Solved Password Manager

Hi!

I removed as much of GNOME3 as possible from my system and I am using Openbox as my first WM (I have Fluxbox and CDE also installed).
On GNOME I used security/gnome-keyring, which is removed too, and I am looking for a new one. In ports we have many keepass* but I do not know if it is a good choice.

Thank you.
 
Have a look at sysutils/password-store (https://www.passwordstore.org/). It is basically a wrapper around gpg and git, hence you are not tied to some proprietary format (if pass should break, just use plain gpg) and sharing passwords between systems is as easy as putting the git repository on a private server you can reach from all your systems - or a private git repo on github if you trust Microsoft...

I've put a copy of the repository on my private keypass.io store, so only the systems I've registered with keybase have access to it. For my GPG-keys I'm using a yubikey, so access to the password store is basically 2FA secured.

A plugin for all major browsers is also available: https://github.com/passff/passff

Thanks to the simplicity of the tools involved, it is also very easy to adjust pass for more complex scenarios that even most/all commercial password stores can't do (or only by putting all your passwords on someone else's server...). E.g. you can use various gpg-keys and even multiple ones throughout the hierarchy in the password store, so it is very easy to share groups of logins with selected people within a company by just adding their key-id to the .gpg-id file within a subfolder.
Because you are basically just encrypting normal text files, you can put any additional information in them you want. E.g. 2FA recovery codes, hotline/service phone numbers, customer IDs, serial numbers for accounts that are linked to some hardware or just some reminder where to find a specific option within an ill-designed web portal (aka "mobile friendly")...
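
The per-subfolder .gpg-id scheme described in the post above, as an added example that is not part of the original post or of pass itself: a shell audit that lists, for each entry, the key IDs taken from the nearest .gpg-id file when walking up to the store root. The store layout and the key IDs are constructed placeholders.

```shell
#!/bin/sh
# Added example: audit which key IDs a pass-style store encrypts each entry to.
# pass uses the .gpg-id file nearest to an entry, walking up to the store root.

# Print the key IDs (space-separated) that apply to ENTRY, a path relative to STORE.
effective_recipients() {
    store=$1
    dir=$(dirname "$2")
    while :; do
        if [ -f "$store/$dir/.gpg-id" ]; then
            # One key ID per line; blank lines are ignored.
            grep -v '^[[:space:]]*$' "$store/$dir/.gpg-id" | paste -s -d ' ' -
            return 0
        fi
        [ "$dir" = "." ] && return 1   # reached the store root without a .gpg-id
        dir=$(dirname "$dir")
    done
}

# List every entry in STORE together with the key IDs its .gpg-id requests.
audit_store() {
    store=$1
    ( cd "$store" && find . -type f -name '*.gpg' | sed 's|^\./||' | sort ) |
    while IFS= read -r entry; do
        ids=$(effective_recipients "$store" "$entry") || ids="(no .gpg-id found)"
        printf '%s: %s\n' "${entry%.gpg}" "$ids"
    done
}

# Constructed sample store: empty placeholder files and hypothetical key IDs.
build_demo_store() {
    d=$(mktemp -d)
    mkdir -p "$d/team/web" "$d/private"
    echo 'ALICE_KEY_ID' > "$d/.gpg-id"
    printf 'ALICE_KEY_ID\nBOB_KEY_ID\n' > "$d/team/.gpg-id"
    : > "$d/mail.gpg"; : > "$d/private/bank.gpg"; : > "$d/team/web/shop.gpg"
    echo "$d"
}

demo=$(build_demo_store)
audit_store "$demo"
rm -rf "$demo"
```

The listing shows what the .gpg-id files request, not what each file is currently encrypted to: a file encrypted before a .gpg-id was edited by hand keeps its old recipients until it is re-encrypted, which `pass init -p <subfolder> <key-ids>` does for the subfolder.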
 
For now I am using what mail/claws-mail has:
Claws Mail 3.14.0 debuts a new ‘master passphrase’ feature.
It also makes some big changes to the way it stores passwords, as the official release notes explain:
“All passwords are now stored in a separate file, (~/.claws-mail/passwordstorerc), and use a stronger encryption than previously.
Existing passwords are moved to the new file automatically, in the old format. The new format will be used whenever old passwords are changed or when a Master Passphrase is used. All new passwords are saved using the new format, irrespective of whether a Master Passphrase is used or not.”
But I installed security/keepassxc and sysutils/pwsafe, which look interesting.

Thank you for all the suggestions.
 
The KDB[X] format is not a proprietary format, it is GPL.
I was mainly referring to all/most of the cloud-based and commercial solutions out there. Should have made it more specific.
But nevertheless: getting your passwords out of an (encrypted) KDB file isn't as trivial as just decrypting simple text files via gpg.

Could you elaborate on what features you are missing? There is a qt-based GUI available for pass if that's what you're missing: sysutils/qtpass
 
Mostly, the integration with ssh-agent and gpg-agent. When I start keepassxc (and log in) it does start those agents and add the keys (if there are keys for both configured).

The integrated password generator is also very handy, but I don't know if password-store has this function already.

I've not tested the Firefox plugin but (by looks) does not seem to be as automatic as the new keepassxc-browser plugin.
 
Thanks for the feedback. I'm not in any way affiliated with/to password-store, but as I'm in the process of rolling it out in our network where it will be used (although mostly invisible in the background) by non-technical users, I'm always happy to get some new opinions on it.

I'm using gpg-agent with ssh-support, so no need for ssh-agent. gpg-agent is started via gpg-connect-agent /bye at login (as is the default and IIRC is recommended in the package information that is shown after installation), so pass doesn't need to be involved with that. Key management should IMHO always be left to gpg/gpg-agent and maybe a GUI tool to manage it (kgpg, gnome-gpg etc). The password-manager should do exactly one thing: manage my passwords - gpg is only used for de/encryption of them; so the password manager is just another downstream consumer of the gpg-agent but should never control the keyring or keys (especially private ones).
This is the exact reason why I/we abandoned enigmail, which more than once nuked a user's gpg-keyring because it tries to 'manage' it but obviously can't do it reliably at some times...
 
Yep, I could initiate the thing from login (as used before) but still I would need to add the keys or at least type the passwords for them. This is the point I use keepassxc for that, because it does add the keys and unlock them using its password.
 