Detailed features of cpm

Here is a detailed list of the features which CPM provides.

public key encryption

The data is encrypted with GnuPG which uses public key encryption. This makes it possible to share the password file among several people. Sharing of a general password to decrypt the database is not necessary.

Back to the main page.

signed data files

The data file gets signed by the user who saves the file. The signature is always created by the last user who saved the file, any old signature gets removed.

The signing makes it impossible for other people to forge data files.

Back to the main page.

GPGME encryption library

GPGME is used for encryption, decryption and signing of the data. It provides an interface to the widely known encryption engine GnuPG.

Back to the main page.

gzipped content

The XML content is compressed using the gzip algorithm before it get's encrypted. This way it is almost impossible to guess what the encrypted data looks like and makes known-text-attacks impossible.

Back to the main page.

paging protection

Paging is disabled for CPM so it's memory does never get swapped out to disk, not even when memory gets low. Otherwise it would be possible to find sensitive data like the passwords in the swap partition or swap file.

Back to the main page.

core dump protection

CPM turns core dumps off so even when a segmentation fault causes the application to crash, no sensitive data (the passwords) get unencryptedly written to disk.

Back to the main page.

ptrace protection

CPM is also protected from ptrace attacks. This makes it impossible (even for the root user) to attach a tracing process (like strace or a debugger) to the application. This secures the application against local attacks where you are not the owner of the computer.

Back to the main page.

root check

CPM checks that it's not running as root user.

This is necessary because the program usually has the suid-bit set which means it automatically runs as root user which is necessary for the other protection mechanisms which are only configurable by root owned processes. After the protection mechanisms are in place, CPM switches back to the user who started the application. This check makes sure that the switch back really worked.

Back to the main page.

runtime environment checks

The environment variables are carefully checked to make sure it's not possible to inject any weird characters into external libraries like gettext. Only the following variables are accepted, any other variables are removed.

  • HOME
  • LANG
  • TERM

Back to the main page.

support for external tools

Any CPM data file can be decrypted manually by the following command:

$ gpg --decrypt <FILE> | gzip -cd

Moreover, the correct XML data can be encrypted like this:

$ cat <XMLFILE> | gzip -c9 | gpg --encrypt --sign --armour > <FILE>

Back to the main page.

XML data

The internal CPM data format is XML which makes it possible to easily convert any existing data to the CPM format or even make a 3rd party application interact with CPM.

Back to the main page.

DTD validation

On each startup the XML data is validated by a DTD to make sure the XML is formatted properly.

Back to the main page.

backup files

If the data is saved to disk, CPM creates a backup of the last version by appending the character ~ to the filename. Of course, this feature can be turned off in CPM's configuration file.

Back to the main page.

several passwords per account

Since a password entry is just another node in the tree it is possible to store even more than one password per account. This makes it possible to archive old passwords or store used one-time passwords.

Back to the main page.

several datafiles

You can have several data files, each encrypted for different people.

Back to the main page.

check of password strength

When you enter a password, it's strength gets checked to make sure you don't use weak passwords like names or dictionary words. If a weak password is found a warning is displayed.

The library doing this check is libcrack.

Back to the main page.

user definable hierarchy

CPM is not limited to the default hierarchy host / service / user / password. Any hierarchy can be defined, different for any data file.

Back to the main page.

long comments

For each node in the data structure a comment can be stored to note any important facts.

Back to the main page.

password generator

If you are lazy and don't want to think about new passwords a password generator can help you out there too. It automatically creates a good password for you.

Back to the main page.

one visible password

There is only one password visible at a time (if any at all).

Back to the main page.

It is possible to search through the database on the commandline without using any interface.

This works like this:

$ cpm harry@localhost
enter your passphrase (try #1)
Harry Brueckner <>
http harry@localhost secretpassword
1 match found.

Back to the main page.

regex patterns

When searching on the commandline, regex patterns can be used for the search.

Back to the main page.

user definable searchpatterns

It is possible to define which patterns are searchable, e.g. user@hostname in the above example is simply defined in the cpmrc file. Any other combination of the hierarchy levels is possible.

This is also the case for the result, which means that it is customizable that a search for user@hostname displays service user@hostname password. It might also just display the password, whatever you need or prefer.

Back to the main page.

display of several search results

If there is more than one match several results are displayed at once so you can get a list of all accounts on e.g. one host.

Back to the main page.

conversion scripts

With CPM come several conversion scripts which make it possible to import data from these sources:

  • Password Management System (pms)
  • Password Safe
  • CSV files

Back to the main page.

harry/cpm_features.txt · Last modified: 2006/04/12 21:37 (external edit)
Locations of visitors to this page

Recent changes RSS feed Creative Commons License Donate Powered by PHP Valid XHTML 1.0 Valid CSS Driven by DokuWiki