Friday, April 15, 2016

Basic Communications Security Part 2 - password-store

When we last spoke about encryption, I covered nonrepudiation and the subject of signing.  Today there will be a little less theory and more practical usage of GPG: keeping your passwords safe.  I will be covering the use of our fancy new encryption key with pass (https://passwordstore.org).  My example machine today is a shiny new OpenBSD 5.9 box, but the process is largely the same on Linux, macOS, et al.

$ doas pkg_add -v password-store
doas (peter@devenv.my.domain) password:
Update candidates: quirks-2.197 -> quirks-2.197
quirks-2.197 signed on 2016-02-26T22:06:23Z
password-store-1.6.5:base64-1.5: ok
password-store-1.6.5:colortree-1.7.0: ok
password-store-1.6.5:xclip-0.12p0: ok
password-store-1.6.5:gnugetopt-1.1.6: ok
password-store-1.6.5:pwgen-2.07p2: ok
File /etc/bash_completion.d/pass-bash-completion.sh could not be installed:
        No such file or directory
password-store-1.6.5: ok
Extracted 375880 from 377728

That is roughly equivalent to 'sudo yum install pass', 'brew install pass', etc.  Now that pass is installed, we initialize it with the ID of our key:

$ pass init 86F22317

Password store initialized for 86F22317

pass has now created a simple directory structure for us (~/.password-store, with the key ID recorded in a .gpg-id file) and will store each password as a GPG-encrypted file inside it.  Let's start by creating a directory or two to categorize passwords, then we'll generate a couple:

$ mkdir .password-store/websites
$ mkdir .password-store/ssh
$ pass
Password Store
|-- ssh
`-- websites
$ pass generate websites/facebook 26
The generated password for websites/facebook is:
D#)y=[fehkr`BRZJcrHFbA^8"Y
$ pass generate ssh/peter@example.com 32
The generated password for ssh/peter@example.com is:
S_=zXyt}:5Y`VX|7al&FVTyG^jXGH`L3
$ pass
Password Store
|-- ssh
|   `-- peter@example.com
`-- websites
    `-- facebook

pass has now generated two passwords for us: one called facebook in the websites category, 26 characters long, and one called peter@example.com in the ssh category, 32 characters long (neither of these is a real password of mine).

As mentioned above, these passwords are stored in GPG-encrypted files, one per entry, readable only by the owner:

$ ls -lR .password-store/
total 8
drwxr-xr-x  2 peter  peter  512 Apr 14 16:05 ssh
drwxr-xr-x  2 peter  peter  512 Apr 14 16:05 websites

.password-store/ssh:
total 4
-rw-------  1 peter  peter  611 Apr 14 16:05 peter@example.com.gpg

.password-store/websites:
total 4
-rw-------  1 peter  peter  605 Apr 14 16:05 facebook.gpg

A password can then be retrieved to STDOUT (or to the clipboard, by adding the -c flag) by decrypting the file with your GPG key:

$ pass websites/facebook

You need a passphrase to unlock the secret key for
user: "Peter Ezetta "
4096-bit RSA key, ID 647AF373, created 2016-04-04 (main key ID 86F22317)


D#)y=[fehkr`BRZJcrHFbA^8"Y

Notice that it is the encryption subkey (647AF373) that unlocks the file, not the main key (86F22317), which I keep offline on a USB stick.  That is exactly what the subkey setup from the previous part buys us: pass encrypts to whatever encryption-capable subkey the primary key carries, so the primary key never needs to be on this machine.
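One consequence of the subkey behaviour above is worth checking for yourself: the recipient key ID stored inside each .gpg file is the subkey, so a naive comparison against .gpg-id (which holds the primary key ID) would flag every entry.  The following audit script is an added example written for this post, not code from the original post or from the pass project.  It resolves each ID in .gpg-id to its encryption-capable keys with gpg's --with-colons output, reads the recipient IDs out of every entry with --list-packets, and reports any entry encrypted to a key that is not one of yours.  It assumes GnuPG 2.1 or later (for --pinentry-mode cancel, which stops gpg from asking for the passphrase while it only reads packet headers) and a store at ~/.password-store unless a path is given; the 16-digit key IDs in the comments are constructed, with only their trailing 8 digits taken from the post.  It also lists the entry names, which pass leaves in plaintext.

```shell
#!/bin/sh
# Added example for this post (not code from the post or from pass): audit a
# password store so that every *.gpg entry is encrypted only to keys that
# belong to the IDs listed in .gpg-id. The recipient recorded inside a file
# is the encryption subkey (647AF373 in the post), not the primary key
# (86F22317), so the primary key is resolved to its subkeys first.
# Assumes GnuPG >= 2.1. The parsing helpers read plain text on stdin, so
# they can be exercised without gpg installed.

# Recipient key IDs from `gpg --list-packets` output; relevant lines look like
#   :pubkey enc packet: version 3, algo 1, keyid 1D2C3B4A647AF373   (constructed)
enc_keyids() {
    awk '/^:pubkey enc packet:/ {
             for (i = 1; i <= NF; i++) if ($i == "keyid") print toupper($(i + 1))
         }' | sort -u
}

# Encryption-capable key IDs (primary or subkey) from
# `gpg --with-colons --list-keys` output: field 5 is the long key ID and
# field 12 holds the capability letters, where "e" marks an encryption key.
owned_keyids() {
    awk -F: '($1 == "pub" || $1 == "sub") && $12 ~ /e/ { print toupper($5) }' | sort -u
}

# Succeed iff every ID in $1 appears in $2 (both newline-separated).
# IDs are compared on their trailing 8 hex digits so a short ID still matches.
all_recipients_owned() {
    bad=0
    for id in $1; do
        short=${id#"${id%????????}"}   # last 8 characters of $id
        found=0
        for k in $2; do
            if [ "${k#"${k%????????}"}" = "$short" ]; then found=1; fi
        done
        if [ "$found" -ne 1 ]; then
            echo "unexpected recipient: $id" >&2
            bad=1
        fi
    done
    return $bad
}

# Entry names are plaintext filenames: this is what anyone who can read the
# store directory, or any git remote it is pushed to, learns about your accounts.
list_entries() {
    store=${1:-$HOME/.password-store}
    find "$store" -name '*.gpg' | sed "s|^$store/||; s|\.gpg$||" | sort
}

audit_store() {
    store=${1:-$HOME/.password-store}
    # Resolve each ID in .gpg-id (pass writes one per line) to its encryption keys.
    owned=$(while read -r kid; do
                gpg --batch --with-colons --list-keys "$kid" 2>/dev/null
            done < "$store/.gpg-id" | owned_keyids)
    # Only the packet headers are needed; they are printed before gpg tries to
    # decrypt, and --pinentry-mode cancel keeps it from prompting for a passphrase.
    failures=$(find "$store" -name '*.gpg' | while read -r f; do
        enc=$(gpg --batch --pinentry-mode cancel --list-packets "$f" 2>/dev/null | enc_keyids)
        if [ -z "$enc" ] || ! all_recipients_owned "$enc" "$owned" 2>/dev/null; then
            printf '%s\n' "$f"
        fi
    done)
    if [ -n "$failures" ]; then
        printf 'entries encrypted to a key not derived from .gpg-id:\n%s\n' "$failures" >&2
        return 1
    fi
    echo "all $(list_entries "$store" | wc -l | tr -d ' ') entries encrypted only to .gpg-id keys"
}

# Usage (file name is our choice): sh pass-audit.sh audit [store-dir]
case "${1-}" in
    audit) audit_store "${2-}" ;;
esac
```

Run it as `sh pass-audit.sh audit` after the steps above and it should report two entries, both encrypted to the 647AF373 subkey; an entry that fails the check is one that was encrypted for a recipient outside .gpg-id, which is worth investigating before the store is shared with anyone.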

Another great feature of pass is its built-in git integration, which makes it easy to share a store within a team and to distribute and sync passwords between multiple machines.  Bear in mind that only the file contents are encrypted: entry names such as websites/facebook and ssh/peter@example.com are plaintext, so anyone who can read the repository or its remote can see which accounts you have.

$ pass git init
Initialized empty Git repository in /home/peter/.password-store/.git/
[master (root-commit) d1daf83] Add current contents of password store.
 Committer: Peter Ezetta
 3 files changed, 1 insertion(+)
 create mode 100644 .gpg-id
 create mode 100644 ssh/peter@example.com.gpg
 create mode 100644 websites/facebook.gpg
[master bd983ce] Configure git repository for gpg file diff.
 Committer: Peter Ezetta
 1 file changed, 1 insertion(+)
 create mode 100644 .gitattributes

pass is more than capable of adding git remotes and the like (pass git accepts any git subcommand and runs it inside the store), but I will leave that as an exercise for the reader.  Much more information is available from the project website at https://passwordstore.org.

In the next part of this article, I will be discussing the web of trust and key signing procedures.  Stay tuned!
