Setting up a secure password manager

Fri 5 Apr 2019
Sun 28 Jul 2019

Your own password manager, it sounds like quite a daunting task! I hope to prove otherwise. We will use a few pieces of open-source software to create our password manager and make it available on all platforms.

I'm rocking a Linux desktop and Android-based cellphone. This guide will be geared towards this. Most of the mentioned software will run on Windows and Mac. There might be hurdles, but it is most certainly possible.

Before we start, it's always good to make your acquaintance with these powerful pieces of software. They are open-source and awesome!

GPG - GNU Privacy Guard

This has been accepted as the de facto standard when it comes to managing keys, identities and the web of trust around them. With GPG we can create our electronic identity, choose to trust other keys/persons and let them decrypt our messages.

The beautiful thing about this is that it actually works like that. It really is a bond of trust between two identities.

GPG is seen as a hard-to-learn piece of software. That's why many people choose convenience over security. I will take you through setting this up, step by step. You will see it ain't so bad.

Pass

A fun fact: a lot of password managers, often GUI-based and premium-priced, lean on pass. Pass is the Unix Password Store, a program to store and load passwords. We are going to use pass for our setup and add a GUI to make it easier on us.

Git

Git is version control software, most often used to version code in the software world. We are going to use it to make our password store portable.

You'd think it would be pretty stupid to keep a setup like this in a piece of software that keeps versions of everything you upload to it. You would be right! However, cracking the actual files would require a crazy-big amount of supercomputer hours, at a cost of literally thousands of euros.

Cracking the master password would be much, much easier than trying to decrypt an encrypted file. Neither the master password nor the secret key file is included in the repository, which makes git a pretty safe place to store your passwords.

Other software

QtPass is an excellent GUI written for Linux. I've been using it for years. On mobile, we are going to set up password-store, a great GUI as well. Both are made available as open-source software! Do check the source code, it has been made available.

We also need OpenKeyChain to set up an additional key, which we will add to the keychain we use to encrypt and decrypt passwords.

Trust, vendors, and devices

A small word on trust, vendors and the devices you will actually use, before we start with the actual guide.

- tinfoil hat on -

Everything we do on the internet is based on trust. We trust Google to carefully handle our data. We trust Facebook with our activities. We trust that our cellphones don't track us.

You might not actually trust these companies, yet still use their software. Their software offers convenience: you don't have to set up the software yourself, or understand the technology behind the service, to make it secure.

There are vendors like LastPass, Dashlane and 1Password; why not use those? Well... I'm a programmer, a sysadmin and really stubborn. Why should I trust these vendors with my passwords? Does this vendor have contracts with the government to give people access to my passwords when they request it? Do I manage my own keys, and when I get the option, do I really?

Every one of those services is still proprietary code. I cannot check if there is funky business going on. Should I store all my passwords on a service that I cannot audit myself? Passwords are everything these days, as lots of companies are exclusively online. Their livelihood is in those passwords; think twice when choosing a vendor!

I'm not saying that you shouldn't trust a vendor, all I'm saying is to think twice before choosing a vendor for your important data.

Also, never forget that you compromise on something when these services are offered to you for free, as in free beer, but not free as in freedom.

- tinfoil hat off -

Trust is a mutual thing; it should never come from one side only.

The memory leaking issue referred to above seems more prominent on Windows. Still, a good rule of thumb is to open your password manager and close it again as soon as you are done. Memory will be scrubbed by the OS once the program no longer needs it. This prevents passwords and secure documents from leaking through memory.

I know that Linux has memory scrubbing built in; Windows seems a little behind on this, and Mac should also be sufficiently covered due to being based on BSD.

Also, a lot of security issues and breaches come from bad habits, and leaving your password manager open could be one of them, just like re-using a password.

Then there are devices. You want your password manager to be portable; this adds convenience. You should ask yourself: do I trust my laptop with my password manager, do I trust my Android phone with my password manager? If the answer is yes, then proceed to set it up. If not, then don't. Nobody is forcing you to have your password manager everywhere.

Let's get started -- The guide

We need to install the required software. Debian-based distros can use the following; otherwise, refer to the respective websites.

rob@Rathalos ~ $ sudo apt-get install pass gpg2 git qtpass

To start our guide, we need to set up our electronic identity in GPG. A wizard will guide you and ask a few questions. Read them carefully and protect your identity with a strong password. A very good and strong master password is a passphrase: a whole sentence. They are long, very hard to brute-force, easy to remember and, most importantly, easy to type. Note this password down.

Note: gpg and gpg2 might coexist on your system. Pass will look for either of them but favors gpg2 for its larger feature set. Both are compatible, but if you have gpg2 installed, use gpg2.

rob@Rathalos ~ $ gpg2 --full-gen-key

Now you've made an identity. I've gone with a 4096-bit key. The computational power needed to encrypt passwords is next to nothing on modern devices, and I don't want to leave anything to chance.

Next up, initialize a password store. Use gpg2 --list-keys to find the public key ID you need to initialize the password store.

rob@Rathalos ~ $ pass init 9525G9FA

After this, you've done the hard part! Now we need to create a git repository online. Use a private repository for this. Git will be the method of transport for sharing our passwords with other devices.

When you are done making the new repository, set the remote origin for this repo via the pass command, then create a test password and push it to your repository to check that everything is functional!

rob@Rathalos ~ $ cd .password-store
rob@Rathalos ~/.password-store $ git remote add origin <repo url>
rob@Rathalos ~/.password-store $ pass generate test 21
rob@Rathalos ~/.password-store $ pass git push -u --all

You should see git activity if everything worked out! Now we are ready for QtPass, which we need to configure to use our GPG key and git. Start the program. I've already set up my QtPass, but it is really a matter of enabling some options.

QtPass greeting screen

Then it's simply a matter of going through the tabs and setting the git options you wish to enable. I like having auto-push and auto-pull on, though some people don't like that. That's why it is an option, of course :)

QtPass settings screen

QtPass should work instantly once you've enabled the options. It is nothing more than a GUI on top of the existing password store. Under Users, you can enable/disable the keys. This program also works on Windows, so this should cover every computer and laptop in the house.

The only thing left to do is configure password-store for Android. Configuring this is much like configuring QtPass; however, we need OpenKeyChain to make an additional key for the cellphone, then add it to our web of trust and re-encrypt the password store.

Password-store app and OpenKeyChain

Create a key in OpenKeyChain, export it and get it securely to your laptop. We are going to import this key into our keyring and re-encrypt our password store with it. Once that is done, we will be able to read and write passwords in the app.

# Navigate to the directory holding the exported key, then import it
rob@Rathalos ~ $ gpg2 --import "EpicOnePlus 3.asc"

# Make sure it is imported correctly
rob@Rathalos ~ $ gpg2 --list-keys

# Trust this key: in the edit menu, type "trust" and pick 4 (full) or 5 (ultimate).
# You just made this key and it is your own, so it's safe to trust it ultimately.
rob@Rathalos ~ $ gpg2 --edit-key 3127C2HJ

We can re-encrypt the password store now. It's easy: you simply run init with the keys you entrust your password store to, and this list should always include at least one of the existing keys.

rob@Rathalos ~/.password-store $ pass init 9525G9FA 3127C2HJ
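After that init, every file in the store should be encrypted to both keys, and it is worth checking rather than assuming. The Python below is an added example, not part of this guide or of pass itself: it parses the Public-Key Encrypted Session Key packets (OpenPGP, RFC 4880) at the start of a .gpg file and reports which .gpg-id entries a file is not encrypted to. The sample bytes are constructed for the demonstration, not real gpg output.

```python
# Constructed sample (not real gpg output): two old-format PKESK packets with a
# tiny dummy MPI each, then an encrypted-data packet (tag 18) where parsing stops.
SAMPLE_TWO_RECIPIENTS = bytes.fromhex(
    "85000E03A1B2C3D4E5F60718010010ABCD"   # PKESK: key ID A1B2C3D4E5F60718, RSA
    "85000E030011223344556677010010ABCD"   # PKESK: key ID 0011223344556677, RSA
    "D20201FF"                             # SEIPD packet header + 2 dummy bytes
)

def packet_header(data, pos):
    """Return (tag, body_start, body_len); body_len is None for partial/indeterminate."""
    first = data[pos]
    if first & 0x40:                                  # new-format header
        tag, b = first & 0x3F, data[pos + 1]
        if b < 192:
            return tag, pos + 2, b
        if b < 224:
            return tag, pos + 3, ((b - 192) << 8) + data[pos + 2] + 192
        if b == 255:
            return tag, pos + 6, int.from_bytes(data[pos + 2:pos + 6], "big")
        return tag, pos + 2, None                     # partial body length
    tag, ltype = (first >> 2) & 0x0F, first & 0x03    # old-format header
    if ltype == 3:
        return tag, pos + 1, None                     # indeterminate length
    n = (1, 2, 4)[ltype]
    return tag, pos + 1 + n, int.from_bytes(data[pos + 1:pos + 1 + n], "big")

def recipient_key_ids(data):
    """Long key IDs (16 hex chars) of every PKESK packet before the payload.
    A recipient hidden with --throw-keyids shows up as sixteen zeros."""
    ids, pos = [], 0
    while pos < len(data):
        tag, start, length = packet_header(data, pos)
        if tag in (9, 18, 20) or length is None:      # encrypted data: no more recipients
            break
        if tag == 1:                                  # body: version(1) key_id(8) algo(1) MPIs
            ids.append(data[start + 1:start + 9].hex().upper())
        pos = start + length
    return ids

def id_matches(entry, key_id):
    """A .gpg-id line may hold a short ID, a long ID or a full fingerprint."""
    entry = entry.strip().upper()
    return entry.endswith(key_id) or key_id.endswith(entry)

def missing_recipients(encrypted, gpg_id_entries):
    """Entries of .gpg-id this file is NOT encrypted to (empty list means all good)."""
    ids = recipient_key_ids(encrypted)
    return [e for e in gpg_id_entries if not any(id_matches(e, k) for k in ids)]
```

Run missing_recipients over every *.gpg under ~/.password-store with the lines of .gpg-id as the expected entries; for a single file, gpg2 --list-packets shows the same packets by hand.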

The only thing left to do is set up password-store with an SSH key to access the repo and simply pull it. After that, we are all done! I won't guide you through adding an SSH key to your account, as that varies between git repo vendors.

Optionally: Backup sensitive files

I think this should actually be part of the guide. Make a backup! I prefer paper backups in this case. You might find this strange, but paper backups are actually quite smart here.

Let's say you work for a corporation. You've just generated a few keys that have to be kept as secret as can be. You make the paper backup, seal it and have it stored safely. You know the master key cannot be trusted once the sealed envelope has been opened. You can set up procedures around this, like re-encrypting passwords/documents when you find your master key to be compromised.

That's it!

That really concludes my guide. I hope you learned a thing or two. Setting up a password manager is not hard. It will take some time, sure, but only for the initial setup. Using it is as easy as any other password manager.