$ doas pkg_add -v password-store
doas (peter@devenv.my.domain) password:
Update candidates: quirks-2.197 -> quirks-2.197
quirks-2.197 signed on 2016-02-26T22:06:23Z
password-store-1.6.5:base64-1.5: ok
password-store-1.6.5:colortree-1.7.0: ok
password-store-1.6.5:xclip-0.12p0: ok
password-store-1.6.5:gnugetopt-1.1.6: ok
password-store-1.6.5:pwgen-2.07p2: ok
File /etc/bash_completion.d/pass-bash-completion.sh could not be installed:
No such file or directory
password-store-1.6.5: ok
Extracted 375880 from 377728
That would be roughly equivalent to a 'sudo yum install pass', 'brew install pass', etc. Now that pass is installed, we will go ahead and initialize it with our key:
$ pass init 86F22317
Password store initialized for 86F22317
Now pass has created a simple file structure for us, and will store passwords inside GPG encrypted files within this file structure. Let's start by creating a directory or two to categorize passwords, then we'll generate couple:
$ mkdir .password-store/websites
$ mkdir .password-store/ssh
$ pass
Password Store
|-- ssh
`-- websites
$ pass generate websites/facebook 26
The generated password for websites/facebook is:
D#)y=[fehkr`BRZJcrHFbA^8"Y
$ pass generate ssh/peter@example.com 32
The generated password for ssh/peter@example.com is:
S_=zXyt}:5Y`VX|7al&FVTyG^jXGH`L3
$ pass
Password Store
|-- ssh
| `-- peter@example.com
`-- websites
Password-store has now generated two passwords for us called facebook in the websites category, which is 26 characters long, and one called peter@example.com in the ssh category, which is 32 characters long (neither of these are my real passwords).
These passwords are stored, as mentioned above in GPG encrypted files:
$ ls -lR .password-store/
total 8
drwxr-xr-x 2 peter peter 512 Apr 14 16:05 ssh
drwxr-xr-x 2 peter peter 512 Apr 14 16:05 websites
.password-store/ssh:
total 4
-rw------- 1 peter peter 611 Apr 14 16:05 peter@example.com.gpg
.password-store/websites:
total 4
-rw------- 1 peter peter 605 Apr 14 16:05 facebook.gpg
The passwords can then be retrieved to either STDOUT or the clipboard (by adding the -c flag) using your GPG key:
$ pass websites/facebook
You need a passphrase to unlock the secret key for
user: "Peter Ezetta
4096-bit RSA key, ID 647AF373, created 2016-04-04 (main key ID 86F22317)
D#)y=[fehkr`BRZJcrHFbA^8"Y
Notice that the encryption subkey is used here, not the main key, which I keep offline on a USB stick.
Another great feature of pass is it's built in git integration, allowing for easy team sharing of password stores, distributing and keeping passwords in sync between multiple machines:
$ pass git init
Initialized empty Git repository in /home/peter/.password-store/.git/
[master (root-commit) d1daf83] Add current contents of password store.
Committer: Peter Ezetta
3 files changed, 1 insertion(+)
create mode 100644 .gpg-id
create mode 100644 ssh/peter@example.com.gpg
create mode 100644 websites/facebook.gpg
[master bd983ce] Configure git repository for gpg file diff.
Committer: Peter Ezetta
1 file changed, 1 insertion(+)
create mode 100644 .gitattributes
Password-store is more than capable of adding git remotes and the like, but I will leave that as an exercise to the reader. Much more information is available from the project website at https://passwordstore.org.
In the next part of this article, I will be discussing the web of trust and key signing procedures. Stay tuned!
No comments:
Post a Comment