SPHINX – password Store that Perfectly Hides from Itself (No Xaggeration) – is an
information-theoretically secure cryptographic password storage protocol with strong security guarantees,
as described in the 2015 paper “Device-Enhanced Password Protocols with Optimal Online-Offline
Protection” by Jarecki, Krawczyk, Shirvanian, and Saxena (https://ia.cr/2015/1099).
sphinx is the command-line client for the SPHINX protocol, it provides access to all operations over the
life-cycle of a password: init, create, get, change, undo, commit, delete. Additionally it provides also
operations that make this more user-friendly: listing of users associated with a host and export of the
configuration using a qr code.
sphinx not only handles passwords, it is also able to handle (T)OTP 2FA and age keys. Additionally - if
installed - sphinx also provides access to opaquestore(1), a simple tool that allows one to store secrets
that need encrypted storage (like keys, phrases, or other data).
INITIALIZINGACLIENT
sphinx init
This creates a new master key for the client, which is used to address records on the sphinx server and
authorize management operations on those records.
You SHOULD back up and encrypt this master key.
If you want to use sphinx on a different device you want to copy this master key also there. For copying
this (and other settings) to the android client androsphinx we have the qr operation, see below.
This operation also creates a fixed healthcheck record on the server(s).
CREATEPASSWORD
Creating a new password for a site is easy, pass your “master” password on standard input to the client,
and provide parameters like in this example:
echo -n 'my input password' | sphinx create username example.com ulsd 0 ' !"#$%&\'()*+,-./:;<=>?@[\\]^_`{|}~'
The parameters to the client are
• Your input password on standard input. Since the input password is not used to input anything, you can
actually use different input passwords for different user/site combinations. (Unlike with traditional
password managers which have one master password that encrypts the whole database)
• create for the operation, then
• username for the username on
• the site example.com then
• the password constraints, see sections PASSWORD RULES and PREDETERMINED PASSWORDS for more info
If the command runs successfully - the resulting new high-entropy output password according to the given
rules is printed to the console.
GETPASSWORD
Getting a password from the sphinx oracle works by running the following command:
echo -n 'my master password' | sphinx get username example.com
You supply your master password on standard input, provide the get operation as the first parameter, your
username as the 2nd and the site as the 3rd parameter. The resulting password is returned on standard
output.
CHANGEPASSWORD
You might want to (or are forced to regularly) change your password, this is easy while you can keep your
master password unchanged (or you can change it too, if you want). The command is this:
echo -en 'my master password\nnew masterpassword' | sphinx change username example.com 'ulsd' 0 ' !"#$%&\'()*+,-./:;<=>?@[\\]^_`{|}~'
You supply your current master password on standard input, and separated by a new-line you also provide
the new master password. The new master password can be the same as the old, but can also be a new
password if you want to change also the master password.
You provide the change operation as the first parameter to the client, your username as the 2nd and the
site as the 3rd parameter. You also can provide similar password generation rule parameters that were
also used to create the original password, in case your account has new password rules and you want/have
to accommodate them. For more information see the PASSWORD RULES and PREDETERMINED PASSWORDS sections
below.
Your new new password is returned on standard output. IMPORTANT this only creates a new output password,
but does not activate it. Running a get operation will still respond with the previous password, to
activate the new password, you need to run a commit operation, see the next section:
COMMITTINGACHANGEDPASSWORD
After changing the password, you will still get the old password when running the get operation. To
switch to use the new password you have to commit the changes with
echo -n 'my master password' | sphinx commit username example.com
Depending on your rwd_keys configuration setting, you might have to provide your input password on
standard input to this operation.
If all goes well, there is no output expected. If anything goes wrong, there is going to be an error
message and a non-zero exit-code.
UNDOINGAPASSWORDCOMMIT
If you somehow messed up and have to go back to use the old password, you can undo committing your
password using:
echo -n 'my master password' | sphinx undo username example.com
Depending on your rwd_keys configuration setting, you might have to provide your master password on
standard input to this operation.
If all goes well, there is no output expected, otherwise there will be an error message and non-zero
exit-code.
DELETINGPASSWORDS
In case you want to delete a password, you can do using the following command:
echo -n "my master password" | sphinx delete username example.com
You provide the delete operation as the first parameter to the client, your username as the 2nd and the
site as the 3rd parameter. This command does not provide any output on the console in case everything
goes well, otherwise an error message and an non-zero exit code will signal a problem.
Depending on your rwd_keys configuration setting, you might have to provide your master password on
standard input to this operation.
QRCODECONFIG
In case you want to use phone with the same sphinx server, you need to export your config to the phone
via a QR code.
sphinx qr
Will display a QR code containing only public information - like the server host and port, and whether
you use rwd_keys. This is mostly useful if you want to share your setup with a friend or family.
If you want to connect your own phone to the setup used with pwdsphinx, you also need to export your
client secret in the QR code:
sphinx qr key
This contains your client secret, and you should keep this QR code confidential. Make sure there is no
cameras making copies of this while this QR code is displayed on your screen.
If for whatever reason you want to display the QR code as an SVG, just append the svg keyword to the end
of the sphinx qr command.
HEALTHCHECK
If you have run the sphinx init command, then this also has created a fixed healthcheck record. You can
simply check if your setup is ok, by running a sphinx healthcheck operation. You can also try doing the
same by running a get operation like this:
echo -n 'all ok?' | env/bin/sphinx get healthcheck "sphinx servers"
It should output “everything works fine”. The difference is, that the health check only fetches the
ratelimiting challenges from all servers and then aborts. While the get request will affect your
ratelimiting difficulty if done to frequently.
PASSWORDRULES
When creating or changing passwords you can specify rules limiting the size and characters allowed in the
output password. This is specified as follows:
The letters ulsd stand in order for the following character classes: - u upper-case letters, - l
lower-case letters, - s symbols and - d for digits.
The s is a short-cut to allow all of the symbols, if you are limited by the server which symbols to use,
you can specify the allowed symbols explicitly. Currently these are the symbols supported (note the
leading space char):
!"#$%&'()*+,-./:;<=>?@[\]^_`{|}~
Be careful, if you specify these on the command-line you’ll have to escape the quotes you use for
enclosing this list and possibly the backslash char that is also part of this list. In the create
username example above the symbols are correctly escaped, in case you need to copy/paste them.
For examples how to use these see the section “CREATE PASSWORD” or “CHANGE PASSWORD”.
DEFAULTRULES
If you do not provide password rules, they will be defaulting to `ulsd' and length as long as possible,
which means 77 characters long passwords using all four character classes, providing 507 bits of entropy,
way too much.
RECOMMENDEDOUTPUTPASSWORDLENGTH
It is recommended to set the output password size to maximum 12 chars in case of ulsd classes enabled.
If you ever have to type in this output password on a TV remote, or in other stressful situations this
will be a big relief. 12 character long passwords with full entropy and consisting of all possible
printable ASCII chars are computationally impossible to bruteforce on current password cracking hardware,
as they provide almost 80 bits of entropy, and 15 characters almost 99 bits of entropy.
PREDETERMINEDOUTPUTPASSWORDS
In case for some reason you cannot use random passwords with your account, or you want to store a
“password” that you cannot change, like a PIN code for example, or a passphrase shared with your
colleagues, you can specify a maximum 77 character long password, that will be generated by the SPHINX
client for you. In that case the command line looks like this (note the same syntax also works for the
change operation)
echo -n 'my master password' | sphinx create username example.com "correct_battery-horse#staple"
In this case you cannot specify neither the accepted character classes, nor the size, nor symbols, these
will be deducted from the predetermined password itself.
Backwardcompatibilitywithv1SPHINXservers/records
If you still have SPHINX records on the server that were generated using v1, - and you want to use them
-, you have to specify this server also in the client section like you had to in v1. If there is no
record found with v2 get operations sphinx will attempt a get request for a v1 style record. If a v1
style record is found, a new v2 style record is created automatically, so no need to check for v1 style
records in this particular case anymore.
Unless you use also other clients that are v1 onl (like androsphinx) v1 records that are upgraded to v2
can be automatically deleted after a successful upgrade, for this set delete_upgraded to true in the
[client] section of your sphinx configuration. This helps server administrators by keeping their “DB”
clean, and having a means to see how many v1 records are still not upgraded.
OUTPUTPLUGINS(TOTP&AGE)
It is possible to “store” TOTP secrets and age secret keys using sphinx. To store such a secret and have
it automatically handled correctly (e.g. TOTP verification code output instead of the secret) just prefix
your username with otp:// for TOTP support and with age:// for age key support. The latter, when queried
will output a correctly formatted age private key.
Currently the following converters are supported:
TOTP
Import a TOTP secret
% getpwd | sphinx create otp://username example.com ABCDEF1234567890
Get a TOTP PIN:
% getpwd | sphinx get otp://username example.com
minisign
Create a new key and store the public key at /tmp/minisig.pub:
% getpwd \
| sphinx create minisig://user example.com >/tmp/minisig.pub
Create and Change SPHINX operations automatically return a public key.
Sign a file filetosign:
% getpwd \
| sphinx get minisig://user example.com \
| pipe2tmpfile minisign -S -s @@keyfile@@ -m filetosign
The Get SPHINX operation returns a private key.
Age
Generate an AGE key and store the public key:
% getpwd \
| sphinx create age://user example.com >/tmp/age.pub
Create and Change SPHINX operations automatically return a public key.
Decrypt a file using an AKE key from SPHINX:
% getpwd \
| sphinx get age://user localhost \
| pipe2tmpfile age --decrypt -i @@keyfile@@ encryptedfile
The Get SPHINX operation returns a private key.
SSH-ED25519
Create key and save public key:
% getpwd \
| sphinx create ssh-ed25519://test asdf >pubkey
Create and Change SPHINX operations automatically return a public key.
Sign a file:
% getpwd \
| sphinx get ssh-ed25519://test asdf \
| pipe2tmpfile ssh-keygen -Y sign -n file -f @@keyfile@@ content.txt > content.txt.sig
The Get SPHINX operation returns a private key.
Verify file with public key:
% ssh-keygen -Y check-novalidate -n file -f /tmp/ssh-ed.pubkey -s /tmp/content.txt.sig </tmp/content.txt
OPAQUE-StoreINTEGRATION
If you have opaque-store (see https://github.com/stef/opaque-store/) installed and configured (see
opaque-stored.cfg(5)) correctly you get a number of additional operations, which allow you to store
traditionally encrypted blobs of information. The following operations will be available if opaque-store
is setup correctly:
echo -n 'password' | sphinx store <keyid> file-to-store
echo -n 'password' | sphinx read <keyid>
echo -n 'password' | sphinx replace [force] <keyid> file-to-store
echo -n 'password' | sphinx edit [force] <keyid>
echo -n 'password' | sphinx changepwd [force] <keyid>
echo -n 'password' | sphinx erase [force] <keyid>
echo -n 'password' | sphinx recovery-tokens <keyid>
echo -n 'password' | sphinx unlock <keyid> <recovery-token>
HowdoesOPAQUE-StoreSPHINXintegrationwork
In all OPAQUE-Store operations we first execute a SPHINX get operation, that calculates the password
which is used with OPAQUE. This means that the input passwords for OPAQUE will be the strongest possible
and essentially un-bruteforcable on their own (without SPHINX). Of course online bruteforce attacks are
still possible going through SPHINX. But OPAQUE is able to detect wrong passwords and thus can lock your
record after a pre-configured amount of failed attempts. Of course this does not apply to the operator
of an OPAQUE server, who can circumvent the locking of records. And thus:
AWARNING:don’tletoneentitycontrolenoughofyourSPHINXandOPAQUE-Storeservers
As you can see every opaque-store op needs a password on standard input. This password is run through
SPHINX, and the output password is used in the OPAQUE protocol as the input password. This also means,
that if you use a single server setup for both SPHINX and OPAQUE-Store, the two servers should not be
controlled by the same 3rd party entity, otherwise this entity is able to offline-bruteforce your SPHINX
master password. If you use either of these services in a threshold setup, and these threshold servers
are controlled by different entities, you should be ok, as long as no one controls a threshold number of
oracles/servers.
OPAQUE-StoreCLIParametersKeyId
Every operation provided by the OPAQUE-Storage (O-S) integration needs a “keyid” parameter, this
references your record stored by O-S. Internally the client uses the configuration value id_salt,
together with the name of the O-S server to hash the keyid parameter into a record id for the O-S Server.
This means, that if you lose or change your id_salt parameter or the name of the O-S server, all your
record ids will be different and inaccessible. So it is a good idea to make a backup of your
configuration file containing these. Note this id_salt doesn’t really have to be secret, although it
does provide another layer of security-by-obscurity if you do so.
Forcedoperations
In the case that you are using a threshold setup, some operations (replace, edit, changepwd and erase)
require that all servers successfully participate in the operation. This is to avoid, that the records
on temporarily unavailable servers remain unchanged and lead later possibly to corruption. If you are
sure however that this is ok, you can provide a force parameter on the CLI which reduces the number of
servers successfully participating to the value of your threshold configuration setting.
Storeanencryptedblob
getpwd | sphinx store <keyid> file-to-store
This simply does what it promises, stores the file-to-store encrypted on the OPAQUE-Store server, using a
password derived from SPHINX. Note that this command outputs also a recovery-token, which you should
keep safe in case your record gets locked.
Retrievinganencryptedopaquestoreblob
getpwd | sphinx read <keyid>
Straightforward, no surprise. This gets your previously stored record and displays it on standard
output.
Overwriteanencryptedopaquestoreblob
getpwd | sphinx replace [force] <keyid> file-to-store
Whatever has been stored at keyid is now overwritten by an encrypted file-to-store. This only works, if
there is already something stored at keyid. All servers must cooperate in this, if one or more are
unavailable this will fail, unless force is specified and the threshold is matched, in which case the
servers unavailable will be corrupted from this point on.
Editaopaquestoreblob
getpwd | sphinx edit [force] <keyid>
This operation fetches the file stored at keyid loads it into your editor (specified by the EDITOR
environment variable) and stores the changes and saved file back on the same keyid overwriting the
original.
Changeyourpasswordonanopaquestoreblob
getpwd | sphinx changepwd [force] <keyid>
This operation does a full change of passwords and keys. Even if you don’t change your own password that
you provide to getpwd, SPHINX will change it’s own key, and thus change the output password which will be
used for the password in OPAQUE-store finally resulting in a whole new and fresh encryption key for your
file which gets re-encrypted with that.
Deleteastoredopaquestoreblob
getpwd | sphinx erase [force] <keyid>
Nothing surprising here, does what it promises, deletes the stored blob referenced by the keyid.
Getarecoverytoken
getpwd | sphinx recovery-tokens <keyid>
If your record is not locked, this operation gets you an additional recovery token.
Unlockalockedopaquestoreblob
getpwd | sphinx unlock <keyid> <recovery-token>
If for some reason (someone online-bruteforcing your record, or you forgetting your master password) your
record becomes locked by the servers, you can unlock it using a recovery token. This will also
automatically retrieve the record - unless you supply the wrong password again.
Install Now
PNG Icons
Emojis
