Long story short, I desperately needed a password manager, but didn’t want to go with a big, online-vault style thing as I consider such a thing dangerous. Now, there are many open-source local filesystem-based solutions out there, but I didn’t want to just entrust my passwords to foreign code either.

So I made yet another one, qass (pass was taken).

It stores all login data with encrypted passwords as YAML files. These can be edited either via the CLI, or by hand (and then synced later). It encrypts with AES-GCM-SIV, and has layers of common-sense measures to minimize impact even if part of the plaintext store is accidentally exposed.

For instance, getting a cleartext password out of the store doesn’t bother with clipboards or such, but emulates keyboard inputs to type it in. This hopefully minimizes the number of side channels.

I used egui to make a simple GUI for quick password retrieval, which has some comfort features, while still trying to minimize info leakage about the store.

I deliberately tried to keep it all simple, so when someone like me comes around, they can audit the entirety of qass in a couple of hours, install it, and get on with their lives. Beats creating Yet Another Password Manager, right? ...Right?

The only reason it’s not 1.0.0 is that I want to add some env var support, like multiple store paths, custom keystrokes, etc. But I’m not in a hurry with that, since the current revision already suits my needs.