{ "info": { "author": "Ken Kundert and Kale Kundert", "author_email": "avendesora@nurdletech.com", "bugtrack_url": null, "classifiers": [ "Development Status :: 5 - Production/Stable", "Environment :: Console", "Intended Audience :: End Users/Desktop", "License :: OSI Approved :: GNU General Public License v3 or later (GPLv3+)", "Natural Language :: English", "Operating System :: POSIX :: Linux", "Programming Language :: Python :: 2.7", "Programming Language :: Python :: 3.5", "Programming Language :: Python :: 3.6", "Programming Language :: Python :: 3.7", "Topic :: Security :: Cryptography", "Topic :: Utilities" ], "description": "Avendesora Collaborative Password Manager\n=========================================\n\n*Avendesora, the leaf of the Tree of Life is the key.*\n\n.. image:: https://img.shields.io/travis/KenKundert/avendesora/master.svg\n :target: https://travis-ci.org/KenKundert/avendesora\n\n.. image:: https://img.shields.io/coveralls/KenKundert/avendesora.svg\n :target: https://coveralls.io/r/KenKundert/avendesora\n\n.. image:: https://img.shields.io/pypi/v/avendesora.svg\n :target: https://pypi.python.org/pypi/avendesora\n\n.. image:: https://img.shields.io/pypi/pyversions/avendesora.svg\n :target: https://pypi.python.org/pypi/avendesora/\n\n.. IGNORE: pypi statics are broken and unlikely to be fixed\n .. image:: https://img.shields.io/pypi/dm/avendesora.svg\n :target: https://pypi.python.org/pypi/avendesora/\n\n.. 
image:: https://requires.io/github/KenKundert/avendesora/requirements.svg?branch=master\n :target: https://requires.io/github/KenKundert/avendesora/requirements/?branch=master\n :alt: Requirements Status\n\n:Authors: Ken & Kale Kundert\n:Version: 1.15.0\n:Released: 2019-09-28\n\nAvendesora replaces Abraxas; both are alternatives to the traditional \npassword vault.\n\nPlease report all bugs and suggestions to avendesora@nurdletech.com\n\nIntroduction\n------------\n\nAvendesora is a powerful command-line utility that can securely hold and \nconveniently provide access to a wide variety of information about your \naccounts, including their secrets such as passwords. Account values can be \ndisplayed, copied to the clipboard, or automatically typed into running \napplications such as your web browser or terminal windows. Avendesora can also \nopen accounts in your web browser, automatically recognize which account to use \nbased on the window title, and warn you if the browser is not using encryption \nwhen you go to enter your password.\n\nAccount secrets can be saved in encrypted form, as with password vaults, or \ngenerated from a root secret. Generated secrets have two important benefits. \nFirst, they are produced from a random seed, and so are quite unpredictable. \nThis is important, because the predictability of passwords can be exploited \nwhen cracking passwords. Second, if a root secret is shared with another \ntrusted party, then you both can generate new shared secrets without passing any \nfurther secrets.\n\nSecrets are generated from a collection of seeds, one of which must be random \nwith a very high degree of entropy. The random seed is referred to as the \n'master seed' or the 'root seed'. It is extremely important that the master \nseed remain completely secure. Never disclose a master seed to anyone except \nfor a person you wish to collaborate with, and then only use the shared master \nseed for shared secrets. 
All of your private secrets should be generated from \nprivate master seeds. The seeds generally include the master seed, the account \nname, the secret name, and perhaps a version name. For example, imagine having \na Gmail account, then the account name might simply be 'gmail', and the secret \nname might be 'passcode'. In this case, your master seed is combined with the \nwords 'gmail' and 'passcode', the combination is hashed, and then the password is \ngenerated with an appropriate recipe that you specify. There are recipes for \npasswords, pass phrases, PINs, security questions, etc. The password itself is \nnot stored, rather it is the seeds that are stored and the password is \nregenerated when needed. Notice that all the seeds except the master seed need \nnot be kept secure. Thus, once you have shared a master seed with \na collaborator, all you need to do is share the remaining seeds and your \ncollaborator can generate exactly the same password. Another important thing to \nnotice is that the generated password is dependent on the account and secret \nnames. Thus if you rename your account or your secret, the password will change. \nSo you should be careful when you first create your account to name it \nappropriately so you don't feel the need to change it in the future. For \nexample, 'gmail' might not be a good account name if you expect to have multiple \nGmail accounts. In this case you might want to include your username in the \naccount name. You can always make the shorter 'gmail' as an account alias so you \ncan still access the account quickly.\n\n\nInstallation\n------------\n\nInstall with::\n\n pip3 install --user avendesora\n\nThis will place avendesora in ~/.local/bin, which should be added to your path.\n\nYou will also need to install some operating system commands. On Fedora use::\n\n yum install gnupg2 xdotool xsel\n\nYou should also install python-gobject. 
Conceivably this could be installed with \nthe above pip command, but gobject appears broken in pypi, so it is better to use \nthe operating system's package manager to install it. See the setup.py file for \nmore information. On Redhat systems use::\n\n yum install python3-gobject\n\nIf you would like to use scrypt as a way of encrypting fields, you will need to \ninstall scrypt by hand using::\n\n pip3 install --user scrypt\n\n\nUpgrading\n---------\n\nAvendesora is primarily a password generator. As a result, there is always \na chance that something could change in the password generation algorithm that \ncauses the generated passwords to change. Of course, the program is thoroughly \ntested to assure this does not happen, but there is still a small chance that \nsomething slips through. To assure that you are not affected by this, you \nshould archive your passwords before you upgrade with::\n\n avendesora changed\n avendesora archive\n\nThe *changed* command should always be run before an *archive* command. It \nallows you to review all the changes that have occurred so that you can verify \nthat they were all intentional. Once you are comfortable, run the *archive* \ncommand to save all the changes. Then upgrade with::\n\n pip3 install --upgrade --user avendesora\n\nFinally, run::\n\n avendesora changed\n\nto confirm that none of your generated passwords have changed.\n\nIt is a good idea to run 'avendesora changed' and 'avendesora archive' on \na routine basis to keep your archive up to date.\n\nUpon updating you may find that Avendesora produces a message that a 'hash' has \nchanged. This is an indication that something has changed in the program that \ncould affect the generated secrets. Again, care is taken when developing \nAvendesora to prevent this from happening. But it is an indication that you \nshould take extra care. Specifically you should follow the above procedure to \nassure that the values of your generated secrets have not changed. 
Once you have \nconfirmed that the upgrade has not affected your generated secrets, you should \nfollow the directions given in the warning and update the appropriate hash \ncontained in ~/.config/avendesora/.hashes.\n\n\nRequirements\n------------\n\nGPG\n\"\"\"\nTo use Avendesora, you will need GPG and you will need a GPG ID that is \nassociated with a private key. That GPG ID could be in the form of an email \naddress or an ID string that can be found using 'gpg --list-keys'.\n\nIf you do not yet have a GPG key, you can get one using::\n\n $ gpg --gen-key\n\nYou should probably choose 4096-bit RSA keys. Now, edit ~/.gnupg/gpg.conf and add \nthe line::\n\n use-agent\n\nThat way, you generally need to give your GPG key pass phrase less often. The \nagent remembers the passphrase for you for a time. Ten minutes is the default, \nbut you can configure gpg-agent to cache passphrases for as long as you like.\n\nIf you use the agent, be sure to also use screen locking so your passwords are \nsecure when you walk away from your computer.\n\n\nVim\n\"\"\"\n\nIf you use Vim, it is very helpful for you to install GPG support in Vim. To do \nso first download::\n\n http://www.vim.org/scripts/script.php?script_id=3645\n\nThen copy the file into your Vim configuration hierarchy::\n\n cp gnupg.vim ~/.vim/plugin\n\n\nInitialization\n--------------\n\nTo operate, Avendesora needs a collection of configuration and accounts files \nthat are stored in ~/.config/avendesora. To create this directory and the \ninitial versions of these files, run::\n\n avendesora init -g \n\nFor example::\n\n avendesora init -g bob@nurdletech.com\n\nor::\n\n avendesora init -g 1B2AFA1C\n\nIf you would like to have more than one person access your passwords, you should \ngive GPG IDs for everyone::\n\n avendesora init -g bob@nurdletech.com,rob@nurdletech.com\n\nAfter initialization, there should be several files in ~/.config/avendesora. 
In \nparticular, you should see at least an initial accounts file and a config file.\n\n\nConfiguration\n-------------\n\nThe config file (~/.config/avendesora/config) allows you to personalize \nAvendesora to your needs. After initializing your account you should take the \ntime to review the config file and adjust it to fit your needs. You should be \nvery thoughtful in this initial configuration, because some decisions (or \nnondecisions) you make can be very difficult to change later. The reason for \nthis is that they may affect the passwords you generate, and if you change them \nyou may change existing generated passwords. In particular, be careful with \n*dictionary_file* and *default_passphase_separator*. Changing these values when \nfirst initializing Avendesora is fine, but should not be done, or should be done very \ncarefully, once you start creating accounts and secrets.\n\nInitial configuration is also a convenient time to determine which of \nyour files should be encrypted with GPG. To assure that a file is encrypted, \ngive it a GPG file suffix (.gpg or .asc). The appropriate settings to adjust \nare: *archive_file*, *log_file*, both of which are set in the config file, and \nthe accounts files, which are found in ~/.config/avendesora/.accounts_files. For \nsecurity reasons it is highly recommended that the archive file be encrypted, \nalong with any accounts file that contains sensitive accounts. 
If you change the suffix \non an accounts file and you have not yet placed any accounts in that file, you \ncan simply delete the existing file and then regenerate it using::\n\n avendesora init -g \n\nAny files that already exist will not be touched, but any missing files will be \nrecreated, and this time they will be encrypted or not based on the extension \nyou give.\n\n\nUsing Avendesora\n----------------\n\nAvendesora supports a series of commands, the complete list of which can be had \nby running the help command::\n\n > avendesora help\n\nMore information on a command is accessed by adding the name of the command as \nthe second argument to the help command::\n\n > avendesora help name\n\nAs an aid to finding the right help topic the topics that contain a particular \nsearch term are listed by adding the -s or --search command line option::\n\n > avendesora help -s term\n\nIf the first argument is not a command, then it must be the name of an account. \nIn this case, the *credentials* command is run if only the account name is \ngiven, otherwise the *value* command is run (any options to the value command \nshould be given after the account name). The *credentials* command generally \ngives the information you would need to login to an account, typically the \nusername or email and the passcode. The *value* command allows you to request \nthe value of a specific piece of information from the account. So for example::\n\n > avendesora amazon\n email: albert@ricochet.com\n password: XDyfL5it\n\n > avendesora citi pin\n 56713522\n\n > avendesora southwest 0\n questions.0 (First foreign country I visited): contour subtract impel\n\nIf you give a number for the desired value, Avendesora assumes you want the \nanswer to the corresponding security question.\n\n\nAccounts\n--------\n\nAvendesora holds information about your accounts in accounts files. The list of \ncurrent accounts files is contained in ~/.config/avendesora/.accounts_files. 
\nEach is a possibly encrypted Python file. All information known about \na particular account is contained in the attributes of a class that is created \nfor that account. For example:\n\n.. code-block:: python\n\n    class BigBank(Account):\n        aliases = 'bb'\n        username = 'gman33'\n        email = 'gman33@pizza.com'\n        urls = 'https://bigbank.com/login'\n        passcode = Password(length=12)\n        verbal = Passphrase(length=2)\n        pin = PIN()\n        accounts = {\n            'checking': Hidden('MTIzNDU2Nzg='),\n            'savings': Hidden('MjM0NTY3ODk='),\n            'creditcard': Hidden('ODczMi0yODk0LTI4NjEtMjgxMA=='),\n        }\n        questions = [\n            Question('What city were you born in?'),\n            Question('What street did you grow up on?'),\n            Question('What was your childhood nickname?'),\n        ]\n        customer_service = '1-866-229-6633'\n\nEach attribute represents a piece of information that can be requested. For \nexample, a summary of all information can be requested with::\n\n > avendesora values bb\n names: bigbank, bb\n accounts:\n checking: \n creditcard: \n savings: \n customer service: 1-866-229-6633\n email: gman33@pizza.com\n passcode: \n pin: \n questions:\n 0: What city were you born in? \n 1: What street did you grow up on? \n 2: What was your childhood nickname? \n urls: https://bigbank.com/login\n username: gman33\n verbal: \n\nThe attributes have various levels of confidentiality. Simple strings are not \nconsidered sensitive. Those values provided by Python classes inherit the \nconfidentiality of the class. Hide() and Hidden() provide simple concealment. \nGPG() and Scrypt() provide full encryption. And classes like Password(), \nPasswordRecipe(), Passphrase(), PIN() and Question() generate secrets. \nAttributes that are considered sensitive are not shown in the above summary, but \ncan be requested individually::\n\n > avendesora value bb pin\n pin: 7784\n\nAttributes can be simple scalars, such as *pin*. 
They can be arrays, such as \n*questions*::\n\n > avendesora value bigbank questions.1\n questions.1 (What street did you grow up on?): lockout insulator crumb\n\nOr they can be dictionaries::\n\n > avendesora value bb accounts.checking\n accounts.checking: 12345678\n\nThe passcode attribute is the default scalar attribute::\n\n > avendesora value bb\n passcode: Nj3gpqHNfiie\n\nThe questions attribute is the default array attribute, which is used if the \nrequested field is a number::\n\n > avendesora value bb 0\n questions.0 (What city were you born in?): muffin favorite boyfriend\n\nYou can also use simple scripts as the requested value::\n\n > avendesora value 'username: {username}, password: {passcode}'\n username: gman33, password: Nj3gpqHNfiie\n\nFinally, the attributes themselves may be scripts. For example, if you added the \nfollowing to your account::\n\n cc = Script('{accounts.creditcard} 02/23 363')\n\nThen you could access a summary of your credit card information with::\n\n > avendesora value cc\n 8732-2894-2861-2810 02/23 363\n\n\nAdding And Editing Accounts\n---------------------------\n\nYou add new accounts using the *add* command::\n\n > avendesora add [