npm: Nihal's Password Manager

Since March, I've been working on a password manager. Most of the password managers that are purportedly small and simple just outsource their cryptography elsewhere, often to some large program like gpg2. I wanted something simple and self-contained, which only depended on libc. I was happy with the interface of pash, but I wanted to replace the cryptographic backend.

I wanted to use a master password to encrypt a database of passwords, so I needed a cipher and a key derivation function. This is a standard use-case for something like libsodium. However, I opted not to use it, because it isn't designed to be self-contained, and just dropped into projects. For a while I used a ChaCha20 (cipher) implementation extracted from BearSSL, and the reference implementation of Argon2 (KDF). At some point, I was pointed to Monocypher, which was exactly what I was looking for: a libsodium like library in a single header and source file. Incidentally, it also uses ChaCha20 and Argon2.

npm comes with a few programs to serve as a full replacement for a gpg2 based password manager. First is npm-core which encrypts and decrypts password files. Next are npm-agent and npmc, which are a password-caching agent and a client to interface with the password caching agent from a shell. Finally, we have npm which is the pash password manager, but adapted to use the npm programs instead of gpg2.

I have been using it as my password manager for several weeks now, and it works well. I think the next step is documentation.

The code can be found here: