collections (which Keepass keeps in its attributes property as pws_col)
  • a specific sync flag that, if missing, will ignore a password database entry during synchronization (Keepass keeps this in its attributes property as pws_sync)

Support for fields, icons, expiration date, the automatic creation of organizations, changes on a credential's collection set, Bitwarden's reprompt, Bitwarden's multiple urls and matching patterns, privately hosted Bitwarden etc. is currently missing!

Usage

It is important to familarize oneself with pwsync first! Use the toy Keepass password database files in the demo directory (passphrase is pw). Read this documentation to its very end.

# main use-case: synchronize changes from a local Keepass database to an online Bitwarden database.
# for all entries that have their _pws_sync_ flag set.
pwsync --from demo/from.kdbx --to bitwarden

# Similar but use the 2 toy Keepass password database files
# make a backup into a "to.kdbx.backup" first!
# see below for an example of typical output.
pwsync --from demo/from.kdbx --to demo/to.kdbx

# a description of all options
pwsync -h

Installation

pwsync depends on the Bitwarden command line client tool. This tool and its installation description can be found here.

npm install -g  @bitwarden/cli@1.19.1
# get git, python (here version 3.8) and build tools
sudo apt install -y --upgrade git build-essential python3.8-venv python3.8-dev

# clone the pwsync repo locally
git clone https://github.com/aptly-io/pwsync.git
cd pwsync

# prepare a virtual env. to avoid conflicts with existing python installation(s)
python3.8 -m venv .venv
. .venv/bin/activate

# upgrade pip and setuptools
python -m pip install --upgrade pip setuptools build

As user

Install the script and try-out the installation with the command command shown in Usage.

python -m pip install --upgrade .

As developer

# use an "editable" install together with tools for source code formatting, linting and testing
python -m pip install --upgrade -e .[dev]

# and/or with tools for building a distribution
python -m pip install --upgrade .[build]

# install a git pre-commit hooks according to .pre-commit-config.yaml
pre-commit install

Development

# format the source code (configuration in pyproject.toml) (done by pre-commit hook)
python -m black pwsync/*.py tests/*.py

# linting and source code analysis (ran in pre-commit hook)
python -m pylint pwsync tests || echo "FAILED"
python -m pylama pwsync/*.py

# tests with an xml coverage report for pwsync
# the test_bwc requires an online account; provide the credentials in env. vars.
export TEST_BW_CLIENT_ID=
export TEST_BW_CLIENT_SECRET=
export TEST_BW_MASTER_PASSWORD=
python -m pytest -s -vvv --cov=pwsync --cov-report=xml:cov.xml tests || echo "FAILED"

# for distribution
# for the proper version to be generated, use the main branch with a tag like v0.1b5
python -m build

# upload on testpypi
twine check --strict dist/* # basic check

# do a minimal test of the package in a new venv
deactivate
python3.8 -m venv .venv_install
. .venv_install/bin/activate
python -m pip install dist/pwsync-0.1b5-py3-none-any.whl
which pwsync
pwsync --from demo/from.kdbx --to demo/to.kdbx
deactivate
rm -rf .venv_install

# finally upload
python -m twine upload --repository testpypi dist/*

Technical details

The supported password databases use different technology and implementation: Keepass is file based while Bitwarden is a cloud service. To recognize equivalent password entries between the databases, pwsync identifies entries by certain property value(s). By default the folder and title property values are used. (this can be customized with the --id command line option).

The synchronization goes in 1 direction: only the to database could get modified due to differences with the from database. There are 3 modification types:

  • create: adds a new password entry in the to database because it exists only in the from database.
  • delete: removes an entry from the to database because it does not exist in the from database.
  • update: changes an entry in the to database because it is different for the equivalent entry in the from database.

A conflict is when the to password entry has a more recent modification time than its equivalent entry in the from database. Conflicts are skipped by pwsync; one has to manually address these.

Changing the property value used for password entry identification (e.g. the title) in one database, causes a create/delete modification!

To synchronize, pwsync depends on:

  • The python diffsync module: determines the differences between two password databases.
  • The python pykeepass module: modifies a Keepass_ file.
  • Bitwarden's official(?) command line client: modifies a Bitwarden online password database.

An curated dump of the console output is shown below:

  • The passphrase to open the Keepass file is prompted.
  • Since the output would be too large, parts are cut out.
  • There are no conflicts in this example.
  • There are 7 updates (7 entries in from.kdbx are different and more recent than to.kdbx).
  • For easier interpretation, differences are highlighted in red and green.
    • in the first example, the username changed from name to Name updated.
    • secrets are obviously hidden
  • There are 11 new and removed entries (only 1 of each is shown). What exactly is added and removed in the entry is show (again in green and red respectively). The 1 create and delete entry shown, are very similar; in fact these differ only in their title. This is the reason pwsynmc sees these as different entries (as explained higher)!

image

License

pwsync is necessarily GPL3 since it (currently) depends upon the GPL3 python module pykeepass.

Copyright 2022 Francis Meyvis (pwsync@mikmak.fun)

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

pwsync-0.2b3.tar.gz (142.3 kB view details)

Uploaded Source

Built Distribution

pwsync-0.2b3-py3-none-any.whl (37.8 kB view details)

Uploaded Python 3

File details

Details for the file pwsync-0.2b3.tar.gz.

File metadata

  • Download URL: pwsync-0.2b3.tar.gz
  • Upload date:
  • Size: 142.3 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/3.8.0 pkginfo/1.8.2 readme-renderer/32.0 requests/2.27.1 requests-toolbelt/0.9.1 urllib3/1.26.8 tqdm/4.63.0 importlib-metadata/4.11.2 keyring/23.5.0 rfc3986/2.0.0 colorama/0.4.4 CPython/3.9.10

File hashes

Hashes for pwsync-0.2b3.tar.gz
Algorithm Hash digest
SHA256 b9fd360e9a0264d6aab223593cb2198d81e03d65a0d5729c612bc8dea4663d71
MD5 ee7a3c23789492c7cbdb3e6ab3485b8f
BLAKE2b-256 00ef7e850364f2e926c69ec065c441053fb9f57907dd0fced161fd98828d7905

See more details on using hashes here.

File details

Details for the file pwsync-0.2b3-py3-none-any.whl.

File metadata

  • Download URL: pwsync-0.2b3-py3-none-any.whl
  • Upload date:
  • Size: 37.8 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/3.8.0 pkginfo/1.8.2 readme-renderer/32.0 requests/2.27.1 requests-toolbelt/0.9.1 urllib3/1.26.8 tqdm/4.63.0 importlib-metadata/4.11.2 keyring/23.5.0 rfc3986/2.0.0 colorama/0.4.4 CPython/3.9.10

File hashes

Hashes for pwsync-0.2b3-py3-none-any.whl
Algorithm Hash digest
SHA256 4cf7afda6d8f8602c8b4f04ff5dee52468a16d7061941abc7baeea2664a456a7
MD5 79082c5dca67c487cbdc0ea3dbbc745f
BLAKE2b-256 15872f9e33870216f1004b17140f93d1c2d15274c29a521001fde6092bdcd529

See more details on using hashes here.

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page