I have too many passwords to track. My sysadmin tells me “If you have to memorize long, complicated passwords, you are doing it wrong.” And many of the sysadmins I talk to tell me they memorize the important ones and just rely on email password recovery for the rest-all the stuff you don’t care about. And of course other sysadmins will disagree because of the insecurity of email. Or some will keep a list in their wallet since people generally know pretty quickly after the fact, that their wallet is missing.
Whatever. I chose to go the password manager route, so I use OpenSSL and KeePassX. KeePassX for practicality and ease of use, and OpenSSL for backup of the KeePassX datastore as well as emergency remote text access if needed — KeePassX does not have a commandline interface (CI). I am also not bold enough to keep the KeePassX database stored on any of the convenient cloud services like Dropbox so syncing can be a problem.
This is not the best solution. I would prefer a password manager that had a CI so I could just ssh and get my passwords when I need them. I would probably still keep a cheesy OpenSSL encyrpted file for backup, but it would not be the only way to get remote access to the file.
I still like the OpenSSL method.
openssl aes-256-cbc -a -salt -in stuff.txt -out stuff.encrypted
openssl aes-256-cbc -d -a -in stuff.encrypted -out stuff.woohoo
So the sysadmin mentions this password manager a couple weeks ago and I’ve finally had a chance to look at it. Pass – the standard Unix password manager. This stores passwords in GPG encrypted files and is accessible through simple CI commands. The man page is also complete and understandable (if you are not a doit like me). Quick and dirty
$ pass init [your-gpg-id] # see gnupg note below if you have not used gnupg before. $ pass # lists the datastore in a pretty tree structure. $ pass -c Versioningfirstname.lastname@example.org # copies the password to clipboard. Exp. 45s $ pass insert Emailemail@example.com # add another password. $ pass generate Server/user@somehost
and so on.
Stuff you may need to know.
You might want to install gnupg or gnupg2 if your system doesn’t have it already. Fedora 18 installs gnupg2 by default. (Update: stick with gpg, bc gpg2 causes problems with cache-ttl in gpg-agent, that make using Pass annoying.) Once installed generate your gpg key
$ gpg2 --gen-key
Follow all the prompts. It’s sort of fun to make randomness. I hate that gpg and pgp look so similar to me.
It is good to note that after you make the pgp keypair you can refer to the public key either by the key itself, the name you associated with it or the email you associated with it. This was what was messing me up with the instructions for pass, even after I had created the gpg-id. I issued the following:
$ pass init Versioningfirstname.lastname@example.org # Wrong
the .password-store/ would create successfully, but then I would try to add a new password by issuing a
$ pass insert somethingelse
which would error out with a
gpg: [stdin]: encryption failed: No public key
This confused me until I realized that in the example
$ pass init Jason@zx2c4.com
‘Jason@zx2c4’ was referring to his gpg-id and not just creating the password-store by adding an email address. See what I get for just going by the examples at the bottom of the man page and not looking at blah blah blah stuff at the top of the man page first?
If you want to delve more into how and why you should use PGP, good citizen Peter E. Murray wrote an articulate post about it on his blog. In the above case, I am only using PGP for encryption, Peter talks about using PGP for authentication of identity and the good of the world.