articles/manage-your-passwords-with-password-store.md

   1 ---
   2 title: Manage your passwords with password-store
   3 author: Danilo M.
   4 type: post
   5 date: 2021-05-27T15:08:05+00:00
   6 excerpt: "Today I'll guide you on how to safely manage all your passwords with password-store"
   7 featured_image: /wp-content/uploads/2021/05/vault-door1.jpg
   8 categories:
   9   - android
  10   - blogging
  11   - diy
  12   - linux
  13 tags:
  14   - android
  15   - gnupg
  16   - management
  17   - password
  18   - password-store
  19
  20 ---
  21 Hello everyone,
  22
  23 lately I&#8217;ve decided not to use the password manager offered by all major browsers nowadays, but instead try to manage all my passwords using some open source software in order to have a better control over my passwords.
  24
  25 I&#8217;ve decided to write this article after reading this <a rel="noreferrer noopener" href="https://alien.slackbook.org/blog/sync-and-share-your-chromium-and-more-browser-data-among-all-your-computers/" target="_blank">blog entry by AlienBob</a> where he speaks of KeepassXC, and since I&#8217;ve used it, I wanted to give a valid alternative to some downsides that I&#8217;ve stumbled upon while using it.
  26
  27 The first approach I&#8217;ve attempted, as I said, was using <a rel="noreferrer noopener" href="https://keepassxc.org/" target="_blank">KeepassXC</a>, quoting their website:
  28
  29 <blockquote class="wp-block-quote">
  30   <p>
  31     KeePassXC &#8211; Cross-Platform Password Manager
  32   </p>
  33
  34   <p>
  35     Never forget a password again.<br />Securely store passwords using industry standard encryption, quickly auto-type them into desktop applications, and use our browser extension to log into websites.
  36   </p>
  37
  38   <cite><a rel="noreferrer noopener" style="" href="https://keepassxc.org/" target="_blank">KeepassXC website</a></cite>
  39 </blockquote>
  40
  41 What I did was install keepassXC on my Slackware64-current, export all my passwords from my main browser, save them as CSV and import them inside keepassXC. Now I have to remember just one password to access my database and I can install the browser integration add-on for chromium (or firefox) to have all my passwords readily available. Neat!!
  42
  43 To share my passwords between my devices, I simply made a private git repository on my server and synced the password database with it. I then went and installed <a rel="noreferrer noopener" href="https://github.com/bpellin/keepassdroid" target="_blank">KeePassDroid</a>, which is an Android implementation of keepassXC.
  44
  45 Since keepassdroid doesn&#8217;t sync automatically from a remote server, I had to use git on my phone to pull/push to my remote in order to keep the password database up to date, and even if that&#8217;s not a big deal, I wasn&#8217;t happy with my password workflow so, while still using this approach, I was looking for alternatives.
  46
  47 <!--more-->
  48
  49 ## Meet password-store
  50
  51 I stumbled upon <a rel="noreferrer noopener" href="https://www.passwordstore.org" target="_blank">password-store</a>, which claims to be the standard unix password manager.
  52
  53 The way it works is simple yet brilliant in my opinion, each password is kept secure in a gpg encrypted text file inside a known directory structure, the file itself as well as the directory containing it can have whatever naming convention you want, and everything can be manipulated with standard unix tools (cp, mv, rm, etc.). <acronym title="Keep It Simple, Stupid">KISS</acronym> rule, am I right?!
  54
  55 Here&#8217;s how it looks like, standard tree view from the shell:
  56
  57 <pre class="wp-block-code language-bash"><code>.password-store/
  58 &#91;...]
  59 ├── facebook/
  60 │&nbsp;&nbsp; └── facebook-username
  61 ├── twitter/
  62 │&nbsp;&nbsp; └── twitter-username
  63 ├── www.instagram.com/
  64 │&nbsp;&nbsp; └── instagram-username
  65 &#91;...]</code></pre>
  66
  67 In this example, facebook is a directory, containing a gpg encrypted text file named &#8220;facebook-username&#8221;, in that file is written my password for that user on facebook, pretty straightforward.
  68
  69 The beauty of the pass program, is that it also includes git subcommands, so you can use it to sync your password database to a remote. Here&#8217;s how it works:
  70
  71 The first thing you want to do is create a remote repository on your git server, there&#8217;s a million ways to do so, and it depends on your git provider. If you want to host a git server I have an howto on this site, <a href="https://danix.xyz/2018/07/git-setup-own-server/" data-type="post" data-id="3748">give it a look</a>.
  72
  73 After creating the remote repository, you want to clone it in `~/.password-store`, the default directory where pass will store all your credentials, and to do so you&#8217;ll do:
  74
  75 <pre class="wp-block-code language-bash"><code>git clone myserver.com:git-repository ~/.password-store</code></pre>
  76
  77 Assuming you already have a gpg key pair for johndoe@youremailaddress.com, you&#8217;ll have to initialize the password repository like this:
  78
  79 <pre class="wp-block-code language-bash"><code>pass init johndoe@youremailaddress.com</code></pre>
  80
  81 Now pass will use the gpg key pair for that email address when encrypting and decrypting your passwords. Since it also understands when the directory is a local clone of a git repository, after initializing with the previous command, it created a commit ready to be pushed, so all you have to do is
  82
  83 <pre class="wp-block-code language-bash"><code>cd ~/.password-store && git push
  84 # or you can use pass internal git capabilities with:
  85 pass git push</code></pre>
  86
  87 and your password database will be synced.
  88
  89 From there you can simply invoke pass to see all your passwords, you can search your database, add or remove passwords, modify them etc. For more info you can check the manual where you also have advanced examples on how to use git with pass.
  90
  91 On my android phone I&#8217;ve installed the mobile version of <a rel="noreferrer noopener" href="https://play.google.com/store/apps/details?id=dev.msfjarvis.aps" target="_blank">Password Store</a>, I&#8217;ve setup my ssh key in order to be able to pull/push from my git remote, and now I have all my passwords syncronized to my mobile as well.
  92
  93 ## On the phone
  94
  95 The process for installing password-store on the phone is a bit tricky, but nothing really difficult. The two apps we need are:
  96
  97   * <a href="https://play.google.com/store/apps/details?id=dev.msfjarvis.aps" target="_blank" rel="noreferrer noopener">Password-store</a>
  98   * <a href="https://play.google.com/store/apps/details?id=org.sufficientlysecure.keychain" target="_blank" rel="noreferrer noopener">OpenKeyChain</a>
  99
 100 After installing both those apps, we&#8217;ll need to go on our computer and export our public and private gpg keys in order to import them inside OpenKeyChain, to do so we&#8217;ll go in the terminal and type away:
 101
 102 <pre class="wp-block-code language-bash"><code>gpg --export-secret-keys --armor johndoe@youremailaddress.com &gt; private.asc
 103 gpg --export --armor johndoe@youremailaddress.com &gt; public.asc</code></pre>
 104
 105 now we have both our private and public key stored in a file, which we can transfer to the phone and import inside OpenKeyChain. I&#8217;ve imported the private key first and then the public one, and while importing the latter, OpenKeyChain confirmed that the key was updated, so both are essentially on the same keypair.
 106
 107 One important note regarding git, depending on how your git repository is setup, you might be needed to import your ssh key inside password-store on your phone in order to access the repository, that&#8217;s really easy as the app will ask for your git configuration the first time you open it.
 108
 109 Once you&#8217;ve setup your git access, it will ask you to allow OpenKeyChain to manage your gpg key pair whenever you use password-store, and that&#8217;s it! You have now your passwords securely stored through GnuPG and synced between your devices with git.
 110
 111 ## Bonus note
 112
 113 password-store is a command line program that you can access via it&#8217;s command `pass`, but there are also graphical interfaces to access it.
 114
 115 One of them is <a rel="noreferrer noopener" href="https://qtpass.org/" target="_blank">qtpass</a>, you should find it in most distros, on Slackware I found it on <a rel="noreferrer noopener" href="https://slackbuilds.org/repository/14.2/desktop/qtpass/?search=qtpass" target="_blank">SBo</a> and compiled it without any problems. It performs very well, allows you to manipulate your password repository from a graphical interface, performs push/pull operations on git and makes it easier to create complex passwords whenever you need. Just a headsup, if you install this setup on raspbian, remember to install one of the pinentry programs to be able to insert your passkey when you are not in the terminal.
 116
 117 I hope you&#8217;ll find this article useful, remember to drop me a [comment][1] if you need any help and I&#8217;ll be happy to help you as best as I can.
 118
 119 Cheers!!
 120
 121  [1]: #comment