Unlock powerful SSH management with modular architecture, encrypted vaults, and advanced features, including secure, interactive password-based server access for effortless and safe connections.
This script is designed to securely manage and store SSH passwords. It provides encrypted vault storage and safe, interactive password-based SSH connections, all within a modular, extensible framework.
- Overview
- Features
- Installation
- Usage
- Configuration
- Project Structure
- Security Features
- Contributing
- License
SSH Vault Manager (SVM) is a comprehensive bash-based tool designed for managing multiple SSH servers with enhanced security features. It provides encrypted vault storage, secure authentication, and a user-friendly interface for server operations.
- Secure Server Credential Storage: Organize and protect SSH credentials for servers across multiple environments
- Interactive Interface: Beautiful, intuitive menu-driven interface
- Advanced Operations: Connect, search, backup, and manage servers efficiently
- Modular Architecture: Clean, maintainable codebase with separated concerns
Managing multiple SSH servers with different credentials can be challenging and insecure. Traditional methods like storing passwords in plain text or using SSH keys without proper organization can lead to security vulnerabilities and operational inefficiencies.
- AES-256 Encryption: All vault data is encrypted using industry-standard encryption
- Password Protection: Master passphrase required for vault access
- Secure Credential Storage: No plain text passwords stored
- Session Management: Automatic cleanup and secure session handling
- Multi-level Security: Configurable security levels with DOD-standard memory protection
- Variable Protection: Advanced tracking and sanitization of sensitive variables
- Multiple Vaults: Create and manage separate vaults for different environments
- Import/Export: Secure vault migration and backup capabilities
- Vault Operations: Create, delete, rename, and manage vaults
- Global Search: Search across all vaults simultaneously
- Server Information: Detailed server details and statistics
- Connection Logging: Track connection history and usage
- Centralized Input Validation: Improved input validation with centralized validation logic, allowing for consistent checks across modules.
- Configuration Integrity: Schema validation and upgrade handling for configuration files, ensuring consistency and reducing errors.
- Safe Execution: New dry-run mode that allows users to preview the results of vault operations without making any changes, helping to prevent accidental modifications.
- Beautiful Interface: Color-coded, intuitive menu system
- Error Handling: Robust error handling with user-friendly messages
- Input Validation: Improved input validation with centralized validation logic
- Version Checking: Automated version comparison for dependencies.
- Configuration Integrity: Schema validation and upgrade handling for configuration files.
- Progress Feedback: Clear status messages and progress indicators
Run the provided install script for a portable, user-local installation:

```bash
sh install.sh
```

- By default, this will install all files to `~/.local/share/opt/ssh-vault-manager` and create a wrapper command `svm` in `~/.local/bin`.
- You can customize the install location and wrapper name:

```bash
sh install.sh --install-dir /your/path --wrapper /usr/local/bin/svm
```

- After install, you can run `svm` from any directory (ensure `~/.local/bin` is in your PATH).

- Copies all project files to your chosen install directory (default: user-local XDG path)
- Creates a lightweight wrapper script (`svm`) in your user bin directory
- Warns if the bin directory is not in your PATH
- Does not require root or sudo (unless you choose a system-wide location)
- Creates all necessary directory structures for SVM operation
To cleanly remove SSH Vault Manager, use the provided uninstall script:

```bash
svm-uninstall
```

The uninstallation process requires verification of your master passphrase to prevent accidental removals. This ensures that only authorized users can uninstall the application.
The uninstaller will:
- Verify your master passphrase
- Remove all SVM files from your installation directory
- Delete the wrapper scripts from your bin directory
- Provide an option to keep or remove your vault data
- Thoroughly clean up any temporary or leftover files
- Clone the repository:

  ```bash
  git clone https://github.com/ahmadarafaa/ssh-vault-manager.git
  cd ssh-vault-manager
  ```

- Set execution permissions:

  ```bash
  chmod +x svm.sh
  chmod +x lib/*.sh
  ```

- Run the script:

  ```bash
  ./svm.sh
  ```

- Install SVM (recommended):

  ```bash
  sh install.sh
  ```

  After installation, use the `svm` command from any directory:

  ```bash
  svm
  ```

- Create your first vault:
  - Select "Vault Management" → "Create New Vault"
  - Enter a vault name (e.g., "production-servers")
  - Set a master passphrase
- Add your first server:
  - Select "Server Management" → "Add Server"
  - Enter server details (name, IP, username, password, port)
  - The server will be encrypted and stored securely

```bash
svm
# Select "Connect to Server" → Choose server → Connect
```

```bash
svm
# Vault Management → Create New Vault
# - production-vault
# - staging-vault
# - development-vault
```

```bash
svm
# Select "Global Search" → Enter search term
```

```bash
svm
# Vault Management → Import Vault → Select file
```

```bash
svm
# Vault Management → Export Vault → Choose format
```

| Variable | Description | Default |
|---|---|---|
| `SVM_VAULT_DIR` | Base directory for vaults | `~/.svm` |
| `SVM_LOG_LEVEL` | Logging level | `INFO` |
| `SVM_TIMEOUT` | Connection timeout (seconds) | `30` |

```
~/.svm/
├── vaults/
│   ├── production-vault/
│   │   ├── .vault.enc          # Encrypted server data
│   │   ├── .svm.conf           # Vault configuration
│   │   └── .connection.log     # Connection history
│   └── staging-vault/
├── .master_passphrase          # Encrypted master passphrase
└── .vault_registry             # Vault registry
```

```
ssh-vault-manager/
├── svm.sh          # Main orchestrator script (entrypoint, sources all modules)
├── lib/
│   ├── config.sh
│   ├── encryption.sh
│   ├── menu.sh
│   ├── security.sh
│   ├── server.sh
│   ├── utils.sh
│   └── vault.sh
└── install.sh      # Installer script (user-local, portable)
```

- AES-256-CBC encryption for all sensitive data
- PBKDF2 key derivation for master passphrase
- Random SALT generation for each encryption operation
- Secure cleanup of temporary files
- Master passphrase required for vault access
- Session timeout for inactive sessions
- Input validation to prevent injection attacks
- Secure deletion of sensitive data
- No plain text passwords stored anywhere
- Temporary file cleanup after operations
- Error handling without exposing sensitive information
- Logging without sensitive data exposure
- Enhanced backup and restore functionality with improved error handling
- Security improvements in handling sensitive data within `lib/security.sh`
- DOD-standard memory wiping for secure data cleanup
- Configurable security levels (low, medium, high)
- Memory sanitization on process exit
- Secure variable tracking for sensitive data
- Automated security testing with comprehensive test suite
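
The encryption properties listed above (AES-256-CBC, PBKDF2 key derivation, a fresh random salt per operation) can be reproduced and checked with the OpenSSL CLI. This is an added example, not code from SSH Vault Manager; the function names, the iteration count and the sample record are assumptions, and it requires OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added example, not SVM's own code. Assumes the OpenSSL CLI, 1.1.1 or later
# (for -pbkdf2). Function names and the iteration count are hypothetical.
umask 077                 # files created below are owner-only
DEMO_ITER=200000          # constructed value; tune to your hardware

# vault_encrypt PLAINFILE OUTFILE PASSPHRASE
# The passphrase arrives on stdin from the printf builtin, so it is never in
# argv (readable via ps). -salt makes OpenSSL draw a fresh random 8-byte salt.
vault_encrypt() {
    printf '%s\n' "$3" | openssl enc -aes-256-cbc -pbkdf2 -iter "$DEMO_ITER" \
        -salt -pass stdin -in "$1" -out "$2"
}

# vault_decrypt ENCFILE PASSPHRASE -> plaintext on stdout
vault_decrypt() {
    printf '%s\n' "$2" | openssl enc -d -aes-256-cbc -pbkdf2 \
        -iter "$DEMO_ITER" -pass stdin -in "$1"
}

# vault_salt_hex ENCFILE -> hex of the salt stored after the "Salted__" magic
vault_salt_hex() {
    dd if="$1" bs=1 skip=8 count=8 2>/dev/null | od -An -tx1 | tr -d ' \n'
}

# Round trip over a constructed record; prints "ok" when every check holds.
vault_demo() {
    dir=$(mktemp -d) || return 1
    printf 'web01|192.0.2.10|deploy|constructed-secret|22\n' > "$dir/plain"
    vault_encrypt "$dir/plain" "$dir/a.enc" 'demo passphrase' &&
    vault_encrypt "$dir/plain" "$dir/b.enc" 'demo passphrase' ||
        { rm -rf "$dir"; return 1; }
    result=ok
    # Same plaintext and passphrase, but each operation gets its own salt.
    [ "$(vault_salt_hex "$dir/a.enc")" != "$(vault_salt_hex "$dir/b.enc")" ] ||
        result=salt-reused
    [ "$(vault_decrypt "$dir/a.enc" 'demo passphrase')" = "$(cat "$dir/plain")" ] ||
        result=roundtrip-failed
    # CBC is unauthenticated: a wrong passphrase is caught only by the padding
    # check, so compare content instead of trusting the exit status alone.
    [ "$(vault_decrypt "$dir/a.enc" 'wrong' 2>/dev/null)" != "$(cat "$dir/plain")" ] ||
        result=wrong-pass-accepted
    rm -rf "$dir"
    echo "$result"
}

vault_demo
```
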
We welcome contributions! Here's how you can help:
- Fork the repository
- Create a feature branch: `git checkout -b feature/amazing-feature`
- Make your changes
- Test thoroughly: Ensure all functionality works as expected
- Commit your changes: `git commit -m 'Add amazing feature'`
- Push to the branch: `git push origin feature/amazing-feature`
- Open a Pull Request
- Bash best practices: Follow shell scripting conventions
- Error handling: Implement proper error handling
- Documentation: Comment complex functions
- Security: Never expose sensitive information
This project is licensed under the MIT License - see the LICENSE file for details.
Made with ❤️ for the DevOps community