## Thursday, 19 November 2015

Recently I was looking for a good password manager, as the number of passwords I need to maintain is growing steadily (I'm sure everyone knows how it is).

The one I found ("pass - the standard unix password manager"), the one I am talking about, exemplifies the Unix philosophy[0], which is:
Do One Thing and Do It Well.
Write programs to work together.
Write programs to handle text streams, because that is a universal interface.
The password manager itself does very little; it delegates to other parts of the Linux system: the filesystem for storage, GnuPG for encryption, pwgen for generating random passwords, xclip for interfacing with the clipboard and (optionally) Git for version control.

This does mean that you have to set up GNU Privacy Guard properly before you can start using "pass", hence the next chapter.

# GNU Privacy Guard

“GnuPG[1] is a complete and free implementation of the OpenPGP standard as defined by RFC 4880 (also known as PGP).”

## Creating a key

All keys are stored in ~/.gnupg.

```
bash-4.3$ gpg2 --full-gen-key
gpg (GnuPG) 2.1.7; Copyright (C) 2015 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

gpg: directory '/home/mrbear/.gnupg' created
gpg: new configuration file '/home/mrbear/.gnupg/gpg.conf' created
gpg: WARNING: options in '/home/mrbear/.gnupg/gpg.conf' are not yet active during this run
gpg: keybox '/home/mrbear/.gnupg/pubring.kbx' created
Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
Your selection? 2
```

I have decided to follow the advice of the website[1] and take 2.

Note that GnuPG's own default here is option 1, RSA and RSA, and that the DSA choice is what triggers the warning further down ("some OpenPGP programs can't handle a DSA key with this digest size"); taking the default avoids it.

```
DSA keys may be between 1024 and 3072 bits long.
What keysize do you want? (2048)
```

I take 2048, it seems fairly default.

```
Requested keysize is 2048 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0)
Key does not expire at all
Is this correct? (y/N) Y

GnuPG needs to construct a user ID to identify your key.

Real name: mrbear
Email address: mrbear@localhost.com
Comment: mrbear
You selected this USER-ID:
    "mrbear (mrbear) <mrbear@localhost.com>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit?
```

And away we go!

```
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: WARNING: some OpenPGP programs can't handle a DSA key with this digest size
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: /home/mrbear/.gnupg/trustdb.gpg: trustdb created
gpg: key 3A4CFDFE marked as ultimately trusted
gpg: directory '/home/mrbear/.gnupg/openpgp-revocs.d' created
public and secret key created and signed.

gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
pub   dsa2048/3A4CFDFE 2015-10-14
      Key fingerprint = 7FCC 07FA A6BE 32DE A971 2281 587B D827 3A4C FDFE
uid         [ultimate] mrbear (mrbear) <mrbear@localhost.com>
sub   elg2048/0B94C819 2015-10-14
```

The "entropy" message appears twice because two keys are generated: the DSA primary key for signing and the Elgamal subkey for encryption (the one pass will actually encrypt to). GnuPG also writes a revocation certificate into ~/.gnupg/openpgp-revocs.d; keep a copy of it somewhere safe, because a key without an expiry date can only be retired by revoking it.

So, just to check:

```
bash-4.3$ gpg2 --list-keys
/home/mrbear/.gnupg/pubring.kbx
---------------------------------
pub   dsa2048/3A4CFDFE 2015-10-14
uid         [ultimate] mrbear (mrbear) <mrbear@localhost.com>
sub   elg2048/0B94C819 2015-10-14
```

Apparently, initialising the store needs to be done with the ID of the key generated above; pass records it in .gpg-id at the root of the store and encrypts every entry to that key.

```
bash-4.3$ sudo dnf install pass
...
bash-4.3$ pass init "3A4CFDFE"
```

And I wish to use Git, because I'm that kinda guy.

```
bash-4.3$ pass git init
Initialized empty Git repository in /home/mrbear/.password-store/.git/
[master (root-commit) 77cc085] Add current contents of password store.
 1 file changed, 1 insertion(+)
 create mode 100644 .gpg-id
[master 6655058] Configure git repository for gpg file diff.
 1 file changed, 1 insertion(+)
 create mode 100644 .gitattributes
```

## Adding my passwords

For example, my email:

```
bash-4.3$ pass insert Email/mail.localhost.com
 1 file changed, 0 insertions(+), 0 deletions(-)
 create mode 100644 Email/mail.localhost.com.gpg
```

```
bash-4.3$ pass
Password Store
└── Email
    └── mail.localhost.com
```

## Generating passwords

```
bash-4.3$ pass generate Internet/sync.firefox.com 16
 1 file changed, 0 insertions(+), 0 deletions(-)
 create mode 100644 Internet/sync.firefox.com.gpg
The generated password for Internet/sync.firefox.com is:
$%R&E%&8^BA/
```

Some websites do not accept "odd" characters (< > ! @ # $ % ^ & * _) in passwords. With the "--no-symbols" ("-n") option you get a generated password containing only lowercase letters, capitals and digits.

```
bash-4.3$ pass -c Email/mail.localhost.com
Copied Email/mail.localhost.com to clipboard. Will clear in 45 seconds.
```

Bear in mind that for those 45 seconds the password sits in the X clipboard, where any other X client can read it.

## Getting your stuff back

Since pass stores the passwords as nothing more than GnuPG-encrypted files under ~/.password-store, we should be able to decrypt a file directly, without pass. This works as follows:

```
bash-4.3$ gpg2 --decrypt .password-store/Email/mail.localhost.com.gpg
gpg: encrypted with 2048-bit ELG key, ID 0B94C819, created 2015-10-14
      "mrbear (mrbear) <mrbear@localhost.com>"
itsasecret!
```

Note that only the contents of each file are encrypted: the directory tree (Email/mail.localhost.com, Internet/sync.firefox.com) is plain text, so whoever can read the store can at least see which accounts you have.
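The key generation, `pass init`, `pass insert` and the direct `gpg2 --decrypt` above are the whole mechanism, so it can be reproduced with GnuPG alone. The script below is an added example (it is not from the original post and not pass's own code): it performs that round trip in a throwaway GNUPGHOME and store directory, so nothing under ~/.gnupg or ~/.password-store is touched. The user ID, the store layout and the secret "itsasecret!" are constructed to mirror the post; the unattended `--quick-generate-key` call stands in for the `--full-gen-key` dialogue, and a passphrase-less key is used only because the keyring is deleted when the script exits. It needs gpg2 or gpg on the PATH and prints SKIP otherwise.

```shell
#!/bin/sh
# Added example: what "pass init" / "pass insert" / "pass show" boil down to,
# done with gpg alone in temporary directories. Not code from the post or from pass.
set -eu

pass_roundtrip() {
    gpg_bin=$(command -v gpg2 || command -v gpg || true)
    if [ -z "$gpg_bin" ]; then
        echo "SKIP"          # no GnuPG on this machine; nothing to demonstrate
        return 0
    fi

    # Throwaway keyring and store; the real ~/.gnupg and ~/.password-store stay untouched.
    GNUPGHOME=$(mktemp -d); export GNUPGHOME
    chmod 700 "$GNUPGHOME"       # gpg complains about "unsafe permissions" otherwise
    store=$(mktemp -d)
    trap 'gpgconf --kill gpg-agent 2>/dev/null || true; rm -rf "$GNUPGHOME" "$store"' EXIT

    uid='mrbear <mrbear@localhost.com>'   # constructed user ID, as in the post
    secret='itsasecret!'                  # constructed secret, as in the post

    # The interactive --full-gen-key dialogue, scripted. "default default" picks
    # GnuPG's own default algorithm and usage (RSA primary + RSA encryption subkey),
    # "never" matches the post's choice of no expiry. No passphrase: demo key only.
    "$gpg_bin" --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key "$uid" default default never >/dev/null 2>&1

    # What "pass init <id>" records: the recipient key at the root of the store.
    # --with-colons gives machine-readable output; field 10 of the "fpr" line is the fingerprint.
    keyid=$("$gpg_bin" --batch --with-colons --list-keys "$uid" \
            | awk -F: '$1 == "fpr" { print $10; exit }')
    printf '%s\n' "$keyid" > "$store/.gpg-id"

    # What "pass insert Email/mail.localhost.com" does: one gpg-encrypted file per entry,
    # encrypted to the key named in .gpg-id. Only the file contents are encrypted;
    # the path Email/mail.localhost.com.gpg stays visible.
    mkdir -p "$store/Email"
    printf '%s\n' "$secret" | "$gpg_bin" --batch --quiet --yes \
        --recipient "$(cat "$store/.gpg-id")" --encrypt \
        --output "$store/Email/mail.localhost.com.gpg"

    # "Getting your stuff back" without pass: decrypt the file directly.
    # The plaintext goes to stdout, the "encrypted with ... key" notice to stderr.
    "$gpg_bin" --batch --quiet --pinentry-mode loopback --passphrase '' \
        --decrypt "$store/Email/mail.localhost.com.gpg" 2>/dev/null
}

pass_roundtrip
```

Running it prints the secret back (or SKIP without GnuPG). The only real difference from pass is cosmetic: pass adds `--compress-algo=none --no-encrypt-to` to its gpg calls and commits each file to Git when the store is a repository.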

# Syncing the git

As I wish to manage my passwords from multiple computers, there's a need to sync/merge the git repositories from time to time.

First is, of course, the copying of the GPG keys by copying the .gnupg directory:

```
scp -r .gnupg mrbear@toby:/home/mrbear
```

The password store itself only ever contains encrypted files and the .gpg-id, so it can go through any git remote; the secret key in .gnupg is the part that must stay private, which is why it travels over scp and not through the repository. Make sure the copy on the other machine is still only readable by you (mode 700 on the directory), otherwise gpg will complain about unsafe permissions.

From the second machine, from my home directory:
After that it is nothing more than a "git pull" or "git push" whenever I need it.

# References

[0] Wikipedia - Unix philosophy
https://en.wikipedia.org/wiki/Unix_philosophy
[1] GnuPG
https://www.gnupg.org/documentation/howtos.html