Since March, I've been working on a password manager. Most of the password managers that are purportedly small and simple just outsource their cryptography elsewhere, often to some large program like gpg2. I wanted something simple and self-contained, which only depended on libc. I was happy with the interface of pash, but I wanted to replace the cryptographic backend.
I wanted to use a master password to encrypt a database of passwords, so I needed a cipher and a key derivation function. This is a standard use case for something like libsodium. However, I opted not to use it, because it isn't designed to be self-contained and dropped into a project. For a while I used a ChaCha20 (cipher) implementation extracted from BearSSL, and the reference implementation of Argon2 (KDF). At some point, I was pointed to Monocypher, which was exactly what I was looking for: a libsodium-like library in a single header and source file. Incidentally, it also uses ChaCha20 and Argon2.
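The pipeline that paragraph describes (master password, memory-hard KDF, fresh salt and nonce, authenticated cipher) is sketched below as an added example. It is not code from npm, pash or Monocypher, and it deliberately uses only the Python standard library, so three things are stand-ins and should be read as assumptions: hashlib.scrypt replaces Argon2 (both are memory-hard password KDFs), a from-scratch RFC 8439 ChaCha20 replaces Monocypher's ChaCha20, and an HMAC-SHA256 encrypt-then-MAC tag replaces the Poly1305 tag that Monocypher's authenticated encryption produces. The on-disk layout (salt | nonce | tag | ciphertext) and the KDF cost parameters are illustrative choices, not npm's format.

```python
"""Seal a password file under a key derived from a master password.

Added illustration, not code from npm, pash or Monocypher. Stand-ins
(assumptions, chosen so this runs on the standard library alone):
  - hashlib.scrypt in place of Argon2;
  - a from-scratch RFC 8439 ChaCha20 in place of Monocypher's;
  - HMAC-SHA256 (encrypt-then-MAC) in place of Monocypher's Poly1305 tag.
File layout salt | nonce | tag | ciphertext is also an assumption.
"""
import hashlib
import hmac
import os
import struct

SALT_LEN, NONCE_LEN, TAG_LEN = 16, 12, 32
MASK32 = 0xFFFFFFFF


def _rotl32(v, n):
    return ((v << n) | (v >> (32 - n))) & MASK32


def _quarter_round(s, a, b, c, d):
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl32(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl32(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl32(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl32(s[b] ^ s[c], 7)


def chacha20_block(key, counter, nonce):
    """One 64-byte keystream block (RFC 8439: 256-bit key, 32-bit counter, 96-bit nonce)."""
    state = [0x61707865, 0x3320646E, 0x79622D32, 0x6B206574]
    state += struct.unpack("<8L", key)
    state += [counter & MASK32]
    state += struct.unpack("<3L", nonce)
    work = list(state)
    for _ in range(10):                       # 20 rounds = 10 double rounds
        _quarter_round(work, 0, 4, 8, 12)     # column rounds
        _quarter_round(work, 1, 5, 9, 13)
        _quarter_round(work, 2, 6, 10, 14)
        _quarter_round(work, 3, 7, 11, 15)
        _quarter_round(work, 0, 5, 10, 15)    # diagonal rounds
        _quarter_round(work, 1, 6, 11, 12)
        _quarter_round(work, 2, 7, 8, 13)
        _quarter_round(work, 3, 4, 9, 14)
    return struct.pack("<16L", *((w + s) & MASK32 for w, s in zip(work, state)))


def chacha20_xor(key, nonce, data, counter=1):
    """XOR data with the keystream; the same call encrypts and decrypts."""
    out = bytearray()
    for offset in range(0, len(data), 64):
        block = chacha20_block(key, counter + offset // 64, nonce)
        out += bytes(p ^ k for p, k in zip(data[offset:offset + 64], block))
    return bytes(out)


def derive_keys(master_password, salt):
    """Stretch the master password into an encryption key and a MAC key.
    scrypt stands in for Argon2; the cost parameters are illustrative."""
    km = hashlib.scrypt(master_password.encode("utf-8"), salt=salt,
                        n=2 ** 14, r=8, p=1, dklen=64)
    return km[:32], km[32:]


def seal(master_password, plaintext):
    """Return salt | nonce | tag | ciphertext. A fresh salt and nonce on every
    write means re-encrypting the same database never reuses a keystream."""
    salt, nonce = os.urandom(SALT_LEN), os.urandom(NONCE_LEN)
    enc_key, mac_key = derive_keys(master_password, salt)
    ciphertext = chacha20_xor(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return salt + nonce + tag + ciphertext


def unseal(master_password, blob):
    """Return the plaintext, or None if the password is wrong or the file was
    modified or truncated. The tag is verified before anything is decrypted."""
    if len(blob) < SALT_LEN + NONCE_LEN + TAG_LEN:
        return None
    salt = blob[:SALT_LEN]
    nonce = blob[SALT_LEN:SALT_LEN + NONCE_LEN]
    tag = blob[SALT_LEN + NONCE_LEN:SALT_LEN + NONCE_LEN + TAG_LEN]
    ciphertext = blob[SALT_LEN + NONCE_LEN + TAG_LEN:]
    enc_key, mac_key = derive_keys(master_password, salt)
    expected = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return chacha20_xor(enc_key, nonce, ciphertext)


if __name__ == "__main__":
    # Constructed sample entry; not real data.
    entry = b"example.org\nuser: alice\npass: correct horse battery staple\n"
    blob = seal("master password", entry)
    assert unseal("master password", blob) == entry
    assert unseal("wrong password", blob) is None
    print("ok")
```

Two points carry over to the real thing regardless of library. The salt must be stored with the file, since the KDF has to be re-run with the same salt to recover the key, and a wrong master password shows up as a failed tag check rather than as garbage plaintext. The nonce must never repeat under the same key; deriving a fresh key (new salt) and drawing a fresh nonce on every write is the simplest way to guarantee that. With Monocypher the KDF output feeds its authenticated-encryption call directly and the tag comes from Poly1305, so the separate MAC key in this example disappears.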
npm comes with a few programs to serve as a full replacement for a gpg2-based password manager. First is npm-core, which encrypts and decrypts password files. Next are npm-agent and npmc, which are a password-caching agent and a client to interface with the password-caching agent from a shell. Finally, we have npm, which is the pash password manager, but adapted to use the npm programs instead of gpg2.
I have been using it as my password manager for several weeks now, and it works well. I think the next step is documentation.
The code can be found here: https://git.nihaljere.xyz/npm/log.html