Share your knowledge at the LQ Wiki.
Go Back > Forums > Non-*NIX Forums > Programming
User Name
Programming This forum is for all programming questions.
The question does not have to be directly related to Linux and any language is fair game.


  Search this Thread
Old 07-17-2017, 11:06 AM   #1
Registered: May 2017
Location: U.S.
Distribution: Un*x
Posts: 169

Rep: Reputation: Disabled
Hydra, a GnuPG based password manager that I'm developing.

How does my code look? Do you think Bash is the appropriate language for what I'm, doing? The reason why I chose to make this is because a problem I saw with Keepassx securing the database with just a single password that you must remember, thus that password would have be considerably short.. And I didn't like the idea of using a single short-length passphrase to protect the rest of my passwords.. But with Hydra, it's designed in a way that you have to unlock a "meta-pass-code" which is a 2000 character long pass for your 8192-bit private key, then use that to unlock the asymmetric layer of encryption that's on you password database. Then when that's unlocked you enter your passphrase you set to unlock the twofish symmetric cipher layer.. And then finally you can have access to your passwords (it's a three step process).. And it allows for a 3fa implementation by simply appending a custom passphrase (that you can remember) to the end of this meta-pass-passcode.. Follow this link for a demo of me showcasing how the setup process for this script works..

Last edited by justmy2cents; 07-17-2017 at 02:50 PM.
Old 07-17-2017, 11:07 AM   #2
Registered: May 2017
Location: U.S.
Distribution: Un*x
Posts: 169

Original Poster
Rep: Reputation: Disabled
WARNING: this script will rm -rf your ~/.gnupg, and bleachbit if installed will also do what it does!
WARNING: this is unstable software!

# Deploy Enciphered Decoy Keys
until [ -d "$var_1" ]; do
read -p "Choose a directory you wish to operate in: " var_1
if [ -d $var_1/Hydra ]; then
find $var_1/Hydra -type f -execdir shred -fuz {} \; && rm -rf $var_1/Hydra && mkdir -m 700 $var_1/Hydra
elif [ ! -d $var_1/Hydra ]; then 
mkdir -m 700 $var_1/Hydra
cd $var_1/Hydra
until [ -f "$var_2" ]; do
read -p "Enter the path of the key template for key generation: " var_2
find ~/.gnupg -type f -execdir shred -fuz {} \; && rmdir .gnupg >/dev/null 2>&1
gpg --enable-large-rsa --batch --gen-key $var_2
gpg --import key.sec && shred -fuz key.sec
clear;read -p "After this dialog type \"addkey\" then select \"RSA sign only\" then when that's done hit \"y\" (yes) for everything else: " var_404
gpg --no-use-agent --edit-key
gpg --export-secret-subkeys > hydra && gpg --delete-secret-key && gpg --import hydra 
pwgen -1syN 1 2000 > ~/decoy_pass.txt
clear;echo "####################~ENTER A NEW PASSWORD FOR YOUR FAKE SUBKEYS~####################"
gpg --edit-key passwd && gpg --export-secret-subkeys > hydra 
shred -fuz ~/decoy_pass.txt
for (( i=0; i<=1000; i++ )); do
touch hydra$i && scp hydra hydra$i
find ~/.gnupg -type f -execdir shred -fuz {} \; && rmdir .gnupg >/dev/null 2>&1
for i in `ls -1`; do
password1=$(pwgen -1syN 10)
echo "$password1" | gpg --no-use-agent -c --cipher-algo twofish --passphrase "$password1" > $i.gpg
shopt -s extglob
shred -fuz !(*.gpg) hydra.gpg
# Setting Up Files In .Despair0 Where Your Passwords Will Be Stored
mkdir -m 700 $var_1/Hydra/.Despair0 && cd $var_1/Hydra/.Despair0
for (( i=0; i<=1000; i++ )); do
touch lock$i
pwgen -1syN 63 160 >/dev/null 2>&1 > * # Filler Text For The Decoy Lock Files In .Despair0
for i in `ls -1`; do
password2=$(pwgen -1syN 1 10)
echo "$password2" | gpg --no-use-agent -c --cipher-algo twofish --passphrase "$password2" > $i.gpg
shopt -s extglob
shred -fuz !(*.gpg)
until [ -f $var_3.gpg ]; do
read -sp "Choose a lock file to contain your secrets: " var_3
shred -fuz $var_3.gpg && pwgen -1syN 63 160 > $var_3 # Your Pre-Generated Passcodes 
echo "Enter a passphrase to encrypt your secrets:" 
gpg --no-use-agent -c --cipher-algo twofish $var_3 && shred -fuz $var_3
# Creation Of The Real Key
cd $var_1/Hydra
mkdir -m 700 $var_1/Hydra/.Despair1 && cd $var_1/Hydra/.Despair1
for (( i=0; i<=1000; i++ )); do
touch lock$i
pwgen -1syN 1 2000 >/dev/null 2>&1 > * # Filler Text For The Decoy Lock Files In .Despair1
for i in `ls -1`; do
password3=$(pwgen -1syN 1 10)
echo "$password3" | gpg --no-use-agent -c --cipher-algo twofish --passphrase "$password3" > $i.gpg
shopt -s extglob
shred -fuz !(*.gpg)
until [ -f $var_4.gpg ]; do
read -sp "Choose a lock file to store your Meta-Key-Passcode: " var_4
shred -fuz $var_4.gpg 
password4=$(pwgen -1syN 1 1990) 
echo "$password4" > $var_4
echo;echo "Enter a passphrase to encrypt your Meta-Key-Passcode:" 
gpg --no-use-agent -c --cipher-algo twofish $var_4 && shred -fuz $var_4
read -p "Please enter a user ID to identify your key: " var_5
for i in `awk -F: '/Email/{print$2}' $var_2`; do
echo "$var_5" | sed "s/$i/$var_5/" $var_2 > $
vi $
gpg --enable-large-rsa --batch --gen-key $
clear; gpg --import key.sec 
until [ "$var_6" = $var_5 ]; do
read -p "ENTER YOUR KEY's UID: then after this dialog type \"addkey\" then select \"RSA sign only\", then when that's done hit \"y\" (yes) for everything else: " var_6
gpg --no-use-agent --edit-key "$var_6"
gpg --no-use-agent --output revo.cert --gen-revoke $var_6
if [ -d ~/MASTER_KEY_PAIR ]; then
find ~/MASTER_KEY_PAIR -type f -execdir shred -fuz {} \; && rmdir ~/MASTER_KEY_PAIR && mkdir -m 700 ~/MASTER_KEY_PAIR
elif [ ! -d ~/MASTER_KEY_PAIR ]; then 
mkdir -m 700 ~/MASTER_KEY_PAIR
mv key.sec revo.cert ~/MASTER_KEY_PAIR
gpg --export-secret-subkeys $var_6 > $var_1/Hydra/hydra && gpg --delete-secret-key $var_6 && gpg --import $var_1/Hydra/hydra 
echo "$password4" > ~/real_pass.txt
clear;echo "####################~ENTER A NEW PASSWORD FOR YOUR REAL SUBKEYS~####################"
gpg --edit-key $var_6 passwd && gpg --export-secret-subkeys > $var_1/Hydra/hydra
# Obfuscation And Encipherment Of The Real Key
clear;cd $var_1/Hydra
until [ -f $var_7.gpg ]; do
read -sp "Choose a hydra file that you wish contain your Subkeys: " var_7
shred -fuz $var_7.gpg && mv hydra $var_7
clear;echo "Enter a passphrase to encrypt your Subkeys"
gpg --no-use-agent -c --cipher-algo twofish $var_7 && shred -fuz $ $var_7 ~/real_pass.txt
# Encipherment Of The Secrets File Via Public Key
cd $var_1/Hydra/.Despair0
for x in *; do
gpg --trust-model always -R $var_6 -o $x.gpg --batch --no-use-agent -e $x
shopt -s extglob
shred -fuz !(*.gpg.gpg) 
# Acid Wash 
bleachbit -oc adobe_reader.cache adobe_reader.mru adobe_reader.tmp amsn.cache amsn.chat_logs amule.logs amule.tmp apt.autoclean apt.autoremove apt.clean \
apt.package_lists audacious.cache audacious.log audacious.mru bash.history beagle.cache beagle.index beagle.logs chromium.cache chromium.cookies \
chromium.current_session chromium.dom chromium.form_history chromium.history chromium.passwords chromium.search_engines chromium.vacuum d4x.history \
deepscan.backup deepscan.ds_store deepscan.thumbs_db deepscan.tmp easytag.history easytag.logs elinks.history emesene.cache emesene.logs epiphany.cache \
epiphany.cookies epiphany.passwords epiphany.places evolution.cache exaile.cache exaile.downloaded_podcasts exaile.log filezilla.mru firefox.backup \
firefox.cache firefox.cookies firefox.crash_reports firefox.dom firefox.download_history firefox.forms firefox.passwords firefox.session_restore \
firefox.site_preferences firefox.url_history firefox.vacuum flash.cache flash.cookies gedit.recent_documents gftp.cache gftp.logs gimp.tmp gl-117.debug_logs \ gnome.search_history google_chrome.cache google_chrome.cookies google_chrome.dom google_chrome.form_history google_chrome.history \
google_chrome.passwords google_chrome.search_engines google_chrome.session google_chrome.vacuum google_earth.temporary_files google_toolbar.search_history \
gpodder.cache gpodder.vacuum gwenview.recent_documents hippo_opensim_viewer.cache hippo_opensim_viewer.logs java.cache kde.cache kde.recent_documents kde.tmp \
konqueror.cookies konqueror.current_session konqueror.url_history libreoffice.cache libreoffice.history liferea.cache liferea.cookies liferea.vacuum \
links2.history midnightcommander.history miro.cache miro.logs nautilus.history nexuiz.cache octave.history openofficeorg.cache openofficeorg.recent_documents \
opera.cache opera.cookies opera.current_session opera.dom opera.download_history opera.passwords opera.search_history opera.url_history pidgin.cache pidgin.logs \
realplayer.cookies realplayer.history realplayer.logs recoll.index rhythmbox.cache screenlets.logs seamonkey.cache seamonkey.chat_logs seamonkey.cookies \
seamonkey.download_history seamonkey.history secondlife_viewer.Cache secondlife_viewer.Logs skype.chat_logs skype.installers sqlite3.history system.cache \
system.clipboard system.custom system.desktop_entry system.free_disk_space system.localizations system.memory system.recent_documents system.rotated_logs \
system.tmp system.trash thumbnails.cache thunderbird.cache thunderbird.cookies thunderbird.index thunderbird.passwords thunderbird.vacuum \
transmission.blocklists transmission.torrents tremulous.cache vim.history vlc.mru vuze.backup_files vuze.cache vuze.logs vuze.tmp warzone2100.logs wine.tmp \
winetricks.temporary_files x11.debug_logs xchat.logs xine.cache yum.clean_all yum.vacuum

Hydra is a bash script that sets up an ultra secure GnuPG based password manager in a directory that you specify. Named after a creature of myth
"The Hydra", this script creates a 1001 files, and 1000 of these files are filled with decoy subkeys all symetrically enciphered with unique passcodes
(that are not stored anywhere!) using the TWOFISH cipher. Only one file out of the set of a 1001 will contain your real subkeys.. Your password database is also
symmectrically enciphered with a custom user set passphrase, and then asymmetrically encrypted with a 8192-bit RSA key on top of that. There are two hidden
directories inside of the Hydra directory called .Despair0 and .Despair1.. Inside of .Despair1 are a 1001 symmectrically encrypted files, with only one of these
containing your "Meta-Key-Passcode" which is by default a 2000 character private key passcode, that you must unlock with your set passphrase in order to utilize
the decryption capabilities of your private key, in which allows you to decrypt you password database file.. It's encouraged to append a custom passphrase at
the end of the Meta-Key-Passcode during the setup process, which will act as a form of 2fa. Note that if set, this custom passphrase is not stored in any file,
and so you must remember it! Inside of .Despair0 are again 1001 TWOFISH symmetrically/RSA asymmetrically encrypted files with one being your password database.. 

-- The steps taken to unlock your password database generally are: Unlock Meta-Key-Passcode with passphrase > Use Meta-Key-Passcode (plus optional custom passphrase) 
   to decrypt the asymmectric RSA layer on the database > Decrypt symmectric TWOFISH layer on the database with a passphrase... 
*  Note after the script is finished your subkeys are already imported and ready to go, but remember their also backed up and obfuscated among the other
   1000 decoy subkeys in the Hydra folder. If you're a regualr user of live installations and you choose to store the Hydra folder (which contains everything) 
   on an external media, then you likely need to take the extra step of decrypting your subkeys with the passphrase you that set, and then importing them..


1) Generate random text of various lenghths sizes for the 1000 decoy password database files in order to prevent file size analysis, as by dafult your password database with
   all your passwords would be bigger than these other blank encrypted files, and stick out like a sore thumb.. Without this feature the security is this script is
   insufficent for the goal of this project.. This feature means your password database file will come with randomly pre-generated passwords. 

2) Have the user setup of group/title template for their passwords (similar to KeepassX) during the setup process, for the organization of their passcodes.

3) Fight keyloggers by implementing an on-demand feature which would have the Databases/Subkeys/Meta-Key-Passcodes shuffle their names and/or file sizes. On the
   bottom of your password database will be a "fuzz field" in order to modify the file size of this file.. Then have the system generate a new Meta-Key-Passcode
   for your subkey, aswell as new passwords for the symmectric encryptions that are set on password database, hydra file, and MKP. Then finally send a report to the
   owner of associated Hydra directory detailing the new passwords and file identities.. This automaticaly generated report will be encrypted with the owner's
   8192-bit RSA public key, but only the MASTER KEY PAIR can decrypt it (since the subkey's Meta-Key-Passcode just changed).
*  You will be encourgaed to use this feature after you edit the password database
*  This feature should only be used when the system is not connected to the network, as passwords will be visible to system as it's running!

4) Fight malitious screen recorders by the optional ROT13 encoding of passcodes
5) Use characters from all avaliable languages/compatable text for passcodes

6) Give the option to choose the Meta-Key-Passcode size (right now by default it's 2000 characters) 

DEPENDENCIES: gpg, pwgen, bleachbit
%echo Generating a 8192-bit RSA key pair!
Key-Type: RSA
Subkey-Type: RSA
Subkey-Length: 8192
Name-Real: hydra
Expire-Date: 6m
Passphrase: toor
Preferences: SHA512 SHA384 SHA256 SHA224 TWOFISH AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed
%secring key.sec
%echo DONE!
# This ^ key template file is required for the script to work. It should look just like this. You can change the keysize, and expiration date, but everything else it's recommend you don't touch.. Don't worry the toor passphrase will be changed to a 2000 character passphrase during the setup process.. During the setup process you will vi into this file where you can change the passphrase for your MASTER KEY PAIR (or you can change it beforehand)..

Bleach bit is not required if just using for testing purposes, but pwgen is.. WARNING: this script will rm -rf your ~/.gnupg, and bleachbit if installed will also do what it does! To get some more insight of what this script is having you do please see this YouTube video, and this video of me showcasing it

Last edited by justmy2cents; 07-18-2017 at 10:07 AM.
Old 07-17-2017, 06:02 PM   #3
Registered: Oct 2008
Distribution: Slackware [64]-X.{0|1|2|37|-current} ::12<=X<=14, FreeBSD_10{.0|.1|.2}
Posts: 4,341
Blog Entries: 1

Rep: Reputation: 2331Reputation: 2331Reputation: 2331Reputation: 2331Reputation: 2331Reputation: 2331Reputation: 2331Reputation: 2331Reputation: 2331Reputation: 2331Reputation: 2331
I have not tried to run your script (and probably will not because of this), however, this should be at the TOP of you post, in bold red as shown here, before anyone has a chance to blindly download and try it out!

WARNING: this script will rm -rf your .gnupg, and bleachbit if installed will also do what it does!
Please be aware that many people will simply copy/paste/download things posted here! Please keep that in mind when posting anything that may potentially corrupt their systems without warning!
1 members found this post helpful.
Old 07-18-2017, 09:43 AM   #4
Registered: May 2017
Location: U.S.
Distribution: Un*x
Posts: 169

Original Poster
Rep: Reputation: Disabled
My sincere apologies I just assumed most people would try this out in a VM or something.

Last edited by justmy2cents; 07-18-2017 at 10:06 AM.


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off

Similar Threads
Thread Thread Starter Forum Replies Last Post
LXer: SSH Password Testing With Hydra on Kali Linux LXer Syndicated Linux News 0 02-22-2017 12:41 PM
hydra to know root password of my router ut0ugh1 Linux - Newbie 7 06-10-2015 03:19 AM
LXer: Encryptr Zero-Knowledge System Based Password Manager For Linux LXer Syndicated Linux News 1 04-17-2015 07:40 PM
LXer: How To Set Up A Web-Based Enterprise Password Manager Protected By Two-Factor Authentication LXer Syndicated Linux News 0 07-08-2011 08:20 AM
web based password manager pbaumgar Linux - Security 1 09-16-2008 10:04 AM

All times are GMT -5. The time now is 06:02 PM.

Main Menu
Write for LQ is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration