gsthnz's blog

The true password solution

We tend to hoard passwords and secrets over time. Every day there’s a new cool service to register for, and if you are a sane person, you are likely using a different password for each one (you are, right?). You also have your citizen-related numbers and secrets, which must be stored somewhere. There are also two-factor authentication codes, which usually live on your phone, and you risk losing them every time you go out with the phone in your pocket.

As time progresses, it’s relatively easy to end up with over a hundred passwords, and at that point you start to forget them and just reuse old ones. We need a system that is reliable, secure and easy to use to hold all your secrets.

As a request from a friend, in this blog post I’ll show how I manage my secrets and passwords.

My requirements for a good password manager solution are the following:

With this in mind, my solution has only two base components: GPG and Git.

GPG is a widely used encryption tool, generally used to encrypt files and email. I’ve used GPG for a long time now, and I have a pretty good knowledge of how to manage keys and how to not fuck it up. Also, most Linux distributions come with GPG already installed, and it is available on every other operating system out there. There are plenty of good guides on how to start using it. You should learn it anyway; knowing how to secure your files is something everyone should know.

Git is a version control system. You can track file changes and easily upload said files to private repositories of your choosing, usually for free. This is another tool I’ve used for years, and it works to track pretty much any type of text.

Now, to actually generate, store and access passwords, I use a program called pass. It uses GPG to encrypt the passwords and, optionally, Git to track them in a folder. Every password is an encrypted text file, so you can actually write any text in the file and it will be securely stored.

The simplest way to use pass is on the command line. Assuming you already have a GPG key, here are some examples:

# Create encrypted password folder
$ pass init "GPG Key"

# Generate a 30 character password for your email account
$ pass generate email-password 30

# Manually insert a password
$ pass edit email-password

# Show the email account password
$ pass show email-password

# Copy the email account password to the clipboard
$ pass -c email-password

To track the password folder on a git repository:

# Initialize git repository using pass
$ pass git init

# Set the url of your remote repository
$ pass git remote add origin <url>:<repository>

# Push your changes to the remote repository
$ pass git push -u --all

There are, of course, graphical interfaces and plugins for pass, all of them listed on the pass website. I personally use the pass-otp plugin to extract the 2FA key from the encrypted files and generate an OTP code for me. I also use the pass app for Android, and it works really well; it even has autofill support. I’ve briefly used QtPass with great success too. Being a command line program also makes it easier to integrate into any workflow through scripts.
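To show what the pass-otp step above actually computes, here is an added example (not pass-otp’s own code, which shells out to oathtool): a decrypted entry carries an otpauth:// line, and the code is RFC 6238 TOTP over the base32 secret in that line. The entry text below is constructed, and its secret is the RFC 6238 test key rather than a real one.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, urlparse

def parse_otpauth(uri):
    """Parse an otpauth://totp/ URI, the line pass-otp keeps inside an entry."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("only otpauth://totp/ URIs are supported here")
    query = parse_qs(parsed.query)
    if "secret" not in query:
        raise ValueError("otpauth URI has no secret parameter")
    # Defaults are what authenticator apps assume when a field is absent.
    return {
        "secret": query["secret"][0],
        "digits": int(query.get("digits", ["6"])[0]),
        "period": int(query.get("period", ["30"])[0]),
        "algorithm": query.get("algorithm", ["SHA1"])[0].lower(),
    }

def totp(secret_b32, timestamp, digits=6, period=30, algorithm="sha1"):
    """RFC 6238 TOTP: HOTP over the number of periods elapsed since the epoch."""
    # Base32 secrets are usually stored without '=' padding; restore it.
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    counter = struct.pack(">Q", timestamp // period)
    digest = hmac.new(key, counter, getattr(hashlib, algorithm)).digest()
    # Dynamic truncation (RFC 4226 5.3): low nibble of the last byte selects
    # a 4-byte window, masked to 31 bits, then reduced modulo 10^digits.
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def code_from_entry(entry_text, timestamp):
    """Return the code for the otpauth line of an already-decrypted entry."""
    for line in entry_text.splitlines():
        if line.startswith("otpauth://"):
            p = parse_otpauth(line.strip())
            return totp(p["secret"], timestamp, p["digits"], p["period"], p["algorithm"])
    raise ValueError("no otpauth:// line found in entry")

# Constructed sample entry in the layout pass-otp reads: password on the first
# line, otpauth URI below it. The secret is the RFC 6238 test key, not a real one.
SAMPLE_ENTRY = """correct horse battery staple
otpauth://totp/example.org:alice?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=example.org
"""
```

Call `code_from_entry(SAMPLE_ENTRY, int(time.time()))` to get the code that would be valid right now; the GPG decryption itself is left to pass.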

With this system I can store any type of text, of any length, access it from anywhere, keep a reliable copy in a remote place using Git, and it is secured with a strong GPG encryption key. I hold over 250 keys, passwords and other types of secret phrases with no worries of losing them or not being able to access them.

There are many alternatives to this, many of them “simpler”, but none of them fit my criteria for a password manager.

Have questions or comments? Use my public inbox by sending a plain-text email to ~gsthnz/