It's been five years since I created my Unix password store, encypted with my GPG key pair password-store. That key expired and now I need to update my database to a new master key.
Now is also a good time to clear out the git history. My key has not (to my knowledge) been compromised, so I don't need to remove all instances of passwords encrypted with the old key, but it will be nice to clear out the old history.
I've been using pass for a while now and I really like it. But I don't like putting passwords or passphrases into my system clipboard if I can help it: writing code to sniff the clipboard is child's play, so I'd like to avoid that attack vector if possible.
One place that I thought would be simple would be the SSH utility to add keys to your SSH Agent: ssh-add. It should be possible to do something like this:
$ pass github/sinewalker|head -1|ssh-add github/sinewalker
Unfortunately this isn't so: ssh-add doesn't accept your passphrase from STDIN when piped like this.
But, there is a way to do it.
The final part of the password puzzle is getting my passwords into my pocket. There are quite a few images in this post (about 2MB) as I describe setting up the system on Android, which involves a lot of steps, with screen-shots.
Hold onto your hat, it's a bit of a fiddle.
Having covered what pass is, why I'm using it, and the required supporting tools gnupg, git, ssh and a private git remote, it's time to go over how to put the system together.
Setting it all up on a Unix computer is fairly straight-forward. Getting it onto an Android is a bit different. So in this post I'll cover how the pieces of the system fit together, and then walk through setting it up on Unix.
Synchronising your local password-store git repository with your remote store is done a bit differently depending if this is the first time you're setting up the remote, or if you already have a remote and you wish to merge it into your new local. I'll cover that too.
I spent some spare hours on the week-end playing with Pass, importing my KeePassX database into password-store and synchronising it to a GitLab private repository.
It's a little tricky to get it set up, with a few moving parts, so I'm still experimenting. Here's what I've figured out so far.
Passwords. We all have a lot of them to remember — most of us have too many. How do you keep track of them all?
Originally I used to just remember passwords for everything, like most people. I soon found this doesn't scale past about 7 passwords and PINs. Rather than use the same passwords everywhere, I started to keep a secret list of passwords, but it was a pain to keep that list with me, and what if it was discovered?
After been keeping my passwords in a GPG-encrypted text file for a few years, I then started using a KeePassX database, and that's been pretty successful. I sync the database to my phone so that I can have my passwords with me whenever needed, but it is a little bit clunky to use.
At the recomendation from someone at work, I checked out pass, “the standard Unix password manager”. It offers all the features I've been using from KeePassX for a few years now, only with much better syncronisation based upon git+ssh.
Pass is also integrated into browsers, editors, and even a few operating systems, so it's potentially a lot less clunky and risky to use than how I was using KeePassX with passwords entered via the system clipboard.
This post reviews my password management approaches to date and gives an overview of Pass.
I've just finished hacking together a simple little program to transcode my "dvorcodes" for when entering on a QWERTY keyboard. I've created a new project on SourceForge and I've uploaded the code and a pair of pre-compiled executable JARs (one for Java 5 and also a re-worked version that's been tested on Java 1.4.2).