tome 0.1.0.pre

data/README.md

@@ -0,0 +1,113 @@
+## Tome
+
+Tome is a lightweight password manager with a humane command-line interface. It is meant to be simple and secure.
+
+*Disclaimer* I am not a security expert. I've only had limited formal training in security and cryptography.
+Now that I've scared off all but the bravest, feel free to look [under the hood](#under-the-hood) or
+at the security bits in [crypt.rb](https://github.com/schmich/tome/blob/master/lib/tome/crypt.rb).
+
+## Installation
+
+* Requires [Ruby 1.9.3](http://www.ruby-lang.org/en/downloads/) or newer.
+* *Coming soon* `gem install tome`
+
+## Usage
+
+The first time you run `tome`, you'll be asked to create a master password for your encrypted password database.
+Any operations involving your password database will require this master password.
+
+    > tome set linkedin.com
+    Creating tome database.
+    Master password:
+    Master password (verify):
+    Password:
+    Password (verify):
+    Created password for linkedin.com.
+
+Recalling a password is easy:
+
+    > tome get linkedin.com
+    Master password:
+    p4ssw0rd
+    
+In fact, it's even simpler than that. `tome get` does substring pattern matching to recall a password,
+so this works, too:
+
+    > tome get linked
+    Master password:
+    p4ssw0rd
+
+You can also generate and copy complex passwords without having to remember anything:
+
+    > tome generate last.fm
+    Master password:
+    Generated password for last.fm.
+
+    > tome get last
+    Master password:
+    Password for last.fm:
+    kizWy76F2@G(21c11(9Tf?f@43B!kq
+
+    > tome copy last
+    Master password:
+    Password for last.fm copied to clipboard.
+    
+If you want, you can specify a username with your domain:
+
+    > tome set foo@bar.com baz
+    Master password:
+    Created password for foo@bar.com.
+    
+    > tome get bar
+    Master password:
+    Password for foo@bar.com:
+    baz
+    
+See `tome help` for advanced commands and usage.
+
+## Philosophy
+
+Tome is meant to be simple and secure. Instead of having blind trust in the secure coding practices
+of every website you sign up with, you can use tome to help mitigate your risk and exposure.
+
+**Benefits**
+* Easily maintain unique per-site passwords.
+* Have complex passwords without having to remember them (see `tome generate`).
+* If a website leaks your password or its hash, you can quickly generate another unique complex password.
+* You can keep track of all of the various websites you have accounts with.
+
+**Drawbacks**
+* Single point of failure: if your `.tome` file is compromised, all of your passwords are potentially at risk.
+  The encryption on the `.tome` file is meant to mitigate this danger. Brute-force decryption should take significant
+  computing power and time. To further reduce risk, don't store usernames (e.g. do `tome set gmail.com` instead of `tome set foo@gmail.com`).
+* Dependence on the `.tome` file: if your `.tome` file is lost or corrupt and you forget your passwords, you'll have to reset them.
+* If you want access to your passwords on multiple machines, you'll have to sync the `.tome` file between machines.
+* Trust in *my* secure coding practices: I encourage you to look at the source yourself.
+
+## Under the hood
+
+All account and password information is stored in a single `.tome` file in the user's home directory. This file is
+YAML-formatted and stores the encrypted account and password information as well as the encryption parameters.
+These encryption parameters, along with the master password, are used to decrypt the password information.
+
+Each time the `.tome` file is modified, new encryption parameters (i.e. the salt and IV) are randomly generated
+and used for encryption.
+
+**Password database encryption**
+* Encryption algorithm: symmetric [AES-256](http://en.wikipedia.org/wiki/Advanced_Encryption_Standard)
+  [CBC](http://en.wikipedia.org/wiki/Block_cipher_modes_of_operation#Cipher-block_chaining_.28CBC.29)
+  using the [Ruby OpenSSL library](http://www.ruby-doc.org/stdlib-1.9.3/libdoc/openssl/rdoc/index.html).
+* Key derivation:
+ * [PBKDF2](http://en.wikipedia.org/wiki/PBKDF2)/[HMAC-SHA-512](http://en.wikipedia.org/wiki/SHA-2) with a master password.
+ * [UUID](http://en.wikipedia.org/wiki/UUID)-based random, probabilistically unique [salt](http://en.wikipedia.org/wiki/Salt_%28cryptography%29)
+   from [SecureRandom#uuid](http://www.ruby-doc.org/stdlib-1.9.3/libdoc/securerandom/rdoc/SecureRandom.html#method-c-uuid).
+ * Randomly-generated [IV](http://en.wikipedia.org/wiki/Initialization_vector) from [OpenSSL::Cipher#random_iv](http://www.ruby-doc.org/stdlib-1.9.3/libdoc/openssl/rdoc/OpenSSL/Cipher.html#method-i-random_iv).
+ * 100,000 [key stretch](http://en.wikipedia.org/wiki/Key_stretching) iterations.
+
+## Contributing
+
+*TODO*
+
+## License
+
+*TODO*

data/bin/tome

@@ -0,0 +1,5 @@
+#!/usr/bin/env ruby
+
+require 'tome'
+tome_filename = File.join(Dir.home, '.tome')
+exit(Tome::Command.run(tome_filename, ARGV))

data/lib/tome.rb

@@ -0,0 +1,4 @@
+require 'tome/tome'
+require 'tome/command'
+require 'tome/crypt'
+require 'tome/version'

data/lib/tome/command.rb

@@ -0,0 +1,595 @@
+require 'io/console'
+require 'passgen'
+require 'clipboard'
+
+module Tome
+  class CommandError < RuntimeError
+  end
+
+  class Command
+    private_class_method :new 
+
+    def self.run(tome_filename, args, stdout = $stdout, stderr = $stderr, stdin = $stdin)
+      command = new()
+      return command.send(:run, tome_filename, args, stdout, stderr, stdin)
+    end
+
+  private
+    def run(tome_filename, args, stdout, stderr, stdin)
+      @out = stdout
+      @err = stderr
+      @in = stdin
+      @tome_filename = tome_filename
+      
+      if args.length < 1
+        usage()
+        return 1
+      end
+
+      begin
+        handle_command(args)
+      rescue CommandError => error
+        @err.puts error.message
+        return 1
+      end
+
+      return 0
+    end
+
+    def handle_command(args)
+      # TODO: Handle 'command --help', e.g. 'tome set --help'.
+
+      command = command_from_arg(args[0])
+
+      if command.nil?
+        raise CommandError, "Unrecognized command: #{args[0]}.\n\n#{$usage}"
+      end
+
+      args.shift
+      send(command, args) 
+    end
+
+    def command_from_arg(arg)
+      commands = {
+        /\A(help|-h|--help)\z/i => :help,
+        /\A(version|ver|-v|--version)\z/i => :version,
+        /\A(set|s)\z/i => :set,
+        /\A(get|g|show)\z/i => :get,
+        /\A(delete|del|d|rm|remove)\z/i => :delete,
+        /\A(generate|gen)\z/i => :generate,
+        /\A(copy|cp)\z/i => :copy,
+        /\A(rename|ren|rn)\z/i => :rename,
+        /\A(list|ls)\z/i => :list
+      }
+
+      commands.each { |pattern, command|
+        return command if arg =~ pattern
+      }
+
+      return nil
+    end
+
+    def help(args)
+      if args.length > 1
+        raise CommandError, "Invalid arguments.\n\n#{$usage}"
+      end
+
+      if args.empty?
+        usage()
+        return
+      end
+
+      command = command_from_arg(args[0])
+
+      if command.nil?
+        raise CommandError, "No help for unrecognized command: #{args[0]}.\n\n#{$usage}"
+      end
+
+      help = {
+        :help => $help_usage,
+        :set => $set_usage,
+        :get => $get_usage,
+        :delete => $delete_usage,
+        :generate => $generate_usage,
+        :copy => $copy_usage,
+        :rename => $rename_usage,
+        :list => $list_usage
+      }
+
+      usage = help[command]
+      if usage.nil?
+        raise CommandError, "No help available for command: #{args[0]}."
+      end
+
+      @out.puts usage
+    end
+
+    def version(args)
+      @out.puts "tome version #{$version}"
+    end
+
+    def set(args)
+      if args.length < 1 || args.length > 2
+        raise CommandError, "Invalid arguments.\n\n#{$set_usage}"
+      end
+      
+      tome = tome_create_connect()
+
+      case args.length
+        # TODO: Validate that first argument is in [username@]domain form.
+
+        # tome set bar.com
+        # tome set foo@bar.com
+        when 1
+          id = args[0]
+          password = prompt_password()
+
+        # tome set bar.com p4ssw0rd
+        # tome set foo@bar.com p4ssw0rd
+        when 2
+          id = args[0]
+          password = args[1]
+      end
+
+      exists = !tome.get(id).nil?
+      if exists
+        confirm = prompt_confirm("A password already exists for #{id}. Overwrite (y/n)? ")
+        if !confirm
+          raise CommandError, 'Aborted.'
+        end
+      end
+
+      created = tome.set(id, password)
+      if created
+        @out.print 'Created '
+      else
+        @out.print 'Updated '
+      end
+
+      @out.puts "password for #{id}."
+    end
+
+    def get(args)
+      if args.length != 1
+        raise CommandError, "Invalid arguments.\n\n#{$get_usage}"
+      end
+      
+      # tome get bar.com
+      # tome get foo@bar.com
+      pattern = args[0]
+
+      tome = tome_connect()
+      matches = tome.find(pattern)
+
+      if matches.empty?
+        raise CommandError, "No password found for #{pattern}."
+      elsif matches.count == 1
+        match = matches.first
+        @out.puts "Password for #{match.first}:"
+        @out.puts match.last
+      else
+        @out.puts "Multiple matches for #{pattern}:"
+        matches.each { |key, password|
+          @out.puts "#{key}: #{password}"
+        }
+      end
+    end
+
+    def delete(args)
+      if args.length != 1
+        raise CommandError, "Invalid arguments.\n\n#{$delete_usage}"
+      end
+
+      tome = tome_connect()
+
+      # tome del bar.com
+      # tome del foo@bar.com
+      id = args[0]
+
+      exists = !tome.get(id).nil?
+      if exists
+        confirmed = prompt_confirm("Are you sure you want to delete the password for #{id} (y/n)? ")
+        if !confirmed
+          raise CommandError, 'Aborted.'
+        end
+      end
+
+      deleted = tome.delete(id)
+
+      if deleted
+        @out.puts "Deleted password for #{id}."
+      else
+        @out.puts "No password found for #{id}."
+      end
+    end
+
+    def generate(args)
+      if args.length != 1
+        raise CommandError, "Invalid arguments.\n\n#{$generate_usage}"
+      end
+      
+      tome = tome_create_connect()
+
+      # tome gen bar.com
+      # tome gen foo@bar.com
+      id = args[0]
+      password = generate_password()
+
+      exists = !tome.get(id).nil?
+      if exists
+        confirm = prompt_confirm("A password already exists for #{id}. Overwrite (y/n)? ")
+        if !confirm
+          raise CommandError, 'Aborted.'
+        end
+      end
+
+      created = tome.set(id, password)
+
+      if created
+        @out.puts "Generated password for #{id}."
+      else
+        @out.puts "Updated #{id} with the generated password."
+      end
+    end
+
+    def copy(args)
+      if args.length != 1
+        raise CommandError, "Invalid arguments.\n\n#{$copy_usage}"
+      end
+
+      # tome cp bar.com
+      # tome cp foo@bar.com
+      pattern = args[0]
+
+      tome = tome_connect()
+      matches = tome.find(pattern)
+
+      if matches.empty?
+        raise CommandError, "No password found for #{pattern}."
+      elsif matches.count > 1
+        message = "Found multiple matches for #{pattern}. Did you mean one of the following?\n\n"
+        error.matches.each { |match|
+          message += "\t#{match}\n"
+        }
+
+        raise CommandError, message
+      else
+        match = matches.first
+        password = match.last
+
+        Clipboard.copy password
+        if Clipboard.paste == password
+          @out.puts "Password for #{match.first} copied to clipboard."
+        else
+          @err.puts "Failed to copy password for #{match.first} to clipboard."
+        end
+      end
+    end
+
+    def list(args)
+      if !args.empty?
+        raise CommandError, "Invalid arguments.\n\n#{$list_usage}"
+      end
+
+      tome = tome_connect()
+
+      count = 0
+      tome.each_password { |id, password|
+        @out.puts "#{id}: #{password}"
+        count += 1
+      }
+
+      if count == 0
+        @out.puts 'No passwords stored.'
+      end
+    end
+
+    def rename(args)
+      if args.count != 2
+        raise CommandError, "Invalid arguments.\n\n#{$rename_usage}"
+      end
+
+      tome = tome_connect()
+
+      old_id = args[0]
+      new_id = args[1]
+
+      overwriting = !tome.get(new_id).nil?
+      if overwriting
+        confirm = prompt_confirm("A password already exists for #{new_id}. Overwrite (y/n)? ")
+        if !confirm
+          raise CommandError, 'Aborted.'
+        end
+      end
+
+      renamed = tome.rename(old_id, new_id)
+      
+      if !renamed
+        raise CommandError, "#{old_id} does not exist."
+      else
+        @out.puts "#{old_id} renamed to #{new_id}."
+      end
+    end
+
+    def generate_password
+      Passgen.generate(:length => 30, :symbols => true)
+    end
+
+    def prompt_password(prompt = 'Password')
+      begin
+        @err.print "#{prompt}: "
+        password = input_password()
+
+        if password.empty?
+          @err.puts 'Password cannot be blank.'
+          raise
+        end
+
+        @err.print "#{prompt} (verify): "
+        verify = input_password()
+
+        if verify != password
+          @err.puts 'Passwords do not match.'
+          raise
+        end
+      rescue
+        retry
+      end
+
+      return password
+    end
+
+    def input_password
+      @in.noecho { |stdin|
+        password = stdin.gets.sub(/[\r\n]+\z/, '')
+        @err.puts
+
+        return password
+      }
+    end
+
+    def prompt_confirm(prompt)
+      begin
+        @out.print prompt
+
+        confirm = @in.gets.strip
+
+        if confirm =~ /\Ay/i
+          return true
+        elsif confirm =~ /\An/i
+          return false
+        end
+      rescue
+        retry
+      end
+    end
+
+    def usage
+      @err.puts "tome version #{$version}"
+      @err.puts
+      @err.puts $usage
+    end
+
+    def tome_connect
+      if !Tome.exists?(@tome_filename)
+        raise CommandError, "Tome database does not exist. Use 'tome set' or 'tome generate' to create a password first."
+      end
+
+      begin
+        @err.print 'Master password: '
+        master_password = input_password()
+        tome = Tome.new(@tome_filename, master_password)
+      rescue MasterPasswordError
+        @err.puts 'Incorrect master password.'
+        retry
+      end
+
+      return tome
+    end
+
+    def tome_create_connect
+      if !Tome.exists?(@tome_filename)
+        @out.puts 'Creating tome database.'
+        master_password = prompt_password('Master password')
+        tome = Tome.create!(@tome_filename, master_password)
+      else
+        tome = tome_connect()
+      end
+    end
+  end
+
+# TODO: Complete these.
+$usage = <<END
+Usage:
+
+    tome set [user@]<domain> [password]
+
+        Create or update the password for an account.
+        Example: tome set foo@gmail.com
+
+    tome generate [user@]<domain>
+
+        Generate a random password for an account.
+        Example: tome generate reddit.com
+
+    tome get <pattern>
+
+        Show the passwords for all accounts matching the pattern.
+        Example: tome get youtube
+
+    tome copy <pattern>
+
+        Copy the password for the account matching the pattern.
+        Example: tome copy news.ycombinator.com
+
+    tome list
+
+        Show all stored accounts and passwords.
+        Example: tome list
+
+    tome delete [user@]<domain>
+
+        Delete the password for an account.
+        Example: tome delete foo@slashdot.org
+
+    tome rename <old> <new>
+
+        Rename the account information stored.
+        Example: tome rename twitter.com foo@twitter.com
+
+    tome help
+
+        Shows help for a specific command.
+        Example: tome help set
+
+    tome version
+
+        Shows the version of tome.
+        Example: tome version
+END
+
+$help_usage = <<END
+tome help
+
+    Shows help for a specific command.
+
+Usage:
+
+    tome help
+    tome help <command>
+
+Examples:
+
+    tome help
+    tome help set
+    tome help help (so meta)
+
+Alias: help, --help, -h
+END
+
+$set_usage = <<END
+tome set
+
+    Create or update the password for an account. The user is optional.
+    If you do not specify a password, you will be prompted for one.
+
+Usage:
+
+    tome set [user@]<domain> [password]
+
+Examples:
+
+    tome set gmail.com
+    tome set gmail.com p4ssw0rd
+    tome set foo@gmail.com
+    tome set foo@gmail.com p4ssw0rd
+
+Alias: set, s
+END
+
+$get_usage = <<END
+tome get
+
+    Show the passwords for all accounts matching the pattern.
+    Matching is done with substring search. Wildcards are not supported.
+
+Usage:
+
+    tome get <pattern>
+
+Examples:
+
+    tome get gmail
+    tome get foo@
+    tome get foo@gmail.com
+
+Alias: get, g, show
+END
+
+$delete_usage = <<END
+tome delete
+
+    Delete the password for an account.
+
+Usage:
+
+    tome delete [user@]<domain>
+
+Examples:
+
+    tome delete gmail.com
+    tome delete foo@gmail.com
+
+Alias: delete, del, d, remove, rm
+END
+
+$generate_usage = <<END
+tome generate
+
+    Generate a random password for an account. The user is optional.
+
+Usage:
+
+    tome generate [user@]<domain>
+
+Examples:
+
+    tome generate gmail.com
+    tome generate foo@gmail.com
+
+Alias: generate, gen
+END
+
+$copy_usage = <<END
+tome copy
+
+    Copy the password for the account matching the pattern.
+    If more than one account matches the pattern, nothing happens.
+    Matching is done with substring search. Wildcards are not supported.
+
+Usage:
+
+    tome copy <pattern>
+
+Examples:
+
+    tome copy gmail
+    tome copy foo@
+    tome copy foo@gmail.com
+
+Alias: copy, cp
+END
+
+$list_usage = <<END
+tome list
+
+    Show all stored accounts and passwords.
+
+Usage:
+
+    tome list
+
+Examples:
+
+    tome list
+
+Alias: list, ls
+END
+
+$rename_usage = <<END
+tome rename
+
+    Rename the account information stored.
+
+Usage:
+
+    tome rename <old> <new>
+
+Examples:
+
+    tome rename gmail.com foo@gmail.com
+    tome rename foo@gmail.com bar@gmail.com
+
+Alias: rename, ren, rn
+END
+end

data/lib/tome/crypt.rb

@@ -0,0 +1,56 @@
+require 'openssl'
+require 'securerandom'
+
+module Tome
+  class Crypt
+    def self.encrypt(opts = {})
+      crypt :encrypt, opts
+    end
+
+    def self.decrypt(opts = {})
+      crypt :decrypt, opts
+    end
+
+    def self.new_iv
+      new_cipher.random_iv
+    end
+
+    def self.new_salt
+      SecureRandom.uuid
+    end
+
+  private
+    def self.new_cipher
+      OpenSSL::Cipher::AES.new(256, :CBC)
+    end
+
+    def self.crypt(method, opts)
+      raise ArgumentError if
+        opts.nil? || opts.empty? || opts[:value].nil? ||
+        opts[:password].nil? || opts[:password].empty? ||
+        opts[:salt].nil? || opts[:salt].empty? ||
+        opts[:iv].nil? || opts[:iv].empty? ||
+        opts[:stretch].nil? || opts[:stretch].nil?
+
+      cipher = new_cipher
+      cipher.send(method)
+
+      cipher.key = crypt_key(opts)
+      cipher.iv = opts[:iv]
+
+      result = cipher.update(opts[:value])
+      result << cipher.final
+      return result
+    end
+
+    def self.crypt_key(opts)
+      password = opts[:password]
+      salt = opts[:salt]
+      iterations = opts[:stretch]
+      key_length = 32 # 256 bits
+      hash = OpenSSL::Digest::SHA512.new
+
+      return OpenSSL::PKCS5.pbkdf2_hmac(password, salt, iterations, key_length, hash)
+    end
+  end
+end

data/lib/tome/tome.rb

@@ -0,0 +1,264 @@
+require 'yaml'
+require 'fileutils'
+
+module Tome
+  class MasterPasswordError < RuntimeError
+  end
+
+  class Tome
+    def self.exists?(tome_filename)
+      return !load_tome(tome_filename).nil?
+    end
+
+    def self.create!(tome_filename, master_password, stretch = 100_000)
+      save_tome(tome_filename, new_tome(stretch), {}, master_password)
+      return Tome.new(tome_filename, master_password)
+    end
+
+    def initialize(tome_filename, master_password)
+      @tome_filename = tome_filename
+      @master_password = master_password
+
+      # TODO: This is suboptimal. We are loading the store
+      # twice for most operations because of this authentication.
+      authenticate()
+    end
+
+    def set(id, password)
+      if id.nil? || id.empty? || password.nil? || password.empty?
+        raise ArgumentError
+      end
+
+      return writable_store do |store|
+        set_by_id(store, id, password)
+      end
+    end
+
+    def get(id)
+      if id.nil? || id.empty?
+        raise ArgumentError
+      end
+
+      return readable_store do |store|
+        get_by_id(store, id)
+      end
+    end
+
+    def find(pattern)
+      if pattern.nil? || pattern.empty?
+        raise ArgumentError
+      end
+
+      return readable_store do |store|
+        get_by_pattern(store, pattern)
+      end
+    end
+
+    def delete(id)
+      if id.nil? || id.empty?
+        raise ArgumentError
+      end
+
+      return writable_store do |store|
+        delete_by_id(store, id)
+      end
+    end
+
+    def rename(old_id, new_id)
+      if old_id.nil? || old_id.empty? || new_id.nil? || new_id.empty?
+        raise ArgumentError
+      end
+
+      return writable_store do |store|
+        rename_by_id(store, old_id, new_id)
+      end
+    end
+
+    def each_password
+      if !block_given?
+        raise ArgumentError
+      end
+
+      readable_store do |store|
+        store.each { |id, info|
+          yield id, info[:password]
+        }
+      end 
+    end
+
+  private
+    def set_by_id(store, id, password)
+      created = !store.include?(id)
+
+      store[id] = {}
+      store[id][:password] = password
+
+      return created
+    end
+
+    def get_by_pattern(store, pattern)
+      find_by_pattern(store, pattern).map { |key, value|
+        { key => value[:password] }
+      }.inject { |hash, item|
+        hash.merge!(item)
+      } || {}
+    end
+
+    def get_by_id(store, id)
+      store[id]
+    end
+
+    def delete_by_id(store, id)
+      same = store.reject! { |key, info|
+        key.casecmp(id) == 0
+      }.nil?
+
+      return !same
+    end
+
+    def find_by_pattern(store, pattern)
+      return {} if pattern.nil?
+
+      # TODO: Better matching. Should allow separated
+      # substring matching. Exact match > solid substrings > separated substrings.
+
+      exact = store.select { |key, info|
+        key.casecmp(pattern) == 0
+      }
+
+      return exact if !exact.empty?
+
+      return store.select { |key, info|
+        key =~ /#{pattern}/i
+      }
+    end
+    
+    def rename_by_id(store, old_id, new_id)
+      if store[old_id].nil?
+        return false
+      else
+        values = store[old_id]
+        store.delete(old_id)
+        store[new_id] = values
+        return true
+      end
+    end
+
+    def self.load_tome(tome_filename)
+      return nil if !File.exist?(tome_filename)
+
+      contents = File.open(tome_filename, 'rb') { |file| file.read }
+      return nil if contents.length == 0
+
+      values = YAML.load(contents)
+      return nil if !values
+
+      # TODO: Throw if these values are nil.
+      # TODO: Verify version number, raise if incompatible.
+      return {
+        :version => values[:version],
+        :salt => values[:salt],
+        :iv => values[:iv],
+        :stretch => values[:stretch],
+        :store => values[:store] 
+      }
+    end
+
+    def load_store(tome)
+      if tome.nil?
+        raise ArgumentError
+      end
+
+      begin
+        store_yaml = Crypt.decrypt(
+          :value => tome[:store],
+          :password => @master_password,
+          :stretch => tome[:stretch],
+          :salt => tome[:salt],
+          :iv => tome[:iv]
+        )
+      rescue ArgumentError
+        # TODO: Should probably be raising an error here.
+        return {}
+      rescue OpenSSL::Cipher::CipherError
+        raise MasterPasswordError
+      end
+
+      store = YAML.load(store_yaml)
+      return store || {}
+    end
+
+    def self.save_tome(tome_filename, tome, store, master_password)
+      if tome.nil? || store.nil? || master_password.nil? || master_password.empty?
+        raise ArgumentError
+      end
+
+      store_yaml = YAML.dump(store)
+
+      new_salt = Crypt.new_salt
+      new_iv = Crypt.new_iv
+
+      encrypted_store = Crypt.encrypt(
+        :value => store_yaml, 
+        :password => master_password,
+        :salt => new_salt,
+        :iv => new_iv,
+        :stretch => tome[:stretch]
+      )
+
+      contents = tome.merge({
+        :version => FILE_VERSION,
+        :store => encrypted_store,
+        :salt => new_salt,
+        :iv => new_iv
+      })
+
+      File.open(tome_filename, 'wb') do |file|
+        YAML.dump(contents, file)
+      end
+    end
+
+    def readable_store()
+      tome = Tome.load_tome(@tome_filename)
+      store = load_store(tome)
+
+      result = yield store
+
+      store = nil
+      GC.start
+
+      return result
+    end
+
+    def writable_store()
+      tome = Tome.load_tome(@tome_filename)
+      store = load_store(tome)
+
+      result = yield store
+
+      Tome.save_tome(@tome_filename, tome, store, @master_password)
+      store = nil
+
+      GC.start
+
+      return result
+    end
+
+    def self.new_tome(stretch)
+      {
+        :store => {},
+        :salt => Crypt.new_salt,
+        :iv => Crypt.new_iv,
+        :stretch => stretch
+      }
+    end
+
+    def authenticate
+      # Force a read.
+      # If the master password is invalid, the access exception will propagate.
+      readable_store { }
+    end
+
+    FILE_VERSION = 1
+  end
+end

data/lib/tome/version.rb

@@ -0,0 +1 @@
+$version = '0.1.0.pre'

metadata

@@ -0,0 +1,101 @@
+--- !ruby/object:Gem::Specification
+name: tome
+version: !ruby/object:Gem::Version
+  version: 0.1.0.pre
+  prerelease: 6
+platform: ruby
+authors:
+- Chris Schmich
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2012-06-12 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: passgen
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '1.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '1.0'
+- !ruby/object:Gem::Dependency
+  name: clipboard
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '1.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '1.0'
+- !ruby/object:Gem::Dependency
+  name: ffi
+  requirement: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '1.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ~>
+      - !ruby/object:Gem::Version
+        version: '1.0'
+description: Lightweight password manager with a humane command-line interface. Manage
+  your passwords with a single master password.
+email: schmch@gmail.com
+executables:
+- tome
+extensions: []
+extra_rdoc_files: []
+files:
+- lib/tome/command.rb
+- lib/tome/crypt.rb
+- lib/tome/tome.rb
+- lib/tome/version.rb
+- lib/tome.rb
+- bin/tome
+- README.md
+homepage: https://github.com/schmich/tome
+licenses: []
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: 1.9.3
+required_rubygems_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>'
+    - !ruby/object:Gem::Version
+      version: 1.3.1
+requirements: []
+rubyforge_project: 
+rubygems_version: 1.8.24
+signing_key: 
+specification_version: 3
+summary: Lightweight command-line password manager.
+test_files: []