Skip to content
/ Purse Public

GnuPG asymmetric password manager


Notifications You must be signed in to change notification settings


Folders and files

Last commit message
Last commit date

Latest commit



86 Commits

Repository files navigation

Purse is a fork of drduh/

Both programs are Bash shell scripts which use GnuPG to manage passwords and other secrets in encrypted text files. Purse is based on asymmetric (public-key) authentication, while is based on symmetric (password-based) authentication.

While both scripts use a trusted crypto implementation (GnuPG) and safely handle passwords (never saving plaintext to disk, only using shell built-ins), Purse eliminates the need to remember a main passphrase - just plug in a YubiKey, enter the PIN, then touch it to decrypt a password to clipboard.


This script requires a GnuPG identity - see drduh/YubiKey-Guide to set one up.

For the latest version, clone the repository or download the script directly:

git clone


Versioned Releases are also available.


Run the script interactively using ./ or symlink to a directory in PATH:

  • w to write a password
  • r to read a password
  • l to list passwords
  • b to create an archive for backup
  • h to print the help text

Options can also be passed on the command line.

Create a 20-character password for userName:

./ w userName 20

Read password for userName:

./ r userName

Passwords are stored with an epoch timestamp for revision control. The most recent version is copied to clipboard on read. To list all passwords or read a specific version of a password:

./ l

./ r userName@1574723600

Create an archive for backup:

./ b

Restore an archive from backup:

tar xvf purse*tar


Several customizable options and features are also available, and can be configured with environment variables, for example in the shell rc file:

Variable Description Default Values
PURSE_TIME seconds to clear password from clipboard/screen 10 any valid integer
PURSE_LEN default generated password length 14 any valid integer
PURSE_COPY copy password to clipboard before write unset (disabled) 1 or true to enable
PURSE_DAILY create daily backup archive on write unset (disabled) 1 or true to enable
PURSE_ENCIX encrypt index for additional privacy; 2 YubiKey touches will be required for separate decryption operations unset (disabled) 1 or true to enable
PURSE_COMMENT unencrypted comment to include in index and safe files unset any valid string
PURSE_CHARS character set for passwords [:alnum:]!?@#$%^&*();:+= any valid characters
PURSE_DEST password output destination, will set to screen without clipboard clipboard clipboard or screen
PURSE_ECHO character used to echo password input * any valid character
PURSE_SAFE safe directory name safe any valid string
PURSE_INDEX index file name purse.index any valid string
PURSE_BACKUP backup archive file name purse.$hostname.$today.tar any valid string

Note For additional privacy, the recipient key ID is not included in metadata (GnuPG throw-keyids option).

See config/gpg.conf for additional GnuPG options.