11.12.2018

The Advent of Void: Day 11: gopass

One very important aspect of our work, until a fully passwordless future can be upon us, is password management. Some people choose to use tools like LastPass, or other online password management schemes. But what do you do if you are really paranoid? Enter pass, and its written-in-Go companion with more features: gopass.

We can start our journey with the help of a wizard.

[nakasone@gibson ~]$ gopass
It seems you are new to gopass. Do you want to run the onboarding wizard? [Y/n/q]:
[init] No useable crypto keys. Generating new key pair
[init] [crypto] Key generation may take up to a few minutes
[init] [crypto] Creating key pair ...
[init] [crypto] WARNING: We are about to generate some GPG keys.
[init] [crypto] However, the GPG program can sometimes lock up, displaying the following:
"We need to generate a lot of random bytes."
If this happens, please see the following tips: https://github.com/gopasspw/gopass/blob/master/docs/entropy.md
Continue? [Y/n/q]:
gpg (GnuPG) 2.2.11; Copyright (C) 2018 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Note: Use "gpg2 --full-generate-key" for a full featured key generation dialog.
GnuPG needs to construct a user ID to identify your key.
Real name: John Smith
Email address: John.Smith@example.com
You selected this USER-ID:
    "John Smith <John.Smith@example.com>"
Change (N)ame, (E)mail, or (O)kay/(Q)uit? O
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: key F90F4F27E8F3BCBE marked as ultimately trusted
gpg: directory '/home/nakasone/.gnupg/openpgp-revocs.d' created
gpg: revocation certificate stored as '/home/nakasone/.gnupg/openpgp-revocs.d/1D9F3C091EB8211439B9F80BF90F4F27E8F3BCBE.rev'
public and secret key created and signed.
pub   rsa2048 2018-12-11 [SC] [expires: 2020-12-10]
      1D9F3C091EB8211439B9F80BF90F4F27E8F3BCBE
uid                      John Smith <John.Smith@example.com>
sub   rsa2048 2018-12-11 [E] [expires: 2020-12-10]
-> OK
Error: failed to run onboarding wizard: failed to create new private key: failed to create a useable key pair
[nakasone@gibson ~]$

Well, that was weird. But I can do this, let’s try again.

[nakasone@gibson ~]$ gopass init
[init] Initializing a new password store ...
Please select a private key for encrypting secrets:
[0] gpg - 0x6EB42A8FCB19121B - John Smith <John.Smith@example.com>
Please enter the number of a key (0-0, [q]uit) [0]:
[init] Initializing git repository (gitcli) ...
Use John Smith (John.Smith@example.com) for password store git config? [Y/n/q]:
[init] Git initialized
[init] Password store /home/nakasone/.password-store initialized for:
[init]   0x6EB42A8FCB19121B - John Smith <John.Smith@example.com>
[nakasone@gibson ~]$

Now that we have a password store, let’s look at this.

[nakasone@gibson ~]$ gopass
gopass

Anti-climactic to be sure, but let’s try using it a bit. We have a front gate, so let’s put in my code.

[nakasone@gibson ~]$ gopass insert front-gate
Enter password for front-gate:
Retype password for front-gate:
Warning: Password is too short

Well, duh, I’ve been telling the guards that 1234 is not a reasonable code! But we have a back gate too.

[nakasone@gibson ~]$ gopass insert back-gate
Enter password for back-gate:
Retype password for back-gate:
Warning: Password is too short

Yes, it’s not acceptable. Cry me a river.

[nakasone@gibson ~]$ gopass
gopass
├── back-gate
└── front-gate
[nakasone@gibson ~]$ gopass audit
Auditing passwords for common flaws ...
Checking 2 secrets. This may take some time ...
2 of 2 secrets checked [################################################] 100.00%
Detected a shared secret for:
  - back-gate
  - front-gate
Password is too short:
  - back-gate
  - front-gate
2018/12/11 00:16:28 found weak passwords or duplicates
[nakasone@gibson ~]$
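To make clear what the audit above is actually checking, here is a small re-implementation of the two findings it reports (shared secrets and too-short passwords). This is an added example, not gopass code: it runs over a constructed, already-decrypted store (gopass would do the gpg step first), assumes the pass/gopass convention that the first line of a secret is the password and later lines are metadata, and uses an assumed minimum length of 8 since the page does not state gopass's own threshold. Like gopass, the report names the affected secrets but never includes password material; duplicates are grouped by a SHA-256 digest of the password rather than by the value itself.

```python
"""Miniature version of what `gopass audit` reports (added example, not gopass code)."""
import hashlib
from collections import defaultdict

# Assumed threshold; gopass's real minimum length is not given on this page.
MIN_LENGTH = 8

# Constructed sample store: secret name -> decrypted secret body.
# Mirrors the state of the store in the post, plus two multiline secrets.
SAMPLE_STORE = {
    "front-gate": "1234\n",
    "back-gate": "1234\n",
    "new-front-gate": "nMzke\n",
    "github/torvalds": "correct horse battery staple\nusername: torvalds\n",
    "github/bob-beck": "correct horse battery staple\nurl: https://github.com\n",
}


def password_of(secret: str) -> str:
    """First line of a secret is the password; the rest is metadata (pass/gopass convention)."""
    return secret.split("\n", 1)[0]


def audit(store: dict) -> dict:
    """Audit a decrypted store and return findings as secret names only.

    Returns {"too_short": [name, ...], "shared": [[name, name, ...], ...]}
    with names sorted, so the result is stable and contains no passwords.
    """
    too_short = []
    by_digest = defaultdict(list)
    for name in sorted(store):
        pw = password_of(store[name])
        if len(pw) < MIN_LENGTH:
            too_short.append(name)
        # Group by digest so the password value itself never leaves this loop.
        digest = hashlib.sha256(pw.encode()).hexdigest()
        by_digest[digest].append(name)
    shared = sorted(names for names in by_digest.values() if len(names) > 1)
    return {"too_short": too_short, "shared": shared}


def format_report(report: dict) -> str:
    """Render findings in the same shape as the gopass audit output above."""
    lines = []
    for group in report["shared"]:
        lines.append("Detected a shared secret for:")
        lines.extend(f"  - {name}" for name in group)
    if report["too_short"]:
        lines.append("Password is too short:")
        lines.extend(f"  - {name}" for name in report["too_short"])
    return "\n".join(lines) if lines else "No weak passwords or duplicates found."


if __name__ == "__main__":
    print(format_report(audit(SAMPLE_STORE)))
```

Note that the two github entries are flagged as shared even though their metadata lines differ: only the first line counts as the password, which is also why storing a username on a later line (as gopass's multiline secrets allow) does not change the audit result.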

We need a better gate code. Let’s get one. Security says we can’t have more than 5 characters…

[nakasone@gibson ~]$ gopass generate new-front-gate
How long should the password be? [24]: 5
Do you have strict rules to include different character classes? [y/N/q]:
[nakasone@gibson ~]$ gopass
gopass
├── back-gate
├── front-gate
└── new-front-gate
[nakasone@gibson ~]$ gopass show new-front-gate
nMzke
[nakasone@gibson ~]$

Well, that should do. We don’t have any time-based logins, so we can’t show you gopass generating OTP (TOTP or HOTP) tokens, but the feature is there.

[nakasone@gibson ~]$ gopass rm back-gate
Are you sure you would like to delete back-gate? [y/N/q]: y
[nakasone@gibson ~]$ gopass mv new-front-gate front-gate
front-gate already exists. Overwrite it? [y/N/q]: y
Warning: git has no remote. Ignoring auto-push option
Run: gopass git remote add origin ...
[nakasone@gibson ~]$ gopass
gopass
└── front-gate

As you can see, gopass reminds us our password store isn’t backed up. Well, let’s do that really quickly.

[nakasone@gibson ~]$ gopass git remote add origin git@github.com:void-linux/fortress-pws.git
[nakasone@gibson ~]$ git sync
Sync starting ...
[<root>] git pull and push ...
All done
[nakasone@gibson ~]$

Maybe we can also record some of those useful passwords we have learned.

[nakasone@gibson ~]$ gopass insert github/torvalds
Enter password for github/torvalds:
Retype password for github/torvalds:
[nakasone@gibson ~]$ gopass insert github/bob-beck
Enter password for github/bob-beck:
Retype password for github/bob-beck:
[nakasone@gibson ~]$ gopass
gopass
├── github
│   ├── bob-beck
│   └── torvalds
└── front-gate
[nakasone@gibson ~]$ gopass sync
Sync starting ...
[<root>] git pull and push ...
All done
[nakasone@gibson ~]$

Tada, we have now created some passwords, and synchronized them with a backup! Like all the people with LastPass, our passwords are safe from the destruction of our computer, and protected with the finest gpg has to offer! So fine, in fact, that we can push valuable assets to GitHub and be assured they will not be read. Of course, the names of those assets, and our organization of them, are still publicly visible:

[nakasone@gibson ~]$ find .password-store
.password-store/.git/
# snip
.password-store/front-gate.gpg
.password-store/github/
.password-store/github/jeremy.gpg
.password-store/github/torvalds.gpg
.password-store/.gpg-id
.password-store/.public-keys
.password-store/.public-keys/0x6EB42A8FCB19121B

Obviously, it might be best to store usernames on one line and passwords on the second (gopass supports multiline secrets). In such a scheme, the identity of the assets or usernames you hold can be better protected, since only the encrypted file contents leave your machine. All of that can be handled with gopass, on your computer, trusting nobody else, and can be scripted however you please. There are gopass plugins for Firefox and Chrome, but the author has not had any success testing them.