# Chiff CLI
![Current version](https://img.shields.io/github/v/tag/chiff-app/chiff-cli?sort=semver) ![PyPI](https://img.shields.io/pypi/v/chiff) [![Code style: black](https://img.shields.io/badge/code%20style-black-000000.svg)](https://github.com/psf/black) [![Python](https://github.com/chiff-app/chiff-cli/actions/workflows/test.yml/badge.svg)](https://github.com/chiff-app/chiff-cli/actions/workflows/test.yml) ![Twitter Follow](https://img.shields.io/twitter/follow/Chiff_App?style=social)
![Chiff logo](https://chiff.app/assets/images/logo.svg)
Chiff is a tool that allows you to store secrets in the secure storage of your phone and retrieve them when you need them by authorizing a request.
You can pair the app with multiple clients (browser extension or shell).
## Motivation
SSH keys are stored in plaintext on your computer by default, unless you choose a passphrase. However, it can be cumbersome to retype your passphrase every time you need to decrypt your keys. The same applies to credentials for various CLIs. For example, the [official AWS CLI documentation](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html) recommends storing your credentials in `~/.aws/credentials`.
With Chiff, you can leverage the biometric capabilities and secure storage of your phone to authenticate to services on your computer. You can pair with multiple shells to be able to retrieve credentials there.
## Security model
All sensitive data is stored encrypted on your phone. When needed, it is decrypted (by authenticating to your phone with biometrics) and sent to the browser/CLI, where it is filled in on the website. An end-to-end encrypted channel is established between the browser/CLI and your phone by scanning a QR code. This means confidentiality is ensured, even though the server (mainly serving as message broker and backup storage) is modelled as an untrusted entity.
## Related projects
This is the repository for the _CLI_.
For the _Android app_, see [chiff-android](https://github.com/chiff-app/chiff-android) (_Coming soon_).
For the _Browser extension_, see [chiff-browser](https://github.com/chiff-app/chiff-browser) (_Coming soon_).
For the _iOS app_, see [chiff-ios](https://github.com/chiff-app/chiff-ios).
For the _iOS app core_, see [chiff-ios-core](https://github.com/chiff-app/chiff-ios-core).
## Installation
The package is available on PyPI.
The easiest way is to use [pipx](https://github.com/pypa/pipx): `pipx install chiff`. This should install `chiff` and `chiffd` to your shell.
## Installation from source
After cloning the project, you can build it using [poetry](https://python-poetry.org).
Run `poetry build` to build the source package and wheel binary. Install the script with `pipx install ./`. This should install `chiff` and `chiffd` to your shell.
## Set-up
To set up the ssh-agent, you can run `chiff init`. This sets up `chiffd` as a background script and adds the following to your `~/.ssh/config`:
```
Host *
    IdentityAgent "~/Library/Application Support/Chiff/chiff-socket.ssh"
```
You can also set this up manually. For example, if you only want to use Chiff for specific hosts you can set
`IdentityAgent "~/Library/Application Support/Chiff/chiff-socket.ssh"`
for hosts that should use Chiff.
### Get the Chiff app
Get the Chiff app on App Store or Play Store:
[<img src="https://chiff.app/assets/images/app-store.svg" />](https://apps.apple.com/app/id1361749715)
[<img src="https://chiff.app/assets/images/play-store.svg" height="40" />](https://play.google.com/store/apps/details?id=io.keyn.keyn)
Follow the onboarding instructions in the app. When the app asks you to pair with your browser, you can pair with this CLI instead (see [Pairing](#pairing)).
## Usage
### Pairing
The first thing you should do is pair with your phone with `chiff pair`. This generates a QR code that you can scan with the Chiff app. After pairing, you can see your accounts with `chiff status`.
You can only be paired with one app at a time, so if you want to pair with another phone, run `chiff unpair` to delete the session.
### Generating an SSH key
You can generate an SSH key on your phone with `chiff ssh-keygen -n <name>`. This sends a request to your phone to generate the key.
Chiff can generate two types of keys:
1. **Ed25519**: This is the default algorithm. The key is backed up on your chiff seed and can be restored. _The key is not generated in the Secure Enclave_.
2. **ECDSA256**: This key can be generated with the `-e` flag and is generated in the Secure Enclave (iOS only). This is more secure, _but the key won't be restored with your backup_.
Pick whatever suits your needs. Generating the key will directly print out the ssh public key, but you can always find this by running `chiff status`.
### Logging in with ssh
Make sure `chiffd` is running, the `IdentityAgent` is set up in your `~/.ssh/config` and the host has the public key set in `~/.ssh/authorized_keys`. Then just log in with `ssh user@host` and you should get a push message on your phone. If the key is not present in Chiff, the request is forwarded to the original `ssh-agent`.
### Retrieving passwords
The Chiff CLI allows you to get passwords and notes from your accounts with `chiff get`. It takes the following arguments:
```bash
  -i, --id TEXT      The id of the account you want the data for  [required]
  -n, --notes        Return the notes of the account
  -j, --format-json  Return account in JSON format ({ "username": "example",
                     "password": "secret", "notes": "important note" |
                     undefined })
```
By default, it just returns the password without any extra output, so it can easily be used in scripts.
The account id is required and can be found by checking the overview with `chiff status`.
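An added example (not part of the Chiff project's code) of using `chiff get -j` from a Python script: it parses the JSON shape shown in the help text and hands the password to a child process through its environment, so the secret is not written to a file or placed on a command line. The function names, the timeout value and the assumption that a denied or failed request exits non-zero are illustrative.

```python
import json
import os
import subprocess

APPROVAL_TIMEOUT = 120  # seconds to wait for approval on the phone (assumed value)


def fetch_account(account_id, run=subprocess.run):
    """Call `chiff get -i <id> -j` and return the parsed account dict."""
    # Argument list, no shell: the account id is never interpreted by a shell.
    proc = run(
        ["chiff", "get", "-i", account_id, "-j"],
        capture_output=True, text=True, timeout=APPROVAL_TIMEOUT,
    )
    if proc.returncode != 0:
        # Assumption: a denied or failed request exits non-zero.
        raise RuntimeError(f"chiff get failed with exit code {proc.returncode}")
    account = json.loads(proc.stdout)
    for field in ("username", "password"):
        if not isinstance(account.get(field), str):
            raise ValueError(f"chiff output has no usable {field!r} field")
    # Per the help text, "notes" may be undefined, i.e. absent from the JSON.
    account.setdefault("notes", None)
    return account


def child_env(account, password_var, base_env=None):
    """Return a copy of the environment with the password under password_var."""
    env = dict(os.environ if base_env is None else base_env)
    env[password_var] = account["password"]
    return env


def run_with_password(account_id, password_var, argv, run=subprocess.run):
    """Run argv with the account's password present only in its environment."""
    account = fetch_account(account_id, run=run)
    return run(argv, env=child_env(account, password_var), check=False)
```

The `run` parameter exists so the wrapper can be exercised with a stand-in instead of a paired phone.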
### Adding accounts
Add new accounts with `chiff add`. It takes the following arguments:
```bash
  -u, --username TEXT  The username of the account you want to add  [required]
  -l, --url TEXT       The URL of the account you want to add  [required]
  -s, --name TEXT      The name of the account you want to add  [required]
  -p, --password TEXT  The password of the account you want to add. Will be
                       prompted for if not provided
  -n, --notes TEXT     The notes of the account you want to add
```
This will send a request to your phone, where you can authorize the account.
### Updating accounts
Similarly, you can update existing accounts with `chiff update`.
```bash
  -i, --id TEXT        The id of the account you want the data for  [required]
  -u, --username TEXT  The username of the account you want to update
  -l, --url TEXT       The URL of the account you want to update
  -s, --name TEXT      The name of the account you want to update
  -p, --password TEXT  The password of the account you want to update. Will be
                       prompted for if argument is not provided
  -n, --notes TEXT     The notes of the account you want to update
```
The account id is required and can be found by checking the overview with `chiff status`.
### Importing
You can import accounts from a CSV, JSON or kdbx file with `chiff import`.
```bash
  -f, --format [csv|json|kdbx]  The input format. If data is written to a
                                .kdbx database, the path to anexisting .kdbx
                                database file needs to be provided with -p.
                                [required]
  -p, --path PATH               The path to where the file should be read
                                from.  [required]
  -s, --skip                    Whether the first row should be skipped. Only
                                relevant when format is CSV.
```
#### Importing from CSV
Import from a csv file with `chiff import -f csv -p <path>`. You can skip the first row with the `-s` flag. The data is expected to be separated with commas, for example:
```
"title", "url", "username", "password", "notes"
"Google", "https://google.com", "john_doe@gmail.com", "p@ssword", "important note"
```
#### Importing from JSON
Import from a json file with `chiff import -f json -p <path>`. The data is expected to be formatted as follows:
```json
[
{
"title": "Google",
"url": "https://google.com",
"username": "john_doe@gmail.com",
"password": "p@ssword",
"notes": "important note"
}
]
```
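An added example (not part of the Chiff project's code) that checks a CSV export in the column order shown above before it is handed to `chiff import`, and writes the accepted rows in the JSON layout shown above to a file only the owner can read. Treating "present and correct" as "an http(s) URL with a hostname", always emitting a `notes` key, and the function names are assumptions of this example.

```python
import csv
import io
import json
import os
from urllib.parse import urlsplit

REQUIRED = ("title", "url", "username", "password")  # notes is optional
FIELDS = REQUIRED + ("notes",)


def parse_export(text, skip_header=True):
    """Parse CSV text with columns title,url,username,password,notes.

    Returns (records, problems); problems lists the rows that were left out.
    """
    # skipinitialspace handles the `"a", "b"` quoting style of the sample above.
    reader = csv.reader(io.StringIO(text), skipinitialspace=True)
    records, problems = [], []
    for rowno, row in enumerate(reader, start=1):
        if rowno == 1 and skip_header:
            continue
        if not any(cell.strip() for cell in row):
            continue  # blank line
        if not 4 <= len(row) <= 5:
            problems.append((rowno, f"expected 4 or 5 columns, got {len(row)}"))
            continue
        rec = dict(zip(FIELDS, row))  # the password is kept byte-for-byte
        rec.setdefault("notes", "")
        rec["url"] = rec["url"].strip()
        missing = [f for f in REQUIRED if not rec[f].strip()]
        if missing:
            problems.append((rowno, "empty " + ", ".join(missing)))
            continue
        url = urlsplit(rec["url"])
        if url.scheme not in ("http", "https") or not url.hostname:
            problems.append((rowno, f"not an http(s) URL: {rec['url']!r}"))
            continue
        records.append(rec)
    return records, problems


def write_private_json(records, path):
    """Write the import file with mode 0600 (owner read/write only)."""
    # O_EXCL refuses to reuse an existing file that may have looser permissions.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        json.dump(records, fh, indent=2)


# Constructed sample export; the first data row is the sample row shown above.
SAMPLE = '''"title", "url", "username", "password", "notes"
"Google", "https://google.com", "john_doe@gmail.com", "p@ssword", "important note"
"Intranet", "intranet", "jdoe", "hunter2", ""
"Mail", "https://mail.example.com", "jdoe", "", ""
'''

if __name__ == "__main__":
    good, bad = parse_export(SAMPLE)
    print(json.dumps(good, indent=2))
    for rowno, why in bad:
        print(f"row {rowno}: {why}")
```

The file written by `write_private_json` can be passed to `chiff import -f json -p <path>`; it contains plaintext passwords, so delete it once the import has been authorized.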
#### Importing from kdbx
Import from a kdbx file with `chiff import -f kdbx -p <path>`. You will have to enter your password. Note that Chiff relies on the URL being present and correct, so it's necessary to make sure each account has the URL set, as well as the title, username and password. Notes are optional.
## FAQ
### I'd like to forward requests to another SSH agent
By default, Chiff forwards requests to the ssh-agent that is set in the `SSH_AUTH_SOCK` environment variable. If you have changed this in `~/.bashrc` or equivalent, it may not be available to the background process. You can adjust the LaunchAgent plist or systemd service manually to set it. For example, if you would like to use Chiff in combination with [secretive](https://github.com/maxgoedjen/secretive), add the following to `~/Library/LaunchAgents/co.chiff.chiffd.plist`:
```xml
<key>EnvironmentVariables</key>
<dict>
    <key>SSH_AUTH_SOCK</key>
    <string>/Users/username/Library/Containers/com.maxgoedjen.Secretive.SecretAgent/Data/socket.ssh</string>
</dict>
```
Then reload it with `launchctl load -w ~/Library/LaunchAgents/co.chiff.chiffd.plist`. If the key is present in Chiff, the request will be handled by Chiff. If not, it will be forwarded to the secretive ssh agent.
## Contributing
To contribute, follow these steps:
1. Fork this repository.
2. Create a branch from the `main` branch: `git checkout -b <branch_name>`.
3. Make your changes and commit them: `git commit -m '<commit_message>'`
4. Push to the original branch: `git push origin <project_name>/<location>`
5. Create the pull request to the `main` branch.
Alternatively see the GitHub documentation on [creating a pull request](https://help.github.com/en/github/collaborating-with-issues-and-pull-requests/creating-a-pull-request).
## License
This project is licensed under the terms of the GNU GPLv3.