Quick Tip: GnuPG-based password manager (Linux)

0
29
views

In this article we will setup a secure password manager. You probably use the same password over and over again on multiple sites/devices/applications. Not so great! If one service gets compromised, an attacker can wreak some serious havoc. YOU SHOULD USE DIFFERENT PASSWORDS!
But this is hard, so many store their passwords in a passwords.txt file on their desktop, or even better, in a service like Dropbox storing all passwords together and keeping that file synced. Copying passwords will also circumvent keyloggers active on your system. So awesome right?!

Not really, If one of your devices gets compromised, or Dropbox makes a mistake, you are screwed. You should still have an extra layer of access protection between the file and the passwords, syncing with Dropbox can be fine, but you have to encrypt the file.

About password managers

One option is using tools like Keepass or 1Password. But you are depending on that service, its not modular (you can not choose the way it gets synced). I don’t like trusting these services. Not only the communication but things like encryption type, memory leaks, temporary files can all be badly designed. Open-source tools are the way to go, because you can trust AND verify.

The best way to do this is with asymmetric encryption. Their are standards such as PGP (GnuPG on linux) who make this easy. The encryption is very strong because you use a long encryption key, to decrypt your target file.
The long encryption key is stored locally on your machines, and you need a passphrase to use it. So even if the can get access to the long secure encryption key (private key). They will still need the passphrase.

This is not all that GnuPG can do, it is an amazing piece of work, if interested, you should check it out. A nice place to get started with using it is this Arch Linux page about GnuPG.

I use the terminal everywhere and there is a cli-tool named pass to automate the usage of GnuPG for passwords. We will use that to manage our passwords.

Dependencies

You first have to install pass and GnuPG and more important, set up GnuPG and have it make a key for you (you can of course use an already existing key, but then you would not be reading this). Do what is right on your system:

Debian-based;

sudo apt-get install pass gnupg

Arch Linux; 

sudo pacman -Sy pass gnupg

The cool thing about the pass password-manager, is its cross platform uniform behavior. You know how to use it on one platform and you know it on all your other devices (more on syncing the passwords later)

Setup your encryption key

gpg --full-gen-key

Now gpg will ask you a couple questions, like what kind of key you want, press 1.
I chose a key-size of 4096, which is the highest possible. Then put in 0 for a everlasting key, confirm you choice. and STOP!setup gpg key

Now put a YouTube video playing, setup a file copy from and to your disk for 10 minutes or something. Then go back to your console and it will have asked for a password and fill in you name, email and a comment (like ‘created on 27/12/2016’). Confirm and you are done.
You can close your YouTube video and the file transfer. This is to generate some computer noise. Which will enprove the randomness of the generated key!

To test if the key was successfully created:

gpg --list-keys

List keys

Ok great!, let us now get pass setup, you can do that with this command: (where the <id> value is your email or name you just put in)

pass init <id>

Init password store

Setup done!

Usage

To insert a password in your password-store:

pass insert stuffathome/thingseverybodyshouldknow/wifipassword

You can keep adding or removing ‘/’ signs to make more divisions in your password-store.
These will just be added as descending folders.

To have it instead generate a password for you (if you want to be extra safe) and store it in an encrypted file:

pass generate stuffathome/thingseverybodyshouldknow/wifipassword

No password asked? Isn’t this unsafe?
The way we encrypted this password-store is asymmetrical… so everybody can encrypt, but only the ones with a private key can decrypt.

To list the available passwords just type:

pass show

To retrieve the password we just created, do:

pass show stuffathome/thingseverybodyshouldknow/wifipassword

And now it will ask for your passphrase of the gpg key you specified in the setup command. Then it should echo the password out. And thats really all you need to know to use this password manager. The key will be available for a small time until it timed out. That’s it!

Syncing your passwords

To synchronize your password manager between devices. You need to synchronize 2 sets of files. The first one is you gpg key. Those are stored in the folder ~/.gnupg by default. You can change the location where GnuPG checks for these files with setting the $GNUPGHOME variable:

export GNUPGHOME="~/keys"

Now you can move your .gnupg folder to a new location and put the new location in this variable. REMINDER: you have to put this command in your ~/.bashrc file or alias it with your pass command (more on that later).

You passwords are stored in a directory, called a store, this is the one that pass has setup for you. The default location is ~/.password-store. If you use change the variables $PASSWORD_STORE_DIR and $PASSWORDS_STORE_GIT to the location where your store is. So all this in one command (put this in ~/.bashrc):

alias pass='GNUPGHOME=~/keys PASSWORD_STORE_DIR=~/DATA/PASSWORDS PASSWORD_STORE_GIT=~/DATA/PASSWORDS pass'

This alias command, will make your pass command always use these variables. You copy the passwords-store and key to a service like Dropbox or in a synced git-repository, put the path to these directories in the command and you are set! Please keep the key and password-store seperate, it is still protected by a passphrase but you lose the protection of you 4096-bit key.

That’s it! Good Luck with your password manager!

LEAVE A REPLY

Please enter your comment!
Please enter your name here