Pee - A password manager for the command line

What happened so far...

I have used a small little program called pwsafe for managing my online accounts. It has worked for me for years. But as it uses a local data store (which is a feature for me) and I use different machines the files tend to diverge. Up to a while ago I solved this issue through discipline, i.e. remembering which db has been the most recent and distributing that. After a while (years!) and through other circumstances the db files have diverged.

Quite. Substantially.

So one of my new year's resolutions has been to consolidate the password db and do a little early spring cleaning while at it. The pwsafe program comes with an export command to emit the whole thing in plain text. So I can use my usual merging tools.

Or so I thought.

The actual merging has been successful albeit tedious. But afterwards it dawned on me, that pwsafe lacks an import command. As a bonus the export command escapes <,> and & using XML notation, although the output is nowhere near XML... After discovering that I thought about writing a script that would just reenter each password back into a freshly created db.

But then the whole import/export experience drove me away pondering how I would like a password manager to be. During the merge procedure an additional field in the db for a last modification date would have helped a lot, probably would have enabled an interactive merging mode. (pwsafe does come with a merge mode but it isn't documented and I didn't feel adventurous enough.)

None of the alternatives I have investigated where very appealing so I decided to roll my own written -- of course -- in CHICKEN Scheme.

Pee - A password manager for the command line... because you have to

I want reasonably long, random passwords for a given entropy setting. I want to have my passwords in a single, encrypted container file. Pee stores passwords under an account name and one can annotate the password with additional hints, such as password recovery or other "security" questions.

After figuring out a sane encryption scheme I have settled to use tweetnacl seeded with a passphrase hashed with blake2s. The blake2s function is used directly from the C reference implementation using the CHICKEN FFI. The source for this has been included in the repository. The data structure inside is a plain old association list, which makes it nice and easy to serialize (I am using pretty-print and read).

I did not spend a lot of time trying to secure the memory access from other processes running on my machine. Pee will output the password on the console by default. For copy and paste, one should use an external program like xsel.

Pee protects me from my passwords getting stolen as the storage is encrypted. Pee will not protect me against an attacker that can access all of my computer's RAM. Pee will not protect me against keyloggers as the passphrase to my store will be logged.

For the command line utility I rely on the getopt-long egg. That turned out to work exceptionally well and has been easy to use.

As a final challenge I wanted to have a statically linked binary so my passwords are always available even if I re-install chicken master binaries (which happens frequently). I have followed Evan Hanson's excellent guide to compiling statically linked CHICKEN scheme programs with extensions. Doing it all manually is really tedious. The easiest build tool I use is a shell script fetching all needed extensions and invoking csc with the right parameters.

So without further ado I invite you, dear reader, to have a look for yourself and try pee. Please report any issues and criticism you have while reading / using the source code.

The repository can be found at:

May you always choose good passwords!

Code on this site is licensed under a 2 clause BSD license, everything else unless noted otherwise is licensed under a CreativeCommonsAttribution-ShareAlike3.0UnportedLicense