Another password manager in C language because why not ;-)
My objective is a simple program that can be compiled without linking external libraries on any POSIX operating system. I have only used the ncurses library, for security reasons and for a better user interface.
- A main password protects the information
- The shape of the main password is controlled by a password policy
- Each piece of information is encrypted with AES 256 (CBC mode) and saved in a local file
- Each couple of secret information is checked by an integrity value (HMAC based on SHA256)
- The encryption key (256 bits) is never saved; it is generated from the main password by applying the AES algorithm for 10,000 rounds in CBC mode, then it is XOR-linked to the hash value of the executable file
- The encryption key is left masked in memory when it is not used
- The encryption key is derived from the user password with the PBKDF2 algorithm
- Confidential information is decrypted only for display; before and after that it is left encrypted in memory
- The local file (that contains encrypted information) is writable and readable only by the owner
- A backup file is automatically created if a local file already exists when a new entry is added or an existing entry is edited
- A brute-force attack shield does not permit executing `yatpama` less than 60 seconds after the last end of execution
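As an added example (not yatpama's own code), here is one way to create a data file that only its owner can read and write, and to audit an existing file, such as the data file or a clear-text export, for that property. The function names and the demo file name are hypothetical.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create a new file that only the owner can read and write.
 * O_EXCL refuses to reuse an existing file and O_NOFOLLOW refuses a symlink
 * planted at the path. Returns an open descriptor, or -1 on error. */
int create_private_file(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW,
                  S_IRUSR | S_IWUSR);
    if (fd < 0)
        return -1;
    /* The umask can only clear bits; fchmod pins the mode to exactly 0600. */
    if (fchmod(fd, S_IRUSR | S_IWUSR) != 0) {
        close(fd);
        unlink(path);
        return -1;
    }
    return fd;
}

/* Return 1 if path is a regular file owned by the current user with no
 * group/other permission bits, 0 if it is not, -1 if it cannot be examined. */
int is_owner_only(const char *path)
{
    struct stat st;
    if (lstat(path, &st) != 0)
        return -1;
    if (!S_ISREG(st.st_mode) || st.st_uid != geteuid())
        return 0;
    return (st.st_mode & (S_IRWXG | S_IRWXO)) == 0;
}

int main(void)
{
    const char *path = "demo_yatpama.data"; /* constructed name, current dir */
    int fd = create_private_file(path);
    if (fd < 0) { perror(path); return 1; }
    close(fd);
    printf("%s owner-only: %d\n", path, is_owner_only(path));
    chmod(path, 0644);                      /* simulate a careless chmod */
    printf("after chmod 0644: %d\n", is_owner_only(path));
    return unlink(path) != 0;
}
```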
You need a C compiler and the `make` utility or equivalent.
In a terminal, go to the `yatpama` directory.
Just type `make` and you will obtain an executable named `yatpama` to be placed in a directory accessible from your `PATH`.
`make clean` will delete all intermediate files (like `.o` files).
`make delete` will delete all executable files.
In a terminal and a directory, a user can:
- Execute `yatpama`
- Choose a main password at first launch (command `p`)
- Add a new entry: a couple of secret information (command `a`)
- List current entries (command `l`)
- Search and print entries according to a pattern (command `s`)
- Delete an entry (command `d`)
- Edit an entry (command `e`)
- Export information to a clear text file (command `x`)
- Import information from a clear text file (command `i`)
- Quit `yatpama` (command `q`)
After adding the first entry, the file named `yatpama.data` will be created in the current directory. So, a `yatpama.data` file can exist in each directory if you want, with the same or a different main password.
Of course, the user can change the password until a first entry is added. After that, the same password must be used to get clear information.
The user is invited to try `yatpama` with false information until he understands how it works, before using it to store real confidential information.
Each data file `yatpama.data` is linked to the executable file `yatpama` used to create the data file, in such a way that it is impossible to decipher information without the original `yatpama` version. So, it is imperative to export information before installing a new version of `yatpama`.
The user has to follow this procedure:
1. Before installation, export information to the temporary file (`yatpama_export.txt`) (command `x`)
2. Install the new version of `yatpama`
3. Execute the new version of `yatpama`
   If a data file `yatpama.data` from an old version is found in the current directory, the user will be notified by a help message, then the application will exit. The user has to rename this file, to `yatpama.data.oldversion` for example, before executing the new version of `yatpama`.
4. Import information with the newly installed `yatpama` version (command `i`)
5. Check that the import is a full success: quit, then re-execute `yatpama` and print entries
6. Delete the temporary file (`yatpama_export.txt`) containing clear information if step 5 is a success (or save it in a trusted location).
The backup file `yatpama.data.oldversion` can be re-used in case there is a problem with the new version. In this case, the user has to re-install the previous version of `yatpama` indicated at step 3, then rename `yatpama.data.oldversion` to `yatpama.data`.
This project is under GNU General Public License v3.0
- This project uses Tiny AES in C under The Unlicense (files aes.h aes.c test_AE128.c)
- This project uses a modified version of the SHA256 implementation by Brad Conte, which is in the public domain (files sha256.h sha256.c)