storing passwords with age

another pufferfish drawn by rekka

storing passwords with age 2021-04-20 MY QUEST FOR A PASSWORD STORE THAT WORKS FOR ME =============================================== i have tried many times to use a tool that encrypts my passwords, and nearly every time i give in to convinience. there are somewhere between ten and fifty passwords that i keep memorized and can conjure at a moments notice, and it's very convenient to do so. i have, in my 8+ year computing career, tried using the following tools exclusively to secure my passwords: - keepass / keepassx / browser extensions - it became WAY too clunky to lug the keybase database around. sometimes it would hit file conflicts, and it's a huge binary file so it's not simple to store in version control. - pass - well, i had to learn PGP to use pass. the lack of iOS/desktop browser integration was also problematic for me, as i spend an inordinate amounts of time entering passwords on web browsers. - macos's keystore - it's proprietary and only supports Apple devices. not sure why i even tried this. - bitwarden - this one i went all-in on. unfortunately, it suffers from the same problem keepass does - i must enter one huge cludgy password every time i want to get to any of my other passwords. this, to me, sucks balls. - raw PGP - ah, my ignorant days of "minimalism". i went the whole 9 yards - bought a smartcard reader and generated my PGP key on it. used it for SSH. all that. i don't recommend this unless you want to straight up lose 1/5 of your available free time. - pash - ah, pass, my favorite option so far, but simpler! - pass again - ah, pash wasn't compatible with lots of stuff. hello again old friend. AND YET ======= pass serves me fine, but PGP is very concerning. not only because i'm a floundering moron who didn't make a key backup, therefore making my only smartcard a ticking time bomb, but because even if i had, i could never in a million years move that key to my phone. because phones aren't really made to support PGP. this is a big deal, for me. also, PGP is very slow. also, in case i haven't made this clear, PGP's UX is so bad that i recommend people against using it at all. so, then, why do i use it? that's the question i'm writing this post to answer. ( __________ )\ / /\______{,} \_________\/ undoing my time bomb, with intent ================================= so, let's define my unique tooling requirements. getting passwords: - i refuse to wait more than a few seconds for most common day-to-day operations. - i refuse to type a huge long error-prone password - therefore, the secret should be a *key* that i lug around, that can easily be rotated - i want passwords to be loaded into my clipboard, pasted wherever my focus is, and then my clipboard should clear instantly so i don't wind up pasting the password somewhere else - the hotkey should be control+shift+p, and should react instantly (within 100ms) when pressed. - i should type to filter passwords from a list, then press enter to select the one i like - the hotkey should *not* press <return> for me. philosophy: i will use an unencrypted-at-rest key for convinience. - my hard drive is encrypted, so nobody can just pull the drive and scrape the key - if a malicious actor accesses my key, i'm screwed anyway, because: - most short pass phrases can be bruteforced - i would not make it long because typing long passphrases all the time sucks - they have access to my system and can just keylog me my password files shall be kept in a private git repo - the private part is "yet another layer" of obscurity - i don't want my encrypted file history to be totally public becaaaauuuusssseeee if one of my keys gets exploited, welp, they can pull out the previously encrypted files and go to town. - this is up to user discretion obvs, you could put your passes in a public repo, that's fine entering new passwords, or changing existing passwords, or deleting passwords. - this should be accomplished via a simple CLI tool that has the following requirements: - the tool shall be called "pa" - longform: "password ass" - `pa add <name-of-password>` shall make a new password, and randomly generate it - if the name is already taken, exit 1 - automatically git commits & pushes on exit 0 - `pa show <password>` prints the encrypted file to stdout - `pa del <password>` deletes a password (no warning) - `pa list` lists all passwords - `pa edit <password>` opens password file in $EDITOR i use linux at home, and macos at work, but i want the same tooling to work on both of them. this means simple posix sh so, i made pa: https://giit.cyberia.club/~j3s/pa the code is based off of dylan araps's wonderful pash, which i used for awhile. here's an example of pa usage in action: $ pa list /home/j3s/.age/key.txt not detected, generate a new one? [y/n]: y Public key: age1sj9qx968gk40juqxeng0g8vjw6u5rc0vtvqw8dgkjt3usarmnqqsn6u89y $ cat .age/key.txt # created: 2021-01-25T13:49:23-06:00 # public key: age1sj9qx968gk40juqxeng0g8vjw6u5rc0vtvqw8dgkjt3usarmnqqsn6u89y AGE-SECRET-KEY-1XYEUPJ9RUPPDA6DR9RPEQ0HHKLAAAAZYRYHTPE86HSYM8XZ8FEPQD46K8W $ pa list $ pa add garbage Generate a password? [y/n]: y Saved 'garbage' to the store. $ pa list garbage $ pa show garbage f3dYJ3Aq8jZ6Xx0fF2JcAXZpb_2G58pwvZ9Yk8bQ_4q_zL0r8e $ pa del garbage Delete pass file 'garbage'? [y/n]: y $ pa add garbage Generate a password? [y/n]: n Enter password: Enter password (again): Saved 'garbage' to the store. $ pa edit garbage what i love about this is that it can automatically generate your age keys, and they work the same way as ssh keys - which lowers the barrier to entry and understanding. no need to fuss around with keychains, trust levels, daemons, etc. welp, enjoi! That's all for now, next I'll be demonstrating how to tie pa into regular workflows - including dmenu for linux integrations. j3s

follow me on mastodon!

last updated 2021-04-20T00:00:00.000Z