We tend to hoard passwords and secrets over time. Every day there's a new cool service to register for, and if you are a sane person, you are likely using a different password for each one (you are, right?). You also have your citizen-related numbers and secrets, which must be stored somewhere. Then there are two-factor authentication codes, which usually live on your phone, and you risk losing them every time you go out with your phone in your pocket.
As time goes on, it's relatively easy to end up with over a hundred passwords, and at that point you start to forget them and just reuse old ones. We need a system that is reliable, secure and easy to use to hold all your secrets.
At a friend's request, in this blog post I'll show how I manage my secrets and passwords.
My requirements for a good password manager solution are the following:
- Should not be a paid service. I will not trust any company with the encryption of my passwords; I want to have control over my data, where it's stored and where I hold my encryption keys.
- Should be simple. For the requirement above to work, I cannot have a convoluted way of handling passwords; it should all fit in my head.
- Should be generally accessible. I want to be able to access every password from any device, on any operating system.
- Should be easy to back up. I should be able to store this anywhere and have a history of every password created and every modification made.
- Should be quick to use. I want to access any password in less than a minute.
With this in mind, my solution has only two base components, GPG and Git.
GPG is a widely used encryption tool, generally used to encrypt files and email. I've used GPG for a long time now, and I have a pretty good knowledge of how to manage keys and how to not fuck it up. Also, most Linux distributions come with GPG already installed, and it is available on every other operating system out there. There are plenty of good guides on how to start using it. You should learn it anyway; knowing how to secure your files is something everyone should know.
Git is a version control system. You can track file changes and easily upload said files to private repositories of your choosing, usually for free. This is another tool I've used for years, and it works to track pretty much any type of text.
Now, to actually generate, store and access passwords, I use a program called pass. It uses GPG to encrypt, and optionally Git to track, the passwords in a folder. Every password is an encrypted text file, so you can actually write any text into the file and it will be securely stored.
The simplest way to use pass is from the command line. Assuming you already have a GPG key, here are some examples:
To track the password folder in a git repository:
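The following is an added example, not the post's own command listing (which is missing from this copy of the page). It walks through the pass workflow described above, from creating the store to tracking it with git, and adds a small helper that reproduces what `pass ls` shows so that part can be run without gpg or pass installed. The key id alice@example.com, the remote URL, the store location and the entry names are placeholders; the workflow function assumes `pass`, `gpg` and `git` are on PATH.

```shell
#!/bin/sh
# Added example (not from the original post): a minimal pass workflow, plus a
# helper that lists entries the way `pass ls` does.
# Assumptions: pass, gpg and git are installed for pass_workflow; a GPG key for
# the placeholder id alice@example.com exists; the remote URL is a placeholder.

# pass keeps everything under $PASSWORD_STORE_DIR (default ~/.password-store).
# Pointing it at a scratch directory keeps this demo away from a real store.
export PASSWORD_STORE_DIR="${PASSWORD_STORE_DIR:-$HOME/.password-store}"

# Day-to-day usage. Each entry becomes one GPG-encrypted file, for example
# web/example.com -> $PASSWORD_STORE_DIR/web/example.com.gpg
pass_workflow() {
    # One-time setup: create the store and record which key encrypts it (.gpg-id)
    pass init "alice@example.com"                  # placeholder key id

    # Store an existing secret (prompts twice for the value). With -m, pass
    # reads until Ctrl-D, so usernames or recovery codes fit on extra lines.
    pass insert web/example.com

    # Let pass generate a 32-character password instead (-n: no symbols)
    pass generate -n bank/example-bank 32

    # Read an entry, or copy its first line to the clipboard for a short time
    pass show web/example.com
    pass -c web/example.com

    # Search entry names
    pass find example

    # Version the store with git; every later change is committed automatically
    pass git init
    pass git remote add origin "git@example.invalid:alice/password-store.git"  # placeholder
    pass git push -u origin HEAD

    # Editing and removing are tracked like any other change
    pass edit web/example.com
    pass rm bank/example-bank
    pass git log --oneline
}

# What `pass ls` effectively lists: every *.gpg file under the store, with the
# store prefix and the .gpg suffix stripped. Entry names are plain file names on
# disk and in git; only the file contents are encrypted.
list_entries() {
    store="$1"
    find "$store" -type f -name '*.gpg' \
        | sed "s|^$store/||; s|\.gpg\$||" \
        | sort
}

# Constructed sample store for demonstration: empty placeholder files stand in
# for the ciphertext that pass would write.
make_sample_store() {
    dir=$(mktemp -d)
    mkdir -p "$dir/web" "$dir/bank"
    printf 'alice@example.com\n' > "$dir/.gpg-id"
    : > "$dir/web/example.com.gpg"
    : > "$dir/bank/example-bank.gpg"
    printf '%s' "$dir"
}
```

Run `pass_workflow` interactively; the insert, edit and rm steps prompt for input or confirmation. One caveat worth keeping in mind: only the contents of each entry are encrypted. The entry names (web/example.com and so on) and the directory layout are stored in plaintext, both on disk and in every git remote you push to, so anyone with read access to the repository learns which services you hold accounts with, even though they cannot read the passwords themselves.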
There are, of course, graphical interfaces and plugins for pass, all of them listed on the pass website. I personally use the pass-otp plugin to extract the 2FA secret from the encrypted file and generate an OTP code for me. I also use the pass app for Android, and it works really well; it even has autofill support. I've briefly used QtPass with great success too. Being a command line program also makes it easy to integrate into any workflow through scripts.
With this system I can store any type of text, of any length, access it from anywhere, keep a reliable copy in a remote place using git, and have it all secured with a strong GPG encryption key. I hold over 250 keys, passwords and other kinds of secret phrases with no worry of losing them or being unable to access them.
There are many alternatives to this, many of them “simpler” than this, but none of them fit my criteria for a password manager.