kasefet 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: ef83c9b70e27855bb629f577ac6fd37de8b5477d
+  data.tar.gz: b2b865ac6e19bcb17cc5143c5c3f0e0b7554f3e2
+SHA512:
+  metadata.gz: ddd53fc18dd123c69c9b4113765b72c06d0240eede4efb976b10a7dec3b7886d2aa00ae2b9d1f7c6a90f9dfb2f032c853246bcb574255f8daff075edf3771182
+  data.tar.gz: 813b83d332a7bd0817d746978811ace68885ddfe9bf4d897f85a71871d1edf439b914a39425f563c77c8c6650129e232eb54226802e5c15e5d488d671afbf380

data/.gitignore

@@ -0,0 +1,9 @@
+/.bundle/
+/.yardoc
+/Gemfile.lock
+/_yardoc/
+/coverage/
+/doc/
+/pkg/
+/spec/reports/
+/tmp/

data/.travis.yml

@@ -0,0 +1,4 @@
+language: ruby
+rvm:
+  - 2.3.0
+before_install: gem install bundler -v 1.10.6

data/DESIGN.md

@@ -0,0 +1,73 @@
+# Key-value flat file system
+
+We reuse this concept in several places, so here's the generic concept. I need to design a system of files that will survive a naive synchronization program like rsync, syncthing, or dropbox. The basic idea is to namespace everything by hexdigest (inspired by git). We need to go a step further, and allow multiple values to not overwrite each other. The way to do this is to mark each value with the timestamp it was created and the source of the value. For example, this means the key `kasefet.name_salt` would have values stored in the directory `db/c39d7d6b239c2e20a31672ed979fed2b45c88748d06ba3be6bff85767b5d3d`, like this:
+
+```
+root
+|--db
+   |--c39d7d6b239c2e20a31672ed979fed2b45c88748d06ba3be6bff85767b5d3d
+      |--20160224.184012.laptop
+      |--20160223.140554.phone
+```
+
+Device names can either be configured locally, or set via stable digest from the uname, or just use the hostname (may cause issues in VM images). The accuracy of the name can be configured (pid, tid), but should be stable throughout the lifetime of a system.
+
+To select the value for a given key, just look for the last file in the directory (lexicographically). If the format YYYYMMDD-HHMMSS.device.extension is followed, then there should only be conflicts if two devices edited the value at the exact same time. In such a case, the device name itself is used as a tie breaker. Additional precision may be used, but the level of precision should not change throughout the lifetime of a system.
+
+This is stable enough for most purposes (and well within my use cases, assuming clock drift is below change velocity).
+
+I leave it as an exercise to the sync program to correctly identify deleted values, although keeping the history of a value is typically preferred. Please note that editing a file directly should NEVER happen. Once a file is written, it should never change (This can be enforced with a digest of the content in the filename).
+
+## Encryption
+
+When encrypting files in such a format, I like to keep them prefixed to the encrypted content and then the auth tag. Note that the first version only supports AES-256-GCM.
+
+# File format
+
+A kasefet wallet has the following layout:
+
+```
+wallet
+|--key
+|--index
+|  |--index
+|--metadata (flat file kv directory)
+|--ksft (flat file kv directory)
+```
+
+## key file
+
+The key file contains the master encryption key for the wallet. This key is used to encrypt the flatfile kv values. When encrypted, the keyfile has this format:
+
+```
++------------------------------------------------------+
+| pbkdf2 salt (if any) | iv | auth_tag | encrypted key |
++------------------------------------------------------+
+```
+
+### Rotating credentials
+
+When rotating credentials, it is recommended to simply reencrypt the keyfile with a new passphrase, and ensure consensus.
+
+## index directory
+
+The index directory holds a single file, which is the index of logical key names to physical key names. If more than one file is in this directory, it's a strong hint that the index needs to be rebuilt (sync programs that stick extra files everywhere are a plague on mankind)
+
+## metadata directory
+
+The metadata file contains wallet-level settings (optionally with an extension if not a simple key=value format file).
+
+ Should be encrypted. The standard way to test if a password is correct is to attempt to decrypt and parse this file, looking for the kasefet.wallet_version key.
+
+Required keys are:
+
+```
+kasefet.wallet_version
+kasefet.name_salt
+```
+
+## ksft directory
+
+Key names shouldn't be exposed, so we salt the keyname before pushing it into the flatfile kv driver. I'm on the fence if values should be moved when a key is renamed, or if the key should stay constant (maintained through an index file that knows how to map keys to digests)
+
+The content of these files varies, and I'm not sure what format I'll use. It'll be more or less free text, that much I do know.

data/Gemfile

@@ -0,0 +1,4 @@
+source 'https://rubygems.org'
+
+# Specify your gem's dependencies in kasefet.gemspec
+gemspec

data/LICENSE.txt

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2016 Steven Karas
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

data/PHILOSOPHY.md

@@ -0,0 +1,38 @@
+# The name
+
+Kasefet is the hebrew word for "safe", (the locked box meaning of safe). Seemed as good as any, and wasn't taken on rubygems
+
+# A bit of history
+
+In the beginning, I used Keepass as part of PortableApps. I found quickly that this wasn't ideal, since it didn't work easily on Ubuntu (just because it doesn't crash, doesn't mean it's good). At the time, I thought it would be enough to simply leave the database in a shared mount between the two (I was dual booting for a while). After that, I put the database on Dropbox and started to access it from my phone. That didn't go over well. Dropbox would sometimes update and move the file out from underneath the android app, and cause other issues. Worse, it would sometimes do this after I had already added new credentials to the database from my phone (leaving me with conflicted copies at best, or sometimes just making them "disappear").
+
+After a while, I came to the conclusion that the file format just wasn't good, and that there had to be a better way to do it, but I also took stock of how much time it would take me to do this, and decided against it.
+
+The final impetus for me to start this project came when I started working on a new side project, but didn't want to mix credentials from different scopes into the same database. Worse, I wanted to share a portion of my password wallet, but not all of it. All of this pointed towards the need to "layer" multiple wallets together.
+
+# Goals for Kasefet
+
+- System integration
+  - autotype
+  - clipboard
+- Dumb sync
+  - Flat files make this possible
+- Support for using multiple wallets simultaneously
+- Best practice encryption
+- CLI and GUI interfaces
+- Cross platform support (Ubuntu, Mac, and Android, because that's what I use)
+- API access (as in, run a server with the files, and access the credentials via the api)
+
+It's a big project, and I doubt I'll get very far on my own, but like I've always said: "Aim for the sky, and hit the tree"
+
+# Personal time
+
+I don't have a ton of time to dedicate to this project, so here are my weekend goals (I only have a single day on the weekend to give, and maybe not even that):
+
+1. gem structure + edit files
+2. encryption
+3. layer multiple wallets
+4. clipboard integration (mac)
+5. clipboard (ubuntu)
+6. autotype (mac)
+7. autotype (ubuntu)

data/README.md

@@ -0,0 +1,59 @@
+# Kasefet
+
+Kasefet is a password wallet built around flat files.
+
+NOTE: This version of kasefet is not meant to be highly secure. It is a reference implementation
+
+## Current Status
+
+Kasefet is currently a work in progress. This is the todo list for version 1.0, and is based entirely on my own requirements:
+
+ - [x] Flat file wallet
+ - [x] SSL encrypted wallet
+ - [ ] support for multiple wallets
+ - [x] editor integration
+ - [ ] clipboard integration (Mac)
+ - [ ] autotype (Mac)
+ - [ ] clipboard integration (Ubuntu)
+ - [ ] autotype (Ubuntu)
+
+## Installation
+
+```
+$ gem install kasefet
+```
+
+## Usage
+
+```
+# Create a simple record of username:password under the name "Gmail"
+$ kasefet add Gmail example@example.com:sekret
+
+# Open the record for Facebook in an editor
+$ kasefet edit Facebook
+
+# Print the contents of the Gmail credential file to STDOUT
+$ kasefet show Gmail
+```
+
+```
+# Create a new wallet (default format is encrypted)
+$ kasefet new --format=plain ~/my-new-wallet
+
+# Add another wallet to search through
+$ kasefet addwallet ~/my-new-wallet
+```
+
+## Development
+
+After checking out the repo, run `bin/setup` to install dependencies. Then, run `rake test` to run the tests. You can also run `bin/console` for an interactive prompt that will allow you to experiment. Run `bundle exec kasefet` to use the gem in this directory, ignoring other installed copies of this gem.
+
+To install this gem onto your local machine, run `bundle exec rake install`. To release a new version, update the version number in `version.rb`, and then run `bundle exec rake release`, which will create a git tag for the version, push git commits and tags, and push the `.gem` file to [rubygems.org](https://rubygems.org).
+
+## Contributing
+
+Bug reports and pull requests are welcome on GitHub at https://github.com/stevenkaras/kasefet.
+
+## License
+
+The gem is available as open source under the terms of the [MIT License](http://opensource.org/licenses/MIT).

data/Rakefile

@@ -0,0 +1,10 @@
+require "bundler/gem_tasks"
+require "rake/testtask"
+
+Rake::TestTask.new(:test) do |t|
+  t.libs << "test"
+  t.libs << "lib"
+  t.test_files = FileList['test/**/*_test.rb']
+end
+
+task :default => :test

data/bin/console

@@ -0,0 +1,14 @@
+#!/usr/bin/env ruby
+
+require "bundler/setup"
+require "kasefet"
+
+# You can add fixtures and/or initialization code here to make experimenting
+# with your gem easier. You can also use a different console, if you like.
+
+# (If you use this, don't forget to add pry to your Gemfile!)
+# require "pry"
+# Pry.start
+
+require "irb"
+IRB.start

data/bin/setup

@@ -0,0 +1,7 @@
+#!/bin/bash
+set -euo pipefail
+IFS=$'\n\t'
+
+bundle install
+
+# Do any other automated setup that you need to do here

data/exe/kasefet

@@ -0,0 +1,6 @@
+#!/usr/bin/env ruby
+
+$LOAD_PATH.unshift File.expand_path('../../lib', __FILE__)
+require "kasefet/cli"
+
+Kasefet::CLI.new.start

data/kasefet.gemspec

@@ -0,0 +1,26 @@
+# coding: utf-8
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'kasefet/version'
+
+Gem::Specification.new do |spec|
+  spec.name          = "kasefet"
+  spec.version       = Kasefet::VERSION
+  spec.authors       = ["Steven Karas"]
+  spec.email         = ["steven.karas@gmail.com"]
+
+  spec.summary       = %q{flat file-oriented password wallet}
+  spec.description   = %q{Kasefet is a password wallet built around flat files}
+  spec.homepage      = "https://github.com/stevenkaras/kasefet"
+  spec.license       = "MIT"
+
+  spec.files         = `git ls-files -z`.split("\x0").reject { |f| f.match(%r{^(test|spec|features)/}) }
+  spec.bindir        = "exe"
+  spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
+  spec.require_paths = ["lib"]
+
+  spec.add_development_dependency "bundler", "~> 1.10"
+  spec.add_development_dependency "rake", "~> 10.0"
+  spec.add_development_dependency "thunder", "~> 0.7"
+  spec.add_development_dependency "minitest"
+end

data/lib/kasefet/cli.rb

@@ -0,0 +1,94 @@
+require "thunder"
+
+require "kasefet/config"
+require "kasefet/wallet"
+
+class Kasefet
+  class CLI
+    GlobalConfigLocations = [
+      "~/.kasefet",
+      "~/.config/kasefet",
+    ]
+
+    DefaultWalletLocation = "~/.wallet"
+
+    include Thunder
+
+    def load_config(options)
+      config_file = options[:config]
+      config_file ||= GlobalConfigLocations.find { |file| File.exist?(File.expand_path(file)) }
+      config_file ||= File.expand_path(GlobalConfigLocations.first)
+      @config = Kasefet::Config.new(config_file)
+    end
+
+    def load_wallet
+      wallet_dir = @config["wallet"]
+      wallet_dir = @config["wallet"] = File.expand_path(DefaultWalletLocation) unless wallet_dir
+      @wallet = Kasefet::Wallet.new(directory: wallet_dir)
+    end
+
+    def determine_editor
+      [
+        ENV["VISUAL"],
+        ENV["EDITOR"],
+        "vi",
+        "nano",
+        "ed"
+      ].find do |editor|
+        next unless editor
+        # TODO: do some cursory checks to determine if this editor exists
+        true
+      end
+    end
+
+    desc "edit KEYNAME", "open the contents of KEYNAME in an editor, and save the changes"
+    def edit(keyname, *content, **options)
+      load_config(options)
+      load_wallet
+
+      require 'tmpdir'
+      require 'pathname'
+      Dir.mktmpdir do |tmpdir|
+        tmpdir = Pathname.new(tmpdir)
+        content = @wallet.load(keyname)
+        File.binwrite(tmpdir + keyname, content)
+
+        # invoke the editor
+        editor = determine_editor()
+        result = system(*editor.split(" "), (tmpdir + keyname).to_s)
+
+        if result.nil?
+          puts "Failed to launch editor: `#{editor}`"
+        elsif !result
+          puts "`#{editor}` exited with error status: #{$?}. Not saving contents"
+        else
+          new_content = File.binread(tmpdir + keyname)
+          @wallet.store(keyname, new_content)
+        end
+      end
+    end
+
+    desc "add KEYNAME CONTENTS...", "store the given CONTENTS in KEYNAME"
+    def add(keyname, *content, **options)
+      load_config(options)
+      load_wallet
+
+      content = content.join(" ")
+
+      @wallet.store(keyname, content)
+
+      return content
+    end
+
+    desc "show KEYNAME", "print the contents of KEYNAME to stdout"
+    def show(keyname, **options)
+      load_config(options)
+      load_wallet
+
+      content = @wallet.load(keyname)
+
+      puts content
+      return content
+    end
+  end
+end

data/lib/kasefet/config.rb

@@ -0,0 +1,81 @@
+class Kasefet
+  class Config
+    def initialize(file)
+      @file = file
+      @settings = {}
+      return unless File.exists?(file)
+      load
+    end
+
+    attr_accessor :file
+
+    def [](key)
+      return key.split(".").reduce(@settings) { |hash, segment| hash ? hash[segment] : nil }
+    end
+
+    def []=(key, value)
+      last_segment = key.split(".")[0..-2].reduce(@settings) { |hash, segment| hash[segment] ||= {} }
+      last_segment[key.split(".")[-1]] = value
+    end
+
+    def load
+      case File.extname(@file)
+      when ".yaml", ".yml"
+        require 'yaml'
+        @settings = YAML.load(File.read(file))
+      when ".json"
+        require 'json'
+        @settings = JSON.parse(File.read(file))
+      else
+        # try the key=value format
+        content = File.read(file)
+        content.split("\n").each do |line|
+          key, value = line.split("=")
+          value = value.to_i if value =~ /\d+/
+          if self[key]
+            self[key] = [self[key]] unless self[key].is_a? Array
+            self[key] << value
+          else
+            self[key] = value
+          end
+        end
+      end
+    end
+
+    def save
+      case File.extname(@file)
+      when ".json"
+        require 'json'
+        File.write(@file, @settings.to_json)
+      when ".yaml", ".yml"
+        require 'yaml'
+        File.write(@file, @settings.to_yaml)
+      else
+        to_write = flatten_hash(@settings).map do |key, value|
+          if value.is_a? Array
+            value.map do |array_value|
+              "#{key}=#{array_value}"
+            end.join("\n")
+          else
+            "#{key}=#{value}"
+          end
+        end.join("\n")
+        File.write(@file, to_write)
+      end
+    end
+
+    def flatten_hash(hash)
+      hash.reduce({}) do |result, pair|
+        key, value = pair
+        if value.is_a? Hash
+          flatten_hash(value).each do |suffix, subvalue|
+            result["#{key}.#{suffix}"] = subvalue
+          end
+        else
+          result[key] = value
+        end
+        result
+      end
+    end
+  end
+end

data/lib/kasefet/encrypted_flat_kv.rb

@@ -0,0 +1,64 @@
+require 'socket'
+
+require 'kasefet/flat_kv'
+
+class Kasefet
+  # FlatKV where values are stored encrypted on the disk
+  class EncryptedFlatKV < Kasefet::FlatKV
+    CipherIVLength = 12
+    CipherAuthTagLength = 16
+
+    def initialize(cipher_key:, **options)
+      super(**options)
+      @cipher = OpenSSL::Cipher.new("aes-256-gcm")
+      @cipher_key = cipher_key
+    end
+
+    attr_accessor :cipher_key
+
+    def reencrypt_all_values!(new_key)
+      old_key = @cipher_key
+
+      Dir[@root + "*" + "*" + "*"].each do |encrypted_file|
+        old_encrypted_value = File.binread(encrypted_file)
+        value = decrypt_value(old_encrypted_value, old_key)
+        new_encrypted_value = encrypt_value(value, new_key)
+        File.binwrite(encrypted_file, new_encrypted_value)
+      end
+      @cipher_key = new_key
+    end
+
+    def encrypt_value(value, cipher_key)
+      @cipher.encrypt
+      @cipher.key = cipher_key
+      iv = @cipher.random_iv
+      @cipher.iv = iv
+      @cipher.auth_data = ""
+      encrypted_value = @cipher.update(value) + @cipher.final
+      encrypted_value = @cipher.auth_tag + encrypted_value
+      encrypted_value = iv + encrypted_value
+      return encrypted_value
+    end
+
+    def decrypt_value(encrypted_value, cipher_key)
+      @cipher.decrypt
+      @cipher.key = cipher_key
+      @cipher.iv = encrypted_value[0...CipherIVLength]
+      encrypted_value = encrypted_value[CipherIVLength..-1]
+      @cipher.auth_tag = encrypted_value[0...CipherAuthTagLength]
+      encrypted_value = encrypted_value[CipherAuthTagLength..-1]
+      value = @cipher.update(encrypted_value) + @cipher.final
+      return value
+    end
+
+    def [](key)
+      encrypted_value = super(key)
+      return nil if encrypted_value.nil?
+      return decrypt_value(encrypted_value, @cipher_key)
+    end
+
+    def []=(key, value)
+      super(key, encrypt_value(value, @cipher_key))
+    end
+  end
+end

data/lib/kasefet/flat_kv.rb

@@ -0,0 +1,52 @@
+require 'openssl'
+require 'pathname'
+require 'socket'
+require 'fileutils'
+
+class Kasefet
+  # Flat file key value storage
+  #
+  # Flat-file based key-value storage engine that is designed to be compatible with naive sync programs
+  class FlatKV
+    # @option [String] :root The root directory of the FlatKV store
+    # @option [String] :device_name The device name to use to identify the writer
+    # @option [String] :extension The default extension to use for the value files
+    def initialize(root:, device_name: Socket.gethostname, extension: "")
+      @root = Pathname.new(root)
+      @extension = extension
+      @device_name = device_name
+    end
+
+    attr_accessor :root, :extension, :device_name
+
+    def extension=(value)
+      value = ".#{value}" unless value.start_with?(".")
+      @extension = value
+    end
+
+    def [](key)
+      value_file = file_for_key(key)
+      return nil unless value_file
+      return File.binread(value_file)
+    end
+
+    def []=(key, value)
+      key_dir = dir_for_key(key)
+      FileUtils.mkdir_p(key_dir)
+      value_file_name = Time.now.strftime("%Y%m%d.%H%M%S%6N.") + @device_name + @extension
+      File.binwrite(key_dir + value_file_name, value)
+    end
+
+    def file_for_key(key)
+      key_dir = dir_for_key(key)
+      files = Dir.glob(key_dir + "*#{@extension}")
+      return nil if files.empty?
+      return files.last
+    end
+
+    def dir_for_key(key)
+      digest = OpenSSL::Digest::SHA256.hexdigest(key)
+      return @root + digest[0..1] + digest[2..-1]
+    end
+  end
+end

data/lib/kasefet/master_key.rb

@@ -0,0 +1,94 @@
+require "openssl"
+
+class Kasefet
+  class MasterKey
+    PBKDF2SaltLength = 32
+    CipherKeyLength = 32
+    CipherIVLength = 12
+    CipherAuthTagLength = 16
+
+    def passphrase_to_key(passphrase, salt)
+      return OpenSSL::PKCS5.pbkdf2_hmac_sha1(passphrase, salt, 20000, CipherKeyLength)
+    end
+
+    def store_key_with_passphrase(passphrase)
+      cipher = OpenSSL::Cipher.new("aes-256-gcm")
+      salt = SecureRandom.random_bytes(PBKDF2SaltLength)
+      master_key = passphrase_to_key(passphrase, salt)
+      cipher.encrypt
+      cipher.iv = iv = cipher.random_iv
+      cipher.key = master_key
+      cipher.auth_data = ""
+      encrypted_key = cipher.update(@key) + cipher.final
+      encrypted_key = cipher.auth_tag + encrypted_key
+      encrypted_key = iv + encrypted_key
+      encrypted_key = salt + encrypted_key
+      File.binwrite(@file, encrypted_key)
+    end
+
+    def store_key_with_keyfile(keyfile)
+      cipher = OpenSSL::Cipher.new("aes-256-gcm")
+      master_key = File.binread(keyfile)
+      cipher.encrypt
+      cipher.iv = iv = cipher.random_iv
+      cipher.key = master_key
+      cipher.auth_data = ""
+      encrypted_key = cipher.update(@key) + cipher.final
+      encrypted_key = cipher.auth_tag + encrypted_key
+      encrypted_key = iv + encrypted_key
+      File.binwrite(@file, encrypted_key)
+    end
+
+    def load_key_with_keyfile(keyfile)
+      master_key = File.binread(keyfile)
+      cipher = OpenSSL::Cipher.new("aes-256-gcm")
+      cipher.decrypt
+      cipher.iv = @key[0...CipherIVLength]
+      @key = @key[CipherIVLength..-1]
+      cipher.auth_tag = @key[0...CipherAuthTagLength]
+      @key = @key[CipherAuthTagLength..-1]
+      cipher.key = master_key
+      @key = cipher.update(@key) + cipher.final
+    end
+
+    def load_key_with_passphrase(passphrase)
+      cipher = OpenSSL::Cipher.new("aes-256-gcm")
+      cipher.decrypt
+      salt = @key[0...PBKDF2SaltLength]
+      @key = @key[PBKDF2SaltLength..-1]
+      cipher.iv = @key[0...CipherIVLength]
+      @key = @key[CipherIVLength..-1]
+      cipher.auth_tag = @key[0...CipherAuthTagLength]
+      @key = @key[CipherAuthTagLength..-1]
+      cipher.key = passphrase_to_key(passphrase, salt)
+      @key = cipher.update(@key) + cipher.final
+    end
+
+    def initialize(file, passphrase: nil, keyfile: nil)
+      @file = file
+
+      # read in the key
+      if File.exist?(@file)
+        @key = File.binread(@file)
+        if passphrase
+          load_key_with_passphrase(passphrase)
+        elsif keyfile
+          load_key_with_keyfile(keyfile)
+        end
+      else
+        # this is a new wallet, generate a random key
+        cipher = OpenSSL::Cipher.new("aes-256-gcm")
+        @key = cipher.random_key
+        if passphrase
+          store_key_with_passphrase(passphrase)
+        elsif keyfile
+          store_key_with_keyfile(keyfile)
+        else
+          File.binwrite(@file, @key)
+        end
+      end
+    end
+
+    attr_accessor :key
+  end
+end

data/lib/kasefet/version.rb

@@ -0,0 +1,3 @@
+class Kasefet
+  VERSION = "0.1.0"
+end

data/lib/kasefet/wallet.rb

@@ -0,0 +1,48 @@
+require "fileutils"
+require "pathname"
+require "securerandom"
+require "kasefet/encrypted_flat_kv"
+require "kasefet/master_key"
+
+class Kasefet
+  class Wallet
+    VERSION = 1
+    METADATA_DIR = "metadata"
+    CREDENTIALS_DIR = "ksft"
+    KSFT_SALT_LENGTH = 16
+
+    def initialize(directory:, passphrase: nil, keyfile: nil)
+      @root = Pathname.new(directory)
+      FileUtils.mkdir_p(@root)
+
+      @master_key = Kasefet::MasterKey.new(@root + "key")
+
+      @metadata = Kasefet::EncryptedFlatKV.new(root: @root + METADATA_DIR, cipher_key: @master_key.key)
+
+      @wallet_version = @metadata["kasefet.wallet_version"]
+      if @wallet_version.nil?
+        @wallet_version = @metadata["kasefet.wallet_version"] = VERSION.to_s
+        @metadata["kasefet.name_salt"] = SecureRandom.random_bytes(KSFT_SALT_LENGTH)
+      end
+      @wallet_version = @wallet_version.to_i
+      raise "Unknown Kasefet Wallet version: #{@wallet_version}" unless @wallet_version <= VERSION
+
+      @name_salt = @metadata["kasefet.name_salt"]
+      @credentials = Kasefet::EncryptedFlatKV.new(root: @root + CREDENTIALS_DIR, cipher_key: @master_key.key)
+    end
+
+    attr_accessor :root
+
+    def salted_keyname(name)
+      return "#{@name_salt}/#{name}/#{@name_salt}"
+    end
+
+    def load(name)
+      return @credentials[salted_keyname(name)]
+    end
+
+    def store(name, creds)
+      @credentials[salted_keyname(name)] = creds
+    end
+  end
+end

data/lib/kasefet.rb

@@ -0,0 +1,5 @@
+require "kasefet/version"
+
+class Kasefet
+  # Your code goes here...
+end

metadata

@@ -0,0 +1,121 @@
+--- !ruby/object:Gem::Specification
+name: kasefet
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+platform: ruby
+authors:
+- Steven Karas
+autorequire: 
+bindir: exe
+cert_chain: []
+date: 2016-03-07 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.10'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.10'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '10.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '10.0'
+- !ruby/object:Gem::Dependency
+  name: thunder
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.7'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '0.7'
+- !ruby/object:Gem::Dependency
+  name: minitest
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+description: Kasefet is a password wallet built around flat files
+email:
+- steven.karas@gmail.com
+executables:
+- kasefet
+extensions: []
+extra_rdoc_files: []
+files:
+- ".gitignore"
+- ".travis.yml"
+- DESIGN.md
+- Gemfile
+- LICENSE.txt
+- PHILOSOPHY.md
+- README.md
+- Rakefile
+- bin/console
+- bin/setup
+- exe/kasefet
+- kasefet.gemspec
+- lib/kasefet.rb
+- lib/kasefet/cli.rb
+- lib/kasefet/config.rb
+- lib/kasefet/encrypted_flat_kv.rb
+- lib/kasefet/flat_kv.rb
+- lib/kasefet/master_key.rb
+- lib/kasefet/version.rb
+- lib/kasefet/wallet.rb
+homepage: https://github.com/stevenkaras/kasefet
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.5.1
+signing_key: 
+specification_version: 4
+summary: flat file-oriented password wallet
+test_files: []