1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
|
.TH ICEVAULT "1" "March 2015" "icevault" "User Commands"
.SH NAME
IceVault \- IceVault client user interface
.SH SYNOPSIS
.B icevault\fR [\fIOPTIONS\fR] [\fBfill\fR] \fIscheme\fR://\fIhostname\fR/\fIidentity\fR
.br
.B icevault\fR [\fIOPTIONS\fR] \fBinsert\fR [\fIidentity\fR]
.br
.B icevault\fR [\fIOPTIONS\fR] \fBdump\fR \fIscheme\fR://\fIhostname\fR/\fIidentity\fR
.br
.B icevault\fR [\fIOPTIONS\fR] \fBclip\fR \fIscheme\fR://\fIhostname\fR/\fIidentity\fR
.br
.B icevault\fR [\fIOPTIONS\fR] \fBedit\fR \fIscheme\fR://\fIhostname\fR/\fIidentity\fR
.SH DESCRIPTION
.B icevault\fR is an external password/login manager for Firefox. Its
threat model is arguably more secure than the builtin manager's, as the
browser is not granted direct access to the list of known HTML forms nor
their content: instead, managing forms is delegated to a separate
process, the \fBicevault\fR client, and the filling is done by manual
request.
Communication between the \fBicevault\fR client and the browser is done
via a UNIX socket, which the browser creates upon startup; usual UNIX
permissions can (and should) be used to restrict access to the socket.
Further isolation can be achieved by using different UIDs for the
browser and the \fBicevault\fR client.
Each form is stored in a separate file, encrypted separately with
\fIgpg\fR(1); cleartext are never stored on disk. Form history can be kept
track of by adding the encrypted files to a VCS as binary blobs. File
paths are of the form ".../\fIscheme\fR/\fIhostname\fR/\fIidentity\fR"
where \fIidentity\fR is an arbitrary user-chosen value (allowing
multiple identities for a given site); since the URI of the active tab
can be retrieved from the socket and since the URI of a stored form can
be recovered from its file path, phishing attacks are easily detected.
Like Firefox's builtin password manager, IceVault has some heuristics to
detect signup and password changing pages. In these cases, and if the
password fields are left blank, the (new) password is randomly chosen
using \fIpwgen\fR(1).
.SH COMMANDS
.TP
.B fill\fR \fIscheme\fR://\fIhostname\fR/\fIidentity\fR
If the scheme (resp. hostname) of the active tab of the active window is
not \fIscheme\fR (resp. \fIhostname\fR) the program assumes a phishing
attempt and aborts. Otherwise, the \fIidentity\fR file is decrypted and
used to fill a visible form on the browser.
Form selection is done by matching on the base URI; it fallbacks to the
first form containing a password; and further fallbacks to the first
form with a non-empty field.
Changes to the \fIidentity\fR are detected and can be saved on demand.
If \fIidentity\fR has a single password whereas the webpage has 2 (resp.
3), a signup (resp. password changing) page is assumed, and a new
password is randomly generated using \fIpwgen\fR(1) if the fields are
left blank.
.TP
.B insert\fR [\fIidentity\fR]
Create a new \fIscheme\fR://\fIhostname\fR/\fIidentity\fR URI available
for further \fBfill\fR and other commands.
Store the first visible form on the active tab of the active window which
contains a password (or the first visible form with a non-empty field if
no visible form has a password). If \fIidentity\fR is omitted, it
defaults to the value of the last textual value before the first
password (or the first textual value if the selected form has no
password).
If the webpage has 2 (resp. 3), a signup (resp. password changing) page
is assumed, and a new password is randomly generated using
\fIpwgen\fR(1) if the fields are left blank.
.TP
.B dump\fR \fIscheme\fR://\fIhostname\fR/\fIidentity\fR
Decrypt the \fIidentity\fR file and dump its content on the standard
output. Note that while the output is a valid YAML document, original
formatting may not be preserved; in particular, comments and empty lines
are stripped.
.TP
.B clip\fR \fIscheme\fR://\fIhostname\fR/\fIidentity\fR
Decrypt the \fIidentity\fR file and copy the first password to the
clipboard using \fIxclip\fR(1), with a maximum number of pastes of 1.
.TP
.B edit\fR \fIscheme\fR://\fIhostname\fR/\fIidentity\fR
Decrypt the \fIidentity\fR file to a temporary file and opens it using
the editor specified by the EDITOR environment variable. When the
editor exits, the file is reencrypted if the SHA-256 digest of its
content differs. Note that formatting and comments may not be preserved
by subsequent updates of the \fIidentity\fR file.
.SH OPTIONS
.TP
.B \-\-debug
Turn on debug mode.
.TP
.B \-h\fR, \fB\-\-help\fR
Output a brief help and exit.
.TP
.B \-p\fR, \fB\-\-show\-passwords\fR
By default passwords are redacted when printing forms to the standard
output. This flags turns off this behavior.
.TP
.B \-s\fR \fIsockpath\fR, \fB\-\-socket=\fR\fIsockpath\fR
Specify the path of the UNIX socket used to communicate with the
browser. If the path does not start with a slash "/", it is assumed to
be relative to the default Firefox profile (or first profile found if
there is no default profile) in the "~/.mozilla/firefox" directory.
.TP
.B \-\-version
Show the version number and exit.
.SH CONFIGURATION FILE
\fBicevault\fR reads it configuration from
\fI$XDG_CONFIG_HOME/icevault\fR, or \fI~/.config/icevault\fR if
XDG_CONFIG_HOME is unset.
Empty lines and comments (starting with a "#" characters are ignored).
Valid options are:
.TP
.I gpg
The \fIgpg\fR(1) binary to use. (Default: "gpg".)
.TP
.I keyid
The OpenPGP key ID used as encryption recipient. Must be given a
64-bits keyid or full fingerprint.
.TP
.I max-password-length
The maximum length for new passwords. (Default: "32".)
.TP
.I pwgen
The command to use to generate new random passwords. May contain "%d",
which expands to the password's "maxLength" attribute (capped with the
\fImax-password-length\fR option). The command is expected to output to
the standard output, and may add a newline character afterwards, which
is not considered part of the password.
(Default: "pwgen -s -cyn %d".)
.TP
.I socket
The path of the UNIX socket used to communicate with the browser. If
the path does not start with a slash "/", it is assumed to be relative
to the default Firefox profile (or first profile found if there is no
default profile) in the "~/.mozilla/firefox" directory.
(Default: "S.IceVault".)
.TP
.I store
The template mapping \fIscheme\fR://\fIhostname\fR/\fIidentity\fR URIs
to (encrypted) files on disk. Must contain "%s", "%h", and "%i", which
respectively expand to the \fIscheme\fR, \fIhostname\fR and
\fIidentity\fR parts of the URI.
(Default: "$XDG_DATA_HOME/icevault/%s/%h/%i.gpg", or
"~/.data/icevault/%s/%h/%i.gpg" if $XDG_DATA_HOME is unset.)
.SH AUTHOR
Guilhem Moulin <guilhem@fripost.org>
.SH SEE ALSO
\fBgpg\fR(1)
|