A secure, terminal-based vault for storing notes and passwords with tagging support. This project demonstrates secure coding practices using only Python standard libraries.
- Secure Storage: Uses PBKDF2 for key derivation and a demo XOR-based stream cipher (for demonstration purposes).
- Tagging: Organize entries with tags.
- Batch Mode: Import and check entries from CSV files.
- Security Controls:
  - Secure input masking.
  - Audit logging with redaction.
  - Brute-force protection (lockout after 3 failed attempts).
  - Password strength estimation.
- Clone the repository.
- Install the package:
pip install .
pip install terminal-vault
vault init
Update your current username and password (requires login).
vault user
Reset your password while keeping the same username (requires login).
vault reset-password
Reset both username and password using the auto-generated CSV backup (does NOT require login). Warning: This overwrites the current vault with data from the backup file.
vault reset-credentials
vault add --title "My Secret" --tags "personal,finance"
# Filter by tag
vault get --tag "personal"
# Search by title or content
vault get --search "Secret"
vault check entries.csv
vault report
Reveal all vault content in a plain text JSON file. Warning: The output file is unencrypted. It will be deleted automatically on the next run.
vault show-plain
Important
Encryption: This tool uses a demonstration encryption scheme (XOR stream cipher) because the requirements restricted usage to Python Standard Libraries only (no cryptography or PyCryptodome). DO NOT USE FOR HIGH-VALUE SECRETS IN PRODUCTION.
- Key Derivation: Uses hashlib.pbkdf2_hmac with SHA-256 and 100,000 iterations.
- Memory Safety: Python strings are immutable, so secrets may persist in memory until garbage collected.
- Side Channels: No specific protection against timing attacks or power analysis.
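An added example, not the project's own code: one standard-library-only way to pair the PBKDF2 parameters above with an XOR keystream and an HMAC tag, so that modified ciphertext or a wrong password is rejected instead of decrypting to garbage. The HMAC-based keystream, the blob layout and the names `derive_keys`, `keystream_xor`, `seal` and `unseal` are assumptions for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # PBKDF2 iteration count stated in this README


def derive_keys(password: str, salt: bytes):
    """PBKDF2-HMAC-SHA256 master key, split into cipher and MAC subkeys."""
    master = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    enc_key = hmac.new(master, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(master, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Assumed demo cipher: XOR data with HMAC-SHA256(key, nonce || counter)."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        block = nonce + counter.to_bytes(8, "big")
        stream += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def seal(password: str, plaintext: bytes) -> bytes:
    """Return salt(16) || nonce(16) || ciphertext || tag(32)."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = derive_keys(password, salt)
    body = salt + nonce + keystream_xor(enc_key, nonce, plaintext)
    return body + hmac.new(mac_key, body, hashlib.sha256).digest()


def unseal(password: str, blob: bytes) -> bytes:
    """Verify the tag before decrypting; raise ValueError on any mismatch."""
    if len(blob) < 64:
        raise ValueError("blob too short")
    body, tag = blob[:-32], blob[-32:]
    salt, nonce, ciphertext = body[:16], body[16:32], body[32:]
    enc_key, mac_key = derive_keys(password, salt)
    expected = hmac.new(mac_key, body, hashlib.sha256).digest()
    # compare_digest is constant-time, so the check does not leak the
    # position of the first differing byte.
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong password or modified data")
    return keystream_xor(enc_key, nonce, ciphertext)
```

A fresh random salt and nonce per call keep the keystream from repeating across entries, which is the failure that breaks any XOR-based scheme.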
- src/: Source code.
- tests/: Unit tests.
- vault.log: Audit log (redacted).
- .vault_lockout: Lockout state file.