1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
|
YAPET - Yet Another Password Encryption Tool 0.6
Rafael Ostertag
$Id: README.sgml.in 2904 2009-09-04 05:11:30Z rafi $
Copyright 2008, 2009 Rafael Ostertag <rafi@guengel.ch>
-------------------------------------------------------------------------------
Table of Contents
Introduction
Supported Platforms
Features
Important Changes
Version 0.6
Installation
Usage
Design
A Word of Caution
License
Introduction
YAPET is a text based password manager using the Blowfish encryption algorithm
to store password and associated information encrypted on disk. Its primary aim
is to provide a safe way to store passwords in a file on disk while having a
small footprint, and compiling and running under today's most popular Unix
Systems.
YAPET does not impose a limit of password records per file and the number of
files the passwords are stored in, although YAPET is only able to display
password records of one file at a time.
For convenience, YAPET provides a search function for password records of the
currently displayed password file.
The password records are protected by a master password. The master password is
used to encrypt and decrypt the password records.
YAPET relies on OpenSSL for encrypting and decrypting password records. The
cipher for encryption and decryption is Blowfish with a 448 bits key.
Supported Platforms
YAPET has been tested to build and run on following platforms:
* FreeBSD
* Sun? Solaris? x86
* Linux
* Cygwin
If you want to use YAPET under Cygwin, you may want to read the README.Cygwin
file.
Features
YAPET features:
* Blowfish encryption (http://www.schneier.com/blowfish.html) with 448 bits
key using the OpenSSL library (http://www.openssl.org/).
* passwords are not kept clear text in memory.
* doesn't depend on graphical user interfaces and their "dependency hell" due
to a text based user interface.
* only dependent of two libraries: OpenSSL (http://www.openssl.org) and
curses or ncurses (http://www.gnu.org/software/ncurses/).
* locks the terminal on inactivity.
* a utility to convert CSV files to the native YAPET format.
* built-in password generator.
Important Changes
Version 0.6
Warning
The file structure of YAPET files has changed in version 0.6. You are strongly
advised to make backup copies of your files before using YAPET 0.6.
A design flaw in YAPET may prevent the exchange of YAPET files between
different processor architectures (64/32 bit) due to varying header sizes in
YAPET files.
All YAPET versions prior YAPET 0.6 are affected by this issue.
Starting with YAPET 0.6, the header size of YAPET files remains stable across
processor architectures, thus exchanging YAPET files is possible unimpeded.
YAPET 0.6 will read and write version 0.5 or earlier files. Reading, deleting,
and/or adding records won't update the file structure to version 0.6. However,
changing the master password (or setting the same password again, for this
matter) using YAPET 0.6 will update the file version to 0.6.
YAPET prior version 0.6 can read and write version 0.6 files, but it might be
observed that the date when the master password was last changed is displayed
incorrectly. YAPET prior 0.5 will update the file structure to pre-version 0.6
upon master password change. See Table1, ?File Compatibility Matrix of YAPET
0.5 or earlier? for an overview of the compatibility issues in YAPET 0.5 or
earlier.
Table1.File Compatibility Matrix of YAPET 0.5 or earlier
+---------------------------------------------------------------------------+
| | File created |
| |---------------------------------------------------|
| | Version 0.5 or earlier | Version 0.6 |
|YAPET running on |-------------------------+-------------------------|
| |Little Endian|Big Endian |Little Endian|Big Endian |
| |-------------+-----------+-------------+-----------|
| |32bit |64bit |32bit|64bit|32bit |64bit |32bit|64bit|
|-----------------------+------+------+-----+-----+------+------+-----+-----|
|Little Endian 32bit^[a]| yes | yes | yes | yes | yes | yes | yes | yes |
|-----------------------+------+------+-----+-----+------+------+-----+-----|
|Little Endian 64bit^[a]| no | yes | no | yes | yes | yes | yes | yes |
|-----------------------+------+------+-----+-----+------+------+-----+-----|
|Big Endian 32bit ^[b] | yes | yes | yes | yes | yes | yes | yes | yes |
|-----------------------+------+------+-----+-----+------+------+-----+-----|
|Big Endian 64bit^[b] | no | yes | no | yes | yes | yes | yes | yes |
|---------------------------------------------------------------------------|
|^[a] AMD, Intel, etc. |
| |
|^[b] PowerPC, SPARC, etc |
+---------------------------------------------------------------------------+
YAPET 0.6 reads and writes any YAPET file regardless of the YAPET version used
to create and the architecture.
Refer to the DESIGN file for further information on this issue.
Installation
YAPET uses a configure script for configuring the build process. Refer to the
INSTALL file in the source tarball yapet-0.6.tar.gz.
Usage
YAPET is kept simple. You should not find it difficult to use. The user
interface has some quirks, though.
See the manual page yapet(1) after installing YAPET for a minimal user guide.
Design
Refer to the DESIGN file which comes along with the source tarball in order to
get an idea of the design of YAPET.
A Word of Caution
Although several precautions were taken to avoid having any passwords stored
clear text in memory, there were occasions when core files contained the master
password. This means that it is possible, though not likely, for a malicious
user to get hold of one or more passwords while YAPET is running.
License
YAPET -- Yet Another Password Encryption Tool
Copyright (C) 2008, 2009 Rafael Ostertag <rafi@guengel.ch>
This program is free software: you can redistribute it and/or modify it under
the terms of the GNU General Public License as published by the Free Software
Foundation, either version 3 of the License, or (at your option) any later
version.
This program is distributed in the hope that it will be useful, but WITHOUT ANY
WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE. See the GNU General Public License for more details.
You should have received a copy of the GNU General Public License along with
this program. If not, see http://www.gnu.org/licenses/.
Additional permission under GNU GPL version 3 section 7. If you modify this
program, or any covered work, by linking or combining it with the OpenSSL
project's OpenSSL library (or a modified version of that library), containing
parts covered by the terms of the OpenSSL or SSLeay licenses, Rafael Ostertag
grants you additional permission to convey the resulting work. Corresponding
Source for a non-source form of such a combination shall include the source
code for the parts of OpenSSL used as well as that of the covered work.
|
