Friday, April 15, 2016

Basic Communications Security Part 2 - password-store

When we last spoke about encryption, I covered nonrepudiation and the subject of signing.  Today, I will be showing a little less theory and more practical usage of GPG -- keeping your passwords safe.  I will be covering the use of our fancy new encryption key with pass (  My example machine today will be a shiny new OpenBSD 5.9 box; however, the process is largely the same on Linux, et al.

$ doas pkg_add -v password-store
doas ( password:
Update candidates: quirks-2.197 -> quirks-2.197
quirks-2.197 signed on 2016-02-26T22:06:23Z
password-store-1.6.5:base64-1.5: ok
password-store-1.6.5:colortree-1.7.0: ok
password-store-1.6.5:xclip-0.12p0: ok
password-store-1.6.5:gnugetopt-1.1.6: ok
password-store-1.6.5:pwgen-2.07p2: ok
File /etc/bash_completion.d/ could not be installed:
        No such file or directory
password-store-1.6.5: ok
Extracted 375880 from 377728

That would be roughly equivalent to a 'sudo yum install pass', 'brew install pass', etc.  Now that pass is installed, we will go ahead and initialize it with our key:

$ pass init 86F22317

Password store initialized for 86F22317

Now pass has created a simple file structure for us, and will store passwords inside GPG-encrypted files within this file structure.  Let's start by creating a directory or two to categorize passwords, then we'll generate a couple:

$ mkdir .password-store/websites
$ mkdir .password-store/ssh
$ pass
Password Store
|-- ssh
`-- websites
$ pass generate websites/facebook 26
The generated password for websites/facebook is:
$ pass generate ssh/ 32
The generated password for ssh/ is:
$ pass
Password Store
|-- ssh
|   `--
`-- websites
    `-- facebook

Password-store has now generated two passwords for us: one called facebook in the websites category, which is 26 characters long, and one called in the ssh category, which is 32 characters long (neither of these is my real password).

These passwords are stored, as mentioned above, in GPG-encrypted files:

$ ls -lR .password-store/
total 8
drwxr-xr-x  2 peter  peter  512 Apr 14 16:05 ssh
drwxr-xr-x  2 peter  peter  512 Apr 14 16:05 websites

total 4
-rw-------  1 peter  peter  611 Apr 14 16:05

total 4

-rw-------  1 peter  peter  605 Apr 14 16:05 facebook.gpg

The passwords can then be retrieved to either STDOUT or the clipboard (by adding the -c flag) using your GPG key:

$ pass websites/facebook

You need a passphrase to unlock the secret key for
user: "Peter Ezetta "
4096-bit RSA key, ID 647AF373, created 2016-04-04 (main key ID 86F22317)


Notice that the encryption subkey is used here, not the main key, which I keep offline on a USB stick.
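Two things in the listings above are worth checking on a real store: that every .gpg file is mode 600, and which key each file is actually encrypted to. The following Python script is an added example, not part of this post or of pass itself; it reads the first OpenPGP packet of each file (the Public-Key Encrypted Session Key packet), whose key ID is the encryption subkey, which is why 647AF373 rather than 86F22317 appears in the unlock prompt. The SAMPLE bytes and the upper half of its key ID are constructed placeholders.

```python
import stat
from pathlib import Path

PK_ALGOS = {1: "RSA", 2: "RSA(enc)", 16: "Elgamal", 18: "ECDH"}  # RFC 4880 9.1

def packet_header(data):
    """(tag, body_offset) of the first OpenPGP packet (RFC 4880 section 4.2)."""
    first = data[0]
    if not first & 0x80:
        raise ValueError("not a binary OpenPGP packet")
    if first & 0x40:  # new-format header: tag in low 6 bits, variable-size length
        b1 = data[1]
        if 224 <= b1 <= 254:
            raise ValueError("partial body length")
        return first & 0x3F, 2 if b1 < 192 else 3 if b1 <= 223 else 6
    if first & 0x03 == 3:  # old-format header: tag in bits 2-5, length type in bits 0-1
        raise ValueError("indeterminate packet length")
    return (first >> 2) & 0x0F, (2, 3, 5)[first & 0x03]

def recipient(data):
    """Key ID (16 hex chars) and algorithm from the first PKESK packet (tag 1)."""
    tag, off = packet_header(data)
    if tag != 1 or data[off] != 3:
        raise ValueError("first packet is not a version 3 public-key encrypted session key")
    key_id, algo = data[off + 1:off + 9], data[off + 9]
    return key_id.hex().upper(), PK_ALGOS.get(algo, "algo %d" % algo)

def audit_entry(mode, data, subkey_id):
    """Findings for one .gpg entry; an empty list means it looks right."""
    findings = []
    if stat.S_IMODE(mode) & 0o077:
        findings.append("mode %o readable by group/others" % stat.S_IMODE(mode))
    try:
        key_id, algo = recipient(data)
    except (ValueError, IndexError) as exc:
        return findings + [str(exc)]
    if not key_id.endswith(subkey_id.upper()):  # accept short (8) or long (16) IDs
        findings.append("encrypted to %s (%s), not %s" % (key_id, algo, subkey_id))
    return findings

def audit_store(subkey_id, store=Path.home() / ".password-store"):
    """Walk a real store. .gpg-id names the primary key (86F22317 in the post) but
    each file's PKESK names the encryption subkey (647AF373), so pass the subkey."""
    store = Path(store)
    return {str(p.relative_to(store)): audit_entry(p.stat().st_mode, p.read_bytes(), subkey_id)
            for p in store.rglob("*.gpg")}

# Constructed sample, not a real file: 85 02 0c 03 is the header gpg writes for a
# 4096-bit RSA recipient; the upper half of the key ID is a placeholder.
SAMPLE = bytes.fromhex("85020c03" + "00000000647AF373" + "01" + "1000") + bytes(512)
```

Run audit_store("647AF373") against your own store; an entry with an empty list of findings is mode 600 and decryptable only by that subkey.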

Another great feature of pass is its built-in git integration, allowing for easy team sharing of password stores, and for distributing and keeping passwords in sync between multiple machines:

$ pass git init
Initialized empty Git repository in /home/peter/.password-store/.git/
[master (root-commit) d1daf83] Add current contents of password store.
 Committer: Peter Ezetta

 3 files changed, 1 insertion(+)
 create mode 100644 .gpg-id
 create mode 100644 ssh/
 create mode 100644 websites/facebook.gpg
[master bd983ce] Configure git repository for gpg file diff.
 Committer: Peter Ezetta

 1 file changed, 1 insertion(+)

 create mode 100644 .gitattributes

Password-store is more than capable of adding git remotes and the like, but I will leave that as an exercise for the reader.  Much more information is available from the project website at

In the next part of this article, I will be discussing the web of trust and key signing procedures.  Stay tuned!