Rust-Rooster: rooster — Simple password manager to use in your terminal

Rooster

Rooster is a simple password manager for geeks (it works in the terminal).

Supporting Rooster

Rooster is currently being maintained as a side-project, during nights and weekends, next to my full-time job. I am looking for a way to sustain my work on open source. If you find value in what I do and you would like to contribute, please consider:

Features

Rooster has some unique goals:

  • it is easy to maintain so that it never becomes unmaintained
  • it works completely offline by saving your password in a single local file
  • it stores username/password combinations, nothing more, nothing less

Rooster protects your passwords with state-of-the-art cryptographic algorithms:

  • scrypt for key derivation (n = 2^12, r = 8, p = 1 by default, customizable)
  • aes-256-cbc for encryption
  • hmac-sha512 for authentication
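
The sketch below is an added example, not Rooster's own code or file format: it derives keys with scrypt using the defaults listed above and checks an HMAC-SHA512 tag over an opaque ciphertext before any decryption would be attempted. The salt length, the key split and the `salt || iv+ciphertext || tag` layout are assumptions, and the AES-256-CBC step is treated as already done because Python's standard library has no AES.

```python
import hashlib
import hmac
import os

# Defaults listed on the page: n = 2^12, r = 8, p = 1.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 12, 8, 1
SALT_LEN = 32   # assumption: the page does not state a salt size
TAG_LEN = 64    # HMAC-SHA512 output size in bytes


def scrypt_memory_bytes(n=SCRYPT_N, r=SCRYPT_R):
    """Approximate working memory scrypt needs: 128 * n * r bytes."""
    return 128 * n * r


def derive_keys(password: bytes, salt: bytes):
    """One scrypt call, split into an AES-256 key and a separate MAC key."""
    okm = hashlib.scrypt(password, salt=salt, n=SCRYPT_N, r=SCRYPT_R,
                         p=SCRYPT_P, dklen=32 + 64)
    return okm[:32], okm[32:]          # (encryption key, MAC key)


def seal(password: bytes, iv_and_ciphertext: bytes) -> bytes:
    """Encrypt-then-MAC framing (assumed): salt || iv+ciphertext || tag."""
    salt = os.urandom(SALT_LEN)
    _, mac_key = derive_keys(password, salt)
    body = salt + iv_and_ciphertext
    tag = hmac.new(mac_key, body, hashlib.sha512).digest()
    return body + tag


def open_verified(password: bytes, blob: bytes) -> bytes:
    """Return iv+ciphertext only if the tag verifies; else raise ValueError."""
    if len(blob) < SALT_LEN + TAG_LEN:
        raise ValueError("blob too short")
    body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    _, mac_key = derive_keys(password, body[:SALT_LEN])
    expected = hmac.new(mac_key, body, hashlib.sha512).digest()
    # Constant-time comparison, done before CBC decryption so a modified
    # ciphertext never reaches the padding check.
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong password or modified file")
    return body[SALT_LEN:]
```

Under this construction a wrong master password and a modified file both surface as the same tag mismatch, so the MAC alone cannot tell the two cases apart.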

Supported operating systems include Linux, BSD and OSX. Windows is not supported at this time.

Installation

To install Rooster, run the following commands as root.

On Arch Linux, install Rooster from AUR.

On Void Linux, install Rooster from XBPS.

On Fedora:

dnf update -y
dnf install -y curl gcc unzip pkgconfig libX11-devel libXmu-devel python3 openssl-devel libsodium-devel
curl https://sh.rustup.rs -sSf | sh -s -- -y
source $HOME/.cargo/env
cargo install --root /usr rooster

On CentOS: instructions should be similar to Fedora, but it seems like libsodium is not available on CentOS and I haven't been able to figure out how to install it. If you know, please let me know.

On Debian:

apt-get update -y
apt-get install -y curl gcc unzip pkg-config libxcb-render0-dev libxcb-shape0-dev libxcb-xfixes0-dev libx11-dev libxmu-dev python3 libssl-dev libsodium-dev xsel
curl https://sh.rustup.rs -sSf | sh -s -- -y
source $HOME/.cargo/env
cargo install --root /usr rooster

On Ubuntu 16.04/18.04:

apt update -y
apt install -y curl unzip pkg-config libxcb-render0-dev libxcb-shape0-dev libxcb-xfixes0-dev libx11-dev libxmu-dev python3 libssl-dev libsodium-dev xsel
curl https://sh.rustup.rs -sSf | sh -s -- -y
source $HOME/.cargo/env
cargo install --root /usr rooster

On OSX:

brew install curl libsodium openssl
curl https://sh.rustup.rs -sSf | sh -s -- -y
cargo install --root /usr rooster

For other distributions, the various Docker files can help you find which dependencies you need.

Once you have installed Rooster (see instructions above), you can view documentation with:

rooster --help

Trustless security

For added trustless security, you can restrict the operating system capabilities that Rooster has access to.

For instance, to run Rooster without network access on Linux, you might do this:

# make unshare usable without being root (sets the setuid bit on the unshare binary, which applies to every local user)
sudo chmod u+s "`which unshare`"

# run rooster without network
unshare -n rooster

Other operating systems have similar protections.

Automated tests

Rooster has 3 sets of tests:

  • code level tests which you can run with cargo test
  • integration tests which you can run with ./tests-integration.sh
  • build tests for various Linux distributions which you can run with ./tests-build.sh

You'll need to install Docker to run build and integration tests.

Contributors

We welcome contributions from everyone. Feel free to open an issue or a pull request at any time.

Here's a list of existing Rooster contributors:

Thank you very much for your help! ❤️

License

The source code is released under the Apache 2.0 license.

Comments

  • some ideas

    Sep 23, 2015

    I hate issues for discussing stuff, but there we go:

    I was trying to build the same thing you've done with rooster, with two big differences

    The library is ultra fast and provides encryption which is going to last. (It's taken from djb's nacl after all), and the main consequence for this one would be having a better key derivation scheme - we definitely don't want to have SHA256 for keys :)

    • using sqlite3 as storage instead of a single flat file

    my reasoning for this one is having a file format which is well documented, stable and with all the bonus points of being almost drop-in compatible with android - which means less hassle for doing the mobile app.

    Thoughts? I'd be more than happy to discuss more on this, since I don't want to duplicate effort :)

  • When I mistype my password, the warning message is scarier than necessary

    Nov 11, 2016

    Hello again!

    Currently when I rooster get github, for example, and mistype my master password, the output looks like this:

    I could not upgrade the Rooster file. This could be because:
    - you explicitly told Rooster not to open the file,
    - your version of Rooster is outdated,
    - your Rooster file is corrupted,
    - your master password is wrong.
    Try upgrading to the latest version of Rooster.
    

    IMO rooster should know which scenario has occurred, and print just the most accurate thing.

  • Analytics and tracking

    Jan 17, 2016

    At some point, Rooster will include an "Analytics" module so that we can use data to make Rooster better. Let's see what this whole "Analytics" thing is about.

    Given the nature of Rooster, including some kind of tracking system inside of it could seem crazy. I get that. Matter of fact, when I am not sure what data is collected about me and/or don't understand what's being done with that data, I usually try to opt-out.

    And, just so you know, when Rooster gets analytics, there will be a way to opt-out.

    However, as with a lot of software projects, knowing what users do with the software helps in making it better. Here are some things that I think Rooster could benefit from knowing:

    • The Rooster commands you use (rooster list, rooster get, etc): this information could be used to remove unused commands or improve heavily used ones,
    • Your locale: this could be used to translate Rooster documentation for heavily used languages,
    • Your operating system: this could be used to focus testing efforts on those systems for every new release, so as to not lose users,
    • Your version of Rooster: this could be used to drop support for older, unused versions, and focus development resources on what matters most.

    These things will help make Rooster better for every user, including you. So yeah, at some point, Rooster will track how you use it. If you don't want to be tracked, you will be able to opt out.

    Any feedback is welcome.

  • Check password strength with "rooster weak" command

    Jun 4, 2017

    It would be awesome to have a way to see if we have any weak/hacked passwords in our Rooster file.

    What do you think? Please post your thoughts here before working on this issue because we have to agree on the solution before we start coding.

    My thoughts:

    • https://crates.io/crates/zxcvbn is a nice crate, but it has a lot of dependencies (i.e. 3rd party code) and so it's difficult to audit. I don't want us to install crates that have so many dependencies because we lose track of what's inside, which could lead us to install viruses by mistake at some point (we've seen this happen recently with the https://kite.com fiasco and the NPM ecosystem)
    • I think having a way to quickly see which passwords are weak would be a good way to go, for instance rooster weak could show a list of weak passwords
    • I'd like to see if we can find a way to integrate with https://haveibeenpwned.com: this is not easy because it is an online service, and sending any password to it is a no-go. There is an archive of hacked passwords that we could use offline but it is 5Gb so that's a no-go as well. I'm not sure what we can do here. Maybe we could create a command that would fetch the 5Gb file only if the user agrees and then check if any of our passwords have been hacked? I'd do that for my passwords.
  • Retyping master password & GUI

    Sep 23, 2015

    I like to have a long master password, however without GUI I have to retype it for every operation, which is really bothersome. Is there a solution to this?

  • Build error in Void linux

    Oct 29, 2017

    Hi @conradkdotcom

    error: the listed checksum of `/builddir/rooster-2.7.1/vendor/backtrace-sys/src/libbacktrace/config.sub` has changed:
    expected: 3b739084e4b409aacf8531f87b57efa602eccdd17b5cddbc4ae1313a2c866f34
    actual:   82745ce935695e7984a053c155a64b9ad16ece3a07d931cc90ab3fb28b7221af
    

    What's wrong? Regards.
