Today I'll guide you on how to safely manage all your passwords with password-store
Hello everyone,
lately I’ve decided not to use the password manager offered by all major browsers nowadays, but instead to try to manage all my passwords using some open source software, in order to have better control over them.
I’ve decided to write this article after reading this blog entry by AlienBob where he talks about KeePassXC, and since I’ve used it, I wanted to offer an alternative for some of the downsides I stumbled upon while using it.
The first approach I attempted, as I said, was using KeePassXC. Quoting their website:
KeePassXC – Cross-Platform Password Manager
Never forget a password again.
Securely store passwords using industry standard encryption, quickly auto-type them into desktop applications, and use our browser extension to log into websites.
What I did was install KeePassXC on my Slackware64-current, export all my passwords from my main browser, save them as CSV and import them into KeePassXC. Now I have to remember just one password to access my database, and I can install the browser integration add-on for Chromium (or Firefox) to have all my passwords readily available. Neat!! (The exported CSV is plaintext, so it should be deleted as soon as the import is done.)
To share my passwords between my devices, I simply made a private git repository on my server and synced the password database with it. I then installed KeePassDroid, an Android app that opens KeePass databases.
Since KeePassDroid doesn’t sync automatically from a remote server, I had to use git on my phone to pull/push to my remote in order to keep the password database up to date, and even though that’s not a big deal, I wasn’t happy with my password workflow, so while still using this approach I was looking for alternatives.
Meet password-store
I stumbled upon password-store, which claims to be the standard unix password manager.
The way it works is simple yet, in my opinion, brilliant: each password is kept in a GPG-encrypted text file inside a known directory structure. The file and the directory containing it can follow whatever naming convention you want, and everything can be manipulated with standard unix tools (cp, mv, rm, etc.). KISS rule, am I right?! Two things worth knowing before you commit to it: only the contents of each file are encrypted, so the file and directory names (which usually reveal the site and the account) are visible to anyone who can read the store or its git remote, and git keeps every old version of a file, so a password you rotate or delete stays recoverable from the history until you rewrite it.
Here’s how it looks like, standard tree view from the shell:
.password-store/
[...]
├── facebook/
│   └── facebook-username
├── twitter/
│   └── twitter-username
├── www.instagram.com/
│   └── instagram-username
[...]
In this example, facebook is a directory containing a GPG-encrypted text file (facebook-username.gpg on disk; pass hides the extension when it lists the store). The first line of the decrypted file is the password for that user on facebook, which is what pass show prints and pass show -c copies to the clipboard; any further lines can hold extra data such as the username or the URL. Pretty straightforward.
The beauty of pass is that it also has a git subcommand (pass git), so you can use it to sync your password store to a remote. Here’s how it works:
The first thing you want to do is create a remote repository on your git server; there are a million ways to do so, and it depends on your git provider. If you want to host your own git server, I have a howto on this site, give it a look.
After creating the remote repository, clone it into ~/.password-store, the default directory where pass stores all your credentials:
git clone myserver.com:git-repository ~/.password-store
Assuming you already have a GPG key pair for johndoe@youremailaddress.com, initialize the password store like this:
pass init johndoe@youremailaddress.com
Now pass will use the GPG key pair for that address when encrypting and decrypting your passwords (you can give the key ID or fingerprint instead of the e-mail address, which is safer when more than one key in your keyring carries that address, since gpg would otherwise pick one for you). Since pass also recognizes when the directory is a local clone of a git repository, the previous command created a commit ready to be pushed, so all you have to do is
cd ~/.password-store && git push
# or you can use pass internal git capabilities with:
pass git push
and your password store is synced.
From there you can simply invoke pass to list all your entries, search the store, add, generate or remove passwords, edit them and so on. For more information check the manual, which also has advanced examples of using git with pass.
On my Android phone I installed the mobile version of Password Store, set up my SSH key in order to pull/push from my git remote, and now I have all my passwords synchronized to my phone as well.
On the phone
The process for installing password-store on the phone is a bit tricky, but nothing really difficult. The two apps we need are Password Store (the Android client) and OpenKeychain (which holds the GPG key pair and does the encryption and decryption for it).
After installing both apps, we need to go to our computer and export our public and private GPG keys in order to import them into OpenKeychain. To do so, open a terminal and type:
gpg --export-secret-keys --armor johndoe@youremailaddress.com > private.asc
gpg --export --armor johndoe@youremailaddress.com > public.asc
Now we have our private and our public key in a file each, which we can transfer to the phone and import into OpenKeychain. I imported the private key first and then the public one; while importing the latter, OpenKeychain reported that the key was updated, so both are essentially the same key pair. Keep in mind that private.asc is protected only by the key’s passphrase: move it over a channel you trust (a USB cable or an end-to-end encrypted transfer, not e-mail or a shared cloud folder) and delete it from both the computer and the phone as soon as the import has succeeded, for example with shred -u private.asc.
One important note regarding git: depending on how your git repository is set up, you may need to import your SSH key into Password Store on your phone in order to access the repository. That’s really easy, as the app asks for your git configuration the first time you open it. It is worth giving the phone a dedicated SSH key rather than copying your desktop key, so that a lost phone can be locked out by removing a single key on the server.
Once you’ve set up git access, it will ask you to allow OpenKeychain to handle your GPG key pair whenever you use Password Store, and that’s it! Your passwords are now stored encrypted with GnuPG and synced between your devices with git.
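The whole procedure described above, the desktop setup from "Meet password-store" and the key transfer to a second device from this section, as one added example. This is not code from the original article or from the pass project: it runs the real pass, gpg and git commands inside a throwaway directory, stands in for the phone with a second GNUPGHOME and a second clone, and uses the article’s placeholder identity johndoe@youremailaddress.com and a constructed sample password. It assumes gpg 2.1+, pass and git are on PATH (it prints "skipped" otherwise) and touches neither ~/.gnupg, ~/.password-store nor ~/.gitconfig.

```sh
#!/bin/sh
# Added example (not from the article or the pass project): desktop store ->
# git remote -> second device, end to end, in a temporary directory.
set -eu

WORK=$(mktemp -d)
DEMO_UID="John Doe <johndoe@youremailaddress.com>"   # hypothetical identity
REMOTE="$WORK/remote.git"                          # stands in for myserver.com:git-repository

# git refuses to commit without an author; set one in the environment only.
export GIT_AUTHOR_NAME="pass demo" GIT_AUTHOR_EMAIL="demo@example.invalid"
export GIT_COMMITTER_NAME="pass demo" GIT_COMMITTER_EMAIL="demo@example.invalid"

cleanup() {
    # Each temporary keyring started its own gpg-agent; stop them before deleting.
    for h in "$WORK"/gnupg-*; do
        [ -d "$h" ] && GNUPGHOME="$h" gpgconf --kill gpg-agent 2>/dev/null || true
    done
    rm -rf "$WORK"
}
trap cleanup EXIT

have_tools() {
    command -v gpg >/dev/null 2>&1 && command -v pass >/dev/null 2>&1 &&
        command -v git >/dev/null 2>&1
}

new_keyring() {            # $1 = directory; created with the permissions gpg expects
    mkdir -m 700 "$1"
    export GNUPGHOME="$1"
}

# 1. Desktop: generate a key pair.  It is left without a passphrase only to keep
#    the demo non-interactive; a real key must have one.
gen_key() {
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-gen-key "$DEMO_UID" default default never
}

# pass init accepts an e-mail address, but several keys can share a user ID and
# gpg then picks one for you; the fingerprint names exactly one key.
key_fingerprint() {
    gpg --batch --with-colons --list-keys "$DEMO_UID" |
        awk -F: '$1 == "fpr" { print $10; exit }'
}

# 2. Initialise the store, add one entry, push to the "server".
init_store_and_push() {    # $1 = key fingerprint
    git init --quiet --bare "$REMOTE"
    export PASSWORD_STORE_DIR="$WORK/store-desktop"
    pass init "$1"
    pass git init --quiet
    pass git remote add origin "$REMOTE"
    # Line 1 of the file is the password; later lines are free-form metadata.
    printf 'S3cr3t-pa55w0rd\nlogin: facebook-username\n' |
        pass insert -m facebook/facebook-username
    pass git push --quiet -u origin HEAD
}

# 3. Export the key pair for the phone.  private.asc is protected only by the
#    key's passphrase, so it must travel over a trusted channel and be deleted
#    (shred -u) as soon as the import has succeeded.
export_keys() {
    gpg --batch --export-secret-keys --armor "$DEMO_UID" > "$WORK/private.asc"
    gpg --batch --export --armor "$DEMO_UID" > "$WORK/public.asc"
}

# 4. Phone: a second keyring, the two imports, a clone of the remote.
#    Prints the password line of the entry to show the round trip worked.
phone_show() {
    gpg --batch --quiet --import "$WORK/private.asc" "$WORK/public.asc" 2>/dev/null
    git clone --quiet "$REMOTE" "$WORK/store-phone"
    export PASSWORD_STORE_DIR="$WORK/store-phone"
    pass show facebook/facebook-username | head -n 1
}

run_demo() {               # prints the recovered password, or a skip notice
    if ! have_tools; then
        echo "skipped: needs gpg, pass and git"
        return 0
    fi
    new_keyring "$WORK/gnupg-desktop"
    gen_key >/dev/null
    init_store_and_push "$(key_fingerprint)" >/dev/null
    export_keys
    new_keyring "$WORK/gnupg-phone"
    phone_show
}

RESULT=$(run_demo)
echo "$RESULT"
```

Run it as `sh demo.sh`; on success it prints S3cr3t-pa55w0rd, recovered on the "phone" keyring from the clone of the remote, and the cleanup trap removes every temporary directory and agent afterwards. Note that the phone never needed a push: the private key is what makes a clone useful, which is why the export file deserves the same care as the store itself.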
Bonus note
password-store is a command line program that you access via its command pass, but there are also graphical interfaces for it.
One of them is QtPass; you should find it in most distros, and on Slackware I found it on SBo and compiled it without any problems. It performs very well, lets you manipulate your password repository from a graphical interface, performs push/pull operations on git and makes it easier to generate complex passwords whenever you need one. Just a heads-up: if you install this setup on Raspbian, remember to install one of the pinentry programs to be able to enter your passphrase when you are not in the terminal.
I hope you’ll find this article useful; remember to drop me a comment if you need any help and I’ll be happy to help you as best I can.
Cheers!!