added article about bash-notes. Still in draft
[danix.xyz.git] / content / articles / manage-your-passwords-with-password-store.md
---
title: Manage your passwords with password-store
author: Danilo M.
type: article
date: 2021-05-27T15:08:05+00:00
excerpt: "Today I'll guide you on how to safely manage all your passwords with password-store"
featured_image: /uploads/2021/05/vault-door1.jpg
categories:
 - android
 - blogging
 - diy
 - linux
tags:
 - android
 - gnupg
 - management
 - password
 - password-store

---
Hello everyone,

lately I’ve decided not to use the password manager offered by all major browsers nowadays, but instead to manage all my passwords with some open source software, in order to have better control over them.

I decided to write this article after reading this <a rel="noreferrer noopener" href="https://alien.slackbook.org/blog/sync-and-share-your-chromium-and-more-browser-data-among-all-your-computers/" target="_blank">blog entry by AlienBob</a>, where he talks about KeepassXC. Since I’ve used it too, I wanted to offer a valid alternative that addresses some downsides I stumbled upon while using it.

The first approach I attempted, as I said, was <a rel="noreferrer noopener" href="https://keepassxc.org/" target="_blank">KeepassXC</a>. Quoting their website:

<blockquote class="wp-block-quote">
 <p>
 KeePassXC – Cross-Platform Password Manager
 </p>

 <p>
 Never forget a password again.<br />Securely store passwords using industry standard encryption, quickly auto-type them into desktop applications, and use our browser extension to log into websites.
 </p>

 <cite><a rel="noreferrer noopener" style="" href="https://keepassxc.org/" target="_blank">KeepassXC website</a></cite>
</blockquote>

What I did was install KeepassXC on my Slackware64-current, export all my passwords from my main browser, save them as CSV and import them into KeepassXC. Now I have to remember just one password to access my database, and I can install the browser integration add-on for Chromium (or Firefox) to have all my passwords readily available. Neat!!

To share my passwords between my devices, I simply made a private git repository on my server and synced the password database with it. I then went and installed <a rel="noreferrer noopener" href="https://github.com/bpellin/keepassdroid" target="_blank">KeePassDroid</a>, which is an Android implementation of KeepassXC.

Since KeePassDroid doesn’t sync automatically from a remote server, I had to use git on my phone to pull/push to my remote in order to keep the password database up to date. Even if that’s not a big deal, I wasn’t happy with my password workflow, so while still using this approach I kept looking for alternatives.
46
<!--more-->

## Meet password-store

I stumbled upon <a rel="noreferrer noopener" href="https://www.passwordstore.org" target="_blank">password-store</a>, which claims to be the standard unix password manager.

The way it works is simple yet brilliant in my opinion: each password is kept in a gpg-encrypted text file inside a known directory structure; the file itself, as well as the directory containing it, can follow whatever naming convention you want, and everything can be manipulated with standard unix tools (cp, mv, rm, etc.). <acronym title="Keep It Simple, Stupid">KISS</acronym> rule, am I right?!

Here’s how it looks, a standard tree view from the shell:

<pre class="wp-block-code language-bash"><code>.password-store/
[...]
├── facebook/
│   └── facebook-username
├── twitter/
│   └── twitter-username
├── www.instagram.com/
│   └── instagram-username
[...]</code></pre>
66
In this example, facebook is a directory containing a gpg-encrypted text file named “facebook-username”; that file holds my password for that user on facebook. Pretty straightforward.

The beauty of the pass program is that it also includes git subcommands, so you can use it to sync your password database to a remote. Here’s how it works:

The first thing you want to do is create a remote repository on your git server; there are a million ways to do so, and it depends on your git provider. If you want to host a git server yourself, I have a howto on this site, <a href="https://danix.xyz/2018/07/git-setup-own-server/" data-type="post" data-id="3748">give it a look</a>.

After creating the remote repository, you want to clone it into `~/.password-store`, the default directory where pass will store all your credentials. To do so:

<pre class="wp-block-code language-bash"><code>git clone myserver.com:git-repository ~/.password-store</code></pre>

Assuming you already have a gpg key pair for johndoe@youremailaddress.com, you’ll have to initialize the password repository like this:

<pre class="wp-block-code language-bash"><code>pass init johndoe@youremailaddress.com</code></pre>

Now pass will use the gpg key pair for that email address when encrypting and decrypting your passwords. Since it also recognizes that the directory is a local clone of a git repository, the previous command also created a commit ready to be pushed, so all you have to do is

<pre class="wp-block-code language-bash"><code>cd ~/.password-store && git push
# or you can use the git subcommand built into pass:
pass git push</code></pre>

and your password database will be synced.

From there you can simply invoke pass to list all your passwords, search your database, add, remove or modify entries, etc. For more info, check the manual, which also has advanced examples of how to use git with pass.
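Because everything under `~/.password-store` is pushed to the remote as-is, it is worth checking before `pass git push` that every file in the tree really is a gpg-encrypted `.gpg` entry (only `.gpg-id` and `.gitattributes` are plaintext by design). The following audit is an added example, not code from the article or from the pass project; the sample store, its file names and the stub ciphertext bytes are constructed for the demonstration.

```python
import os
import tempfile

# Added example (not from the article or the pass project): audit a
# password-store tree before pushing it. pass keeps every entry as <name>.gpg,
# a binary OpenPGP message; .gpg-id and .gitattributes are plaintext by design.
PLAINTEXT_OK = {".gpg-id", ".gitattributes"}
SKIP_DIRS = {".git", ".extensions"}
# First byte of a binary OpenPGP message (RFC 4880 packet header, old or new
# format) for tag 1 (public-key ESK) or tag 3 (symmetric-key ESK).
ENCRYPTED_HEADERS = {0x84, 0x85, 0x86, 0x87, 0x8C, 0x8D, 0x8E, 0x8F, 0xC1, 0xC3}

def looks_encrypted(data: bytes) -> bool:
    """True if the bytes start like a binary or ASCII-armored OpenPGP message."""
    return bool(data) and (data[0] in ENCRYPTED_HEADERS or data.startswith(b"-----BEGIN PGP MESSAGE-----"))

def audit_store(store: str) -> list:
    """Return sorted (relative_path, problem) pairs for files that are not proper entries."""
    findings = []
    for root, dirs, files in os.walk(store):
        dirs[:] = [d for d in dirs if d not in SKIP_DIRS]  # git metadata is fine
        for name in files:
            if name in PLAINTEXT_OK:
                continue
            path = os.path.join(root, name)
            rel = os.path.relpath(path, store)
            with open(path, "rb") as fh:
                head = fh.read(64)
            if not name.endswith(".gpg"):
                findings.append((rel, "not a .gpg entry, would sync as plaintext"))
            elif not looks_encrypted(head):
                findings.append((rel, ".gpg name but content is not an OpenPGP message"))
    return sorted(findings)

def demo_store() -> str:
    """Build a constructed sample store shaped like the article's tree."""
    store = tempfile.mkdtemp(prefix="password-store-")
    for sub in ("facebook", "twitter", ".git"):
        os.makedirs(os.path.join(store, sub))
    with open(os.path.join(store, ".gpg-id"), "w") as fh:
        fh.write("johndoe@youremailaddress.com\n")
    # 0x85: old-format header, tag 1, two-byte length, as gpg -e writes it
    with open(os.path.join(store, "facebook", "facebook-username.gpg"), "wb") as fh:
        fh.write(b"\x85\x01\x0c\x03" + bytes(12))  # constructed stub, not real ciphertext
    with open(os.path.join(store, "twitter", "twitter-username.txt"), "w") as fh:
        fh.write("hunter2\n")  # plaintext left in the tree by mistake
    with open(os.path.join(store, "twitter", "twitter-backup.gpg"), "w") as fh:
        fh.write("hunter2\n")  # right name, never actually encrypted
    return store
```

Run `audit_store(os.path.expanduser("~/.password-store"))` against a real store; an empty list means every entry is an OpenPGP message and only the expected plaintext files are present.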
90
On my Android phone I’ve installed the mobile version of <a rel="noreferrer noopener" href="https://play.google.com/store/apps/details?id=dev.msfjarvis.aps" target="_blank">Password Store</a>, I’ve set up my ssh key in order to be able to pull/push from my git remote, and now I have all my passwords synchronized to my mobile as well.

## On the phone

The process for installing password-store on the phone is a bit tricky, but nothing really difficult. The two apps we need are:

 * <a href="https://play.google.com/store/apps/details?id=dev.msfjarvis.aps" target="_blank" rel="noreferrer noopener">Password-store</a>
 * <a href="https://play.google.com/store/apps/details?id=org.sufficientlysecure.keychain" target="_blank" rel="noreferrer noopener">OpenKeyChain</a>

After installing both those apps, we’ll need to go to our computer and export our public and private gpg keys in order to import them into OpenKeyChain. To do so, open a terminal and type:

<pre class="wp-block-code language-bash"><code>gpg --export-secret-keys --armor johndoe@youremailaddress.com > private.asc
gpg --export --armor johndoe@youremailaddress.com > public.asc</code></pre>

Now we have both our private and public keys stored in files, which we can transfer to the phone and import into OpenKeyChain. I imported the private key first and then the public one; while importing the latter, OpenKeyChain confirmed that the key was updated, so both belong to the same keypair.

One important note regarding git: depending on how your git repository is set up, you might need to import your ssh key into password-store on your phone in order to access the repository. That’s really easy, as the app asks for your git configuration the first time you open it.

Once you’ve set up your git access, it will ask you to allow OpenKeyChain to manage your gpg key pair whenever you use password-store, and that’s it! You now have your passwords securely stored through GnuPG and synced between your devices with git.
110
## Bonus note

password-store is a command line program that you use via its command `pass`, but there are also graphical interfaces to access it.

One of them is <a rel="noreferrer noopener" href="https://qtpass.org/" target="_blank">qtpass</a>; you should find it in most distros. On Slackware I found it on <a rel="noreferrer noopener" href="https://slackbuilds.org/repository/14.2/desktop/qtpass/?search=qtpass" target="_blank">SBo</a> and compiled it without any problems. It performs very well, allows you to manipulate your password repository from a graphical interface, performs push/pull operations on git and makes it easier to create complex passwords whenever you need. Just a heads-up: if you install this setup on Raspbian, remember to install one of the pinentry programs so you can enter your passphrase when you are not in the terminal.

I hope you’ll find this article useful. Remember to drop me a [comment][1] if you need any help, and I’ll be happy to help you as best I can.

Cheers!!

[1]: #comment