commit 20a755b977dcfaf5be88243847c1730720fbf79f from: Alex Arx via: Alex Arch date: Sun Mar 16 08:11:17 2025 UTC initial transition from gpm to secstore The name 'gpm' has several problems: - There already *is* a Linux program called 'gpm' - The utility is now much more general, and no longer forces you to use gpg - Although the primary use is still passwords, it can handle multi-line and binary files, so the 'pm' part is not very correct either The utility has been renamed to 'secstore', and some transition (env variable names, invocation changes, etc.) has been made. This version is *not* compatible with any versions of gpm, and never will be. commit - ca70700ed21b39d87999d27df889121d54dfaf35 commit + 20a755b977dcfaf5be88243847c1730720fbf79f blob - 372418686f1931995eb2d6be7e1dca9a342d4cdc (mode 755) blob + /dev/null --- examples/igpm +++ /dev/null @@ -1,92 +0,0 @@ -#!/bin/sh - -selector=${SELECTOR:-fzf} -justprint=false -allenable=true -tmux=tmux -primary=primary -clipboard=clipboard -out=out - -while getopts COPTcopt name; do - case $name in - C) clipboard= ;; - O) out= ;; - P) primary= ;; - T) tmux= ;; - [copt]) - if $allenable; then - allenable=false - tmux= - primary= - clipboard= - out= - fi - - case $name in - c) clipboard=clipboard ;; - o) out=out ;; - p) primary=primary ;; - t) tmux=tmux ;; - esac - ;; - ?) echo "usage: igpm [-COPTcopt] [file ...]" >&2; exit 1 ;; - esac -done -shift $((OPTIND - 1)) - -test -n "$TMUX" || tmux= -test -n "$DISPLAY" || { primary=; clipboard=; } - -clip="$tmux $primary $clipboard $out" -nclip=0 -for c in $clip; do nclip=$((nclip + 1)); done -[ $nclip -gt 0 ] || { echo "nowhere to copy" 2>&1; exit 1; } -[ $nclip -eq 1 ] || clip="$(printf %s\\n $clip | $selector)" - -case $clip in -tmux) - test "$tmux" || exit 1 - GPM_COPY_INCMD='tmux loadb -b _gpm -' - GPM_COPY_OUTCMD='tmux showb -b _gpm' - GPM_COPY_DELCMD='tmux deleteb -b _gpm' - ;; -primary) - test "$primary" || exit 1 - GPM_COPY_INCMD=xclip - GPM_COPY_OUTCMD='xclip -o' - GPM_COPY_DELCMD='xclip &2; exit 1 ;; + esac +done +shift $((OPTIND - 1)) + +test -n "$TMUX" || tmux= +test -n "$DISPLAY" || { primary=; clipboard=; } + +clip="$tmux $primary $clipboard $out" +nclip=0 +for c in $clip; do nclip=$((nclip + 1)); done +[ $nclip -gt 0 ] || { echo "nowhere to copy" 2>&1; exit 1; } +[ $nclip -eq 1 ] || clip="$(printf %s\\n $clip | $selector)" + +case $clip in +tmux) + test "$tmux" || exit 1 + GPM_COPY_INCMD='tmux loadb -b _gpm -' + GPM_COPY_OUTCMD='tmux showb -b _gpm' + GPM_COPY_DELCMD='tmux deleteb -b _gpm' + ;; +primary) + test "$primary" || exit 1 + GPM_COPY_INCMD=xclip + GPM_COPY_OUTCMD='xclip -o' + GPM_COPY_DELCMD='xclip -# -# Permission to use, copy, modify, and distribute this software for any -# purpose with or without fee is hereby granted, provided that the above -# copyright notice and this permission notice appear in all copies. -# -# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES -# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF -# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR -# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES -# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN -# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF -# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. - -use strict; -use warnings; - -use File::Basename; -use File::Path 'make_path'; -use Getopt::Std; -use IPC::Open2; -use POSIX qw(setsid); -use Text::ParseWords; - -use Digest::SHA 'sha256'; - -our ($opt_g, $opt_d, $opt_r); -my $gpg; - -# usage: print usage information to stderr and exit with error. -sub usage { - die -"usage: gpm [-g command] [-d dir] add [-Nnm] name\n" . -" gpm [-g command] [-d dir] copy [-Nnm] [-d delcmd] [-i incmd]\n" . -" [-o outcmd] [-s time] name\n" . -" gpm [-d dir] rm name ...\n" . -" gpm [-g command] [-d dir] show [-Nn] name\n" . -" gpm [-d dir] mv from to\n" . -" gpm [-d dir] ls\n"; -} - -# getflags: put environment flags at the start of @ARGV -sub getflags { - my ($var) = @_; - unshift(@ARGV, shellwords $ENV{$var} // '') if defined $var && $var ne ''; -} - -# shellquote: return string suitable for using as an argument for sh -sub shellquote { - my ($s) = @_; - $s =~ s/'/'\\''/g; - return "'" . $s . "'"; -} - -# getrecipient: return string to be used with gpg's -r option. -# -# Past versions of gpm (written in shell) required explicit recipient, set by -# option -r, or the GPM_RECIPIENT environment variable. This is completely -# unnecessary now, due to GPM_GPG and -g, but legacy syntax is still maintained. -sub getrecipient { - return shellquote($opt_r // $ENV{GPM_RECIPIENT}); -} - -# ckpath $path -# -# Return 1 if $path doesn't start with /, or contain .. files, and 0 otherwise. -sub ckpath { - my ($p) = @_; - return $p !~ m,^/, && $p ne ".." && $p !~ m,^\.\./, && $p !~ m,/\.\./, - && $p !~ m,/\.\.$,; -} - -# cklegacy $f -# -# Returns the correct path for $f (with or without the .gpg suffix), or dies -# if no such file exists. -sub cklegacy { - my ($f) = @_; - if (!-f $f) { - my $f2 = $f . ".gpg"; - -f $f2 or die "neither $f, nor $f2 exist as regular files\n"; - return $f2; - } - return $f; -} - -# prunetree $d: remove empty directories, starting from $d, and going up. -sub prunetree { - for (my ($d) = @_; $d ne "."; $d = dirname $d) { - rmdir $d or last; - } -} - -# add -# -# Encrypt the secret from stdin, and store the ciphertext in file specified -# on the command line. -sub add { - our ($opt_N, $opt_n, $opt_m); - my ($r, $sec) = (getrecipient(), ''); - - getopts('Nnm') or usage(); - $#ARGV >= 0 or usage(); - - my $cmd = $ENV{GPM_ENCCMD} // - "$gpg -e" . (defined $r ? " -r $r" : "") . " --"; - - my $outfile = $ARGV[0]; - ckpath $outfile or die "bad path: $outfile\n"; - - -e $outfile and die "$outfile already exists\n"; - - if (-t STDIN && !$opt_m) { - open TTY, "/dev/tty" || die "couldn't open /dev/tty: $!\n"; - system "stty -echo"; - - print "Secret:"; - $sec = ; - print "\n"; - print "Repeat:"; - my $sec2 = ; - print "\n"; - if ($opt_n && !$opt_N) { - chomp $sec; - chomp $sec2; - } - - system "stty echo"; - close TTY; - die "Sorry\n" if $sec ne $sec2; - undef $sec2; - } else { - while () { $sec .= $_; } - } - - my $pid = open2(my $reader, my $writer, $cmd); - print $writer $sec; - undef $sec; - close $writer; - my $out = ''; - while (<$reader>) { $out .= $_; } - waitpid $pid, 0; - $? == 0 or exit 1; - - my $d = dirname $outfile; - make_path $d, {mode => 0700}; - umask 0377; - unless (open FH, ">$outfile") { - prunetree $d; - die "couldn't open $outfile for writing: $!\n"; - } - unless (print FH $out) { - prunetree $d; - die "couldn't write to $outfile: $!\n"; - } -} - -# ls -# -# Produce a listing of files in the gpm directory, using the GPM_LSCMD -# environment variable if defined. -sub ls { - my $cmd = $ENV{GPM_LSCMD}; - - unless (defined $cmd) { - opendir my $dh, "." or die "couldn't open directory .: $!\n"; - while (readdir $dh) { - if ($_ ne "." && $_ ne ".." && -d $_) { - $cmd = "find . -type f | sed 's,^\./,,'"; - last; - } - } - $cmd = "ls" unless defined $cmd; - } - system $cmd; - $? == 0 or exit 1; -} - -# mv: safely rename $ARGV[0] to $ARGV[1]. -sub mv { - $#ARGV >= 1 || usage(); - my ($from, $to) = @ARGV; - - ckpath $from or die "bad path $from\n"; - ckpath $to or die "bad path $to\n"; - -e $to and die "$to already existst\n"; - $from = cklegacy $from; - - make_path(dirname $to, {mode => 0700}); - rename $from, $to; - prunetree(dirname $from); -} - -# rm: unlink arguments, asking each time. -sub rm { - $#ARGV >= 0 || usage(); - for (@ARGV) { - my $f = $_; - unless (ckpath $f) { - print STDERR "bad path $f\n"; - next; - } - $f = cklegacy $f; - print "Really remove $f? "; - =~ m/^[Yy]/ and unlink $f; - prunetree(dirname $f); - } -} - -# get: decrypt file, and return plaintext. -sub get { - my ($Nflag, $nflag) = @_; - $#ARGV >= 0 or usage(); - my $file = $ARGV[0]; - my $cmd = $ENV{GPM_DECCMD} // "$gpg -d --"; - - ckpath $file or die "bad path $file\n"; - - open(my $freader, "<", $file) or die "Can't open < $file: $!"; - my $pid = open2(my $cmdreader, my $cmdwriter, $cmd); - print $cmdwriter $_ while (<$freader>); - close $cmdwriter; - close $freader; - my $out = ''; - while (<$cmdreader>) { $out .= $_; } - waitpid $pid, 0; - $? == 0 or exit 1; - chomp($out) if ($nflag && !$Nflag); - - return $out; -} - -# show: decrypt file, and print plaintext to stdout. -sub show { - our ($opt_N, $opt_n); - getopts('Nn') or usage(); - print(get $opt_N, $opt_n); -} - -# copy: decrypt file, and copy to GPM_COPY_INCMD, delete with GPM_COPY_DELCMD -# after GPM_COPY_SLEEP seconds if necessary. -sub copy { - our ($opt_N, $opt_n, $opt_d, $opt_i, $opt_o, $opt_s); - - getopts('Nnd:i:o:s:') or usage(); - $#ARGV >= 0 or usage(); - - my $delcmd = $opt_d // $ENV{GPM_COPY_DELCMD} // "xclip /dev/null'); - open(STDERR, '>/dev/null'); - POSIX::setsid(); - sleep $sleep; - system($delcmd) if - (sha256(`$outcmd`) eq $pw); - } - } else { - waitpid $pid, 0; - exit $?; - } -} - -getopts('g:d:r') or usage(); - -$#ARGV >= 0 or usage(); -my $cmd = $ARGV[0]; -shift @ARGV; - -$gpg = $opt_g // $ENV{GPM_GPG} // "gpg"; -$gpg = $opt_g // $ENV{GPM_GPG} // "gpg"; - -my $gpmd = $opt_d // $ENV{GPM_DIR}; -unless (defined $gpmd) { - if (defined $ENV{XDG_DATA_HOME}) { - $gpmd = $ENV{XDG_DATA_HOME} . "/gpm"; - } elsif (defined $ENV{HOME}) { - $gpmd = $ENV{HOME} . "/.gpm"; - } else { - die "couldn't determine the gpm directory\n"; - } -} - -make_path $gpmd, {mode => 0700}; -chdir $gpmd or die "couldn't change directory to $gpmd: $!\n"; - -for ($cmd) { -if (/^a/) { add(getflags "GPM_ADD"); last; } -if (/^c/) { copy(getflags "GPM_COPY"); last; } -if (/^l/) { ls(getflags "GPM_LS"); last; } -if (/^m/) { mv(getflags "GPM_MV"); last; } -if (/^r/) { rm(getflags "GPM_RM"); last; } -if (/^s/) { show(getflags "GPM_SHOW"); last; } - usage(); -} blob - /dev/null blob + 8937fb813de98de4c00a4fdeb9eeea1c86aab67b (mode 755) --- /dev/null +++ secstore @@ -0,0 +1,313 @@ +#!/usr/bin/perl + +# Copyright (c) 2023-2025 Alex Arch +# +# Permission to use, copy, modify, and distribute this software for any +# purpose with or without fee is hereby granted, provided that the above +# copyright notice and this permission notice appear in all copies. +# +# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES +# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF +# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR +# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES +# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN +# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF +# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + +use strict; +use warnings; + +use File::Basename; +use File::Path 'make_path'; +use Getopt::Std; +use IPC::Open2; +use POSIX qw(setsid); +use Text::ParseWords; + +use Digest::SHA 'sha256'; + +our $opt_d; + +# usage: print usage information to stderr and exit with error. +sub usage { + die "usage: secstore [-d dir] command [arg ...]\n"; +} + +# getflags: put environment flags at the start of @ARGV +sub getflags { + my ($var) = @_; + unshift(@ARGV, shellwords $ENV{$var} // '') if defined $var && $var ne ''; +} + +# shellquote: return string suitable for using as an argument for sh +sub shellquote { + my ($s) = @_; + $s =~ s/'/'\\''/g; + return "'" . $s . "'"; +} + +# ckpath $path +# +# Return 1 if $path is not empty, doesn't start with /, or contain .. or ., +# and 0 otherwise. +sub ckpath { + my ($p) = @_; + return $p ne '' && $p !~ m,^/, && $p !~ m/\.\.?/ && $p !~ m,^\.\.?/, && + $p !~ m,/\.\.?/, && $p !~ m,/\.\.?$,; +} + +# prunetree $d: remove empty directories, starting from $d, and going up. +sub prunetree { + for (my ($d) = @_; $d ne "."; $d = dirname $d) { + rmdir $d or last; + } +} + +# secstore_add +# +# Encrypt the secret from stdin, and store the ciphertext in file specified +# on the command line. +sub secstore_add { + our ($opt_N, $opt_n); + my ($cmd, $sec) = ($ENV{SECSTORE_ENCCMD} // 'gpg -e --', ''); + + local *usage = sub { + die "usage: secstore add [-Nn] name\n"; + }; + + getopts('Nn') && scalar(@ARGV) == 1 or usage(); + + my $outfile = $ARGV[0]; + ckpath $outfile or die "bad path: $outfile\n"; + + -e $outfile and die "$outfile already exists\n"; + + if (-t STDIN) { + open TTY, "/dev/tty" || die "couldn't open /dev/tty: $!\n"; + system "stty -echo"; + + print "Secret:"; + $sec = ; + print "\n"; + print "Repeat:"; + my $sec2 = ; + print "\n"; + if ($opt_n && !$opt_N) { + chomp $sec; + chomp $sec2; + } + + system "stty echo"; + close TTY; + die "Sorry\n" if $sec ne $sec2; + undef $sec2; + } else { + while () { $sec .= $_; } + } + + my $pid = open2(my $reader, my $writer, $cmd); + print $writer $sec; + undef $sec; + close $writer; + my $out = ''; + while (<$reader>) { $out .= $_; } + waitpid $pid, 0; + $? == 0 or exit 1; + + my $d = dirname $outfile; + make_path $d, {mode => 0700}; + umask 0377; + unless (open(FH, ">$outfile") && print(FH $out)) { + prunetree $d; + die "couldn't write to $outfile: $!\n"; + } +} + +# secstore_list +# +# Produce a listing of files in the gpm directory, using the SECSTORE_LSCMD +# environment variable if defined. +sub secstore_list { + my $cmd = $ENV{SECSTORE_LSCMD}; + + unless (defined $cmd) { + opendir my $dh, "." or die "couldn't open directory .: $!\n"; + while (readdir $dh) { + if ($_ ne "." && $_ ne ".." && -d $_) { + $cmd = "find . -type f | sed 's,^\./,,'"; + last; + } + } + $cmd = "ls" unless defined $cmd; + } + system $cmd; + $? == 0 or exit 1; +} + +# secstore_move: safely rename $ARGV[0] to $ARGV[1]. +sub secstore_move { + local *usage = sub { + die "usage: secstore move from to\n"; + }; + scalar(@ARGV) == 2 || usage(); + my ($from, $to) = @ARGV; + + ckpath $from or die "bad path $from\n"; + ckpath $to or die "bad path $to\n"; + -e $to and die "$to already existst\n"; + + make_path(dirname $to, {mode => 0700}); + rename $from, $to; + prunetree(dirname $from); +} + +# secstore_remove: unlink arguments, asking each time. +sub secstore_remove { + local *usage = sub { + die "usage: secstore remove name [name ...]\n"; + }; + scalar(@ARGV) >= 1 || usage(); + for (@ARGV) { + my $f = $_; + unless (ckpath $f) { + print STDERR "bad path $f\n"; + next; + } + print "Really remove $f? "; + =~ m/^[Yy]/ and unlink $f; + prunetree(dirname $f); + } +} + +# get: decrypt file, and return plaintext. +sub get { + my ($Nflag, $nflag, $file) = @_; + my $cmd = $ENV{SECSTORE_DECCMD} // "gpg -dq --"; + + ckpath $file or die "bad path: $file\n"; + -f $file or die "no such file: $file\n"; + + open(my $freader, "<$file") or die "Couldn't open <$file: $!\n"; + my $pid = open2(my $cmdreader, my $cmdwriter, $cmd); + print $cmdwriter $_ while (<$freader>); + close $cmdwriter; + close $freader; + my $out = ''; + while (<$cmdreader>) { $out .= $_; } + waitpid $pid, 0; + $? == 0 or exit 1; + chomp($out) if ($nflag && !$Nflag); + + return $out; +} + +# secstore_print: decrypt file, and print plaintext to stdout. +sub secstore_print { + our ($opt_N, $opt_n); + local *usage = sub { + die "usage: secstore print [-Nn] name ..."; + }; + getopts('Nn') && scalar(@ARGV) == 1 or usage(); + print(get $opt_N, $opt_n, $ARGV[0]); +} + +# copy: decrypt file, and copy to SECSTORE_COPY_INCMD, delete with +# SECSTORE_COPY_DELCMD after SECSTORE_COPY_SLEEP seconds if necessary. +sub secstore_copy { + our ($opt_N, $opt_n, $opt_d, $opt_i, $opt_o, $opt_s); + local *usage = sub { + die +"usage: secstore copy [-Nn] [-d delcmd] [-i incmd] [-o outcmd] [-s sleeptime]\n" . +" name\n" + }; + + getopts('Nnd:i:o:s:') && scalar(@ARGV) == 1 or usage(); + + my $delcmd = $opt_d // $ENV{SECSTORE_COPY_DELCMD} // "xclip /dev/null'); + open(STDERR, '>/dev/null'); + POSIX::setsid(); + sleep $sleep; + system($delcmd) if + (sha256(`$outcmd`) eq $pw); + } + } else { + $pw = ''; + waitpid $pid, 0; + exit $?; + } +} + +getopts('d:') or usage(); + +scalar(@ARGV) >= 1 or usage(); +my $cmd = $ARGV[0]; +shift @ARGV; + +my $secstore_dir = $opt_d // $ENV{SECSTORE_DIR}; +unless (defined $secstore_dir) { + if (defined $ENV{XDG_DATA_HOME}) { + $secstore_dir = $ENV{XDG_DATA_HOME} . "/secstore"; + } elsif (defined $ENV{HOME}) { + $secstore_dir = $ENV{HOME} . "/.secstore"; + } else { + die "couldn't determine the secstore directory\n"; + } +} + +make_path $secstore_dir, {mode => 0700}; +chdir $secstore_dir or die "couldn't change directory to $secstore_dir: $!\n"; + +for ($cmd) { +if (/^add$/) { + secstore_add(getflags "SECSTORE_ADD"); +} elsif (/^(cp|copy)$/) { + secstore_copy(getflags "SECSTORE_COPY"); +} elsif (/^(ls|list)$/) { + secstore_list(getflags "SECSTORE_LIST"); +} elsif (/^(mv|move)$/) { + secstore_move(getflags "SECSTORE_MOVE"); +} elsif (/^print$/) { + secstore_print(getflags "SECSTORE_PRINT"); +} elsif (/^(rm|remove)$/) { + secstore_remove(getflags "SECSTORE_REMOVE"); +} else { + die "unknown command: " . $cmd . "\n" +} +} blob - c76d3c2a3348814bae7bf9a3eab0a09a73b04e45 (mode 644) blob + /dev/null --- gpm.1 +++ /dev/null @@ -1,228 +0,0 @@ -.\" Copyright (c) 2023 Alex Arx -.\" -.\" Permission to use, copy, modify, and distribute this software for any -.\" purpose with or without fee is hereby granted, provided that the above -.\" copyright notice and this permission notice appear in all copies. -.\" -.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES -.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF -.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR -.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES -.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN -.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF -.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. -.\" -.Dd November 16, 2024 -.Dt GPM 1 -.Os -.Sh NAME -.Nm gpm -.Nd general secret (or password) manager -.Sh SYNOPSIS -.Nm -.Op Fl d Ar dir -.Ar command -.Op Ar arg ... -.Sh DESCRIPTION -The utility -.Nm -is a secret manager. -Secrets are stored in a directory tree as files, encrypted with -.Xr gpg 1 -or a custom command (see -.Sx ENVIRONMENT ) . -.Nm -provides several commands for manipulating secrets. -Commands may be specified by their shortest unique prefix (all characters -after are ignored). -Commands may accept additional arguments. -Commands may be preceeded by global options as follows: -.Bl -tag -width Ds -.It Fl d Ar dir -The directory to store and retrieve secrets from. -Overrides -.Ev GPM_DIR . -.El -.Pp -The -.Nm -commands are as follows: -.Bl -tag -width Ds -.It Xo -.Cm add -.Op Fl Nnm -.Ar name -.Xc -Create a new secret -.Ar name . -The new secret is read from stdin. -If used from a TTY without the -.Fl m -flag, a single line is read twice, and not echoed. -Otherwise, an arbitrary amount of lines is read normally once. -If -.Fl n -is specified without -.Fl N -chop off any last newline character of input. -.Pp -Options in the -.Ev GPM_ADD -environment variable are passed to -.Nm -.Cm add -automatically, before any options specified on the command line. -.It Xo -.Cm copy -.Op Fl Nn -.Op Fl d Ar delcmd -.Op Fl i Ar incmd -.Op Fl o Ar outcmd -.Op Fl s Ar time -.Ar name -.Xc -Copy the secret -.Ar name -by piping it to -.Ar incmd . -After -.Ar time -seconds, run -.Ar delcmd -if -.Ar outcmd -prints plaintext secret -.Ar name -on standard output. -Without -.Fl d , i , o -or -.Fl s , -the values of -.Ev GPM_COPY_DELCMD , GPM_COPY_INCMD , GPM_COPY_OUTCMD -and -.Ev GPM_COPY_SLEEP -are used. -The default values are -.Ql xclip +.\" +.\" Permission to use, copy, modify, and distribute this software for any +.\" purpose with or without fee is hereby granted, provided that the above +.\" copyright notice and this permission notice appear in all copies. +.\" +.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES +.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF +.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR +.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES +.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN +.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF +.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. +.\" +.Dd February 15, 2025 +.Dt SECSTORE 1 +.Os +.Sh NAME +.Nm secstore +.Nd manage secure (or secret) storage +.Sh SYNOPSIS +.Nm +.Op Fl d Ar dir +.Ar command +.Op Ar arg ... +.Sh DESCRIPTION +The utility +.Nm +is a secret manager. +Secrets are stored in a directory tree as files, encrypted with +.Xr gpg 1 +or a custom command (see +.Sx ENVIRONMENT ) . +.Nm +provides several commands for manipulating secrets. +Commands may be specified by their shortest unique prefix (all characters +after are ignored). +Commands may accept additional arguments. +Commands may be preceeded by global options as follows: +.Bl -tag -width Ds +.It Fl d Ar dir +The directory to store and retrieve secrets from. +Overrides +.Ev GPM_DIR . +.El +.Pp +The +.Nm +commands are as follows: +.Bl -tag -width Ds +.It Xo +.Cm add +.Op Fl Nnm +.Ar name +.Xc +Create a new secret +.Ar name . +The new secret is read from stdin. +If used from a TTY without the +.Fl m +flag, a single line is read twice, and not echoed. +Otherwise, an arbitrary amount of lines is read normally once. +If +.Fl n +is specified without +.Fl N +chop off any last newline character of input. +.Pp +Options in the +.Ev SECSTORE_ADD +environment variable are passed to +.Nm +.Cm add +automatically, before any options specified on the command line. +.It Xo +.Cm copy +.Op Fl Nn +.Op Fl d Ar delcmd +.Op Fl i Ar incmd +.Op Fl o Ar outcmd +.Op Fl s Ar time +.Ar name +.Xc +Copy the secret +.Ar name +by piping it to +.Ar incmd . +After +.Ar time +seconds, run +.Ar delcmd +if +.Ar outcmd +prints plaintext secret +.Ar name +on standard output. +Without +.Fl d , i , o +or +.Fl s , +the values of +.Ev SECSTORE_COPY_DELCMD , SECSTORE_COPY_INCMD , SECSTORE_COPY_OUTCMD +and +.Ev SECSTORE_COPY_SLEEP +are used. +The default values are +.Ql xclip