This article is intended to be a comprehensive recipe to password management, assuming:

  • You are a developer
  • You have to manage dozens of passwords, ssh key pairs and possibly some secret documents
  • You want strong security on each of them
  • You do not want to forget any of them but do not either want to spend too much time memorizing them
  • You want to access your passwords from both your computers and mobile devices

The proposed solution includes:

  • A strong encryption standard (OpenPGP) and its open source implementation (GnuPG)
  • An open source password manager built on top of it (pass)
  • Memorizing one strong master pass phrase
  • A backup plan: do not put all your eggs in one basket

Install Prerequisites

On Linux:

(Ubuntu)

sudo apt-get install gnupg
sudo apt-get install pass

On Android:

On iOS:

Preparing PGP Keys

If you are already a PGP user, skip this step. Otherwise you are going to generate:

  • A master keypair (public/private keys)
  • A sub keypair for password encryption/decryption

gpg --gen-key

This command generates a master keypair associated with your true identity (you may later want to use the PGP keypair for encrypted, digitally signed email).

Choose:

  • Kind: RSA and RSA
  • Bits: 4096
  • Expire: key does not expire
  • Real name: <real-name>
  • Email address: <email-address>
  • Comment: <comment>
  • Pass phrase: <master-pass-phrase>

To make the process faster, you should increase the entropy available to the system. Run in another terminal:

sudo rngd -f -r /dev/urandom

When finished, a master key pair and an associated sub key pair will be created. To see a list of your keys, type:

gpg --list-keys

You will see:

pub   4096R/<master-key-id> <date>
uid                  <real-name> <<email-address>>
sub   4096R/<sub-key-id> <date> 

The <sub-key-id> identifies the key that will encrypt/decrypt your stored passwords.

Optionally, you can strengthen the key by changing its algorithm preferences (the hash, cipher and compression algorithms others use when encrypting to you):

gpg --edit-key <email-address>

And type:

setpref SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed 
save

Initialize a Pass Store

A password store is simply a directory of encrypted files; each file contains a password (the first line) and extra information (the rest of the file).

cd <pass-store>
pass init <sub-key-id>

Password Management Tips

Replace Existing Passwords with Strong Ones

Generate a random password (15 characters):

pass generate <account-name> 15

An encrypted file <account-name>.gpg is created. In decrypted form, its first line is the generated password.

To add extra information like user name or URL for the service:

pass edit <account-name>

Then you can update the password on the service accordingly.

Put a password into Clipboard for 45 seconds

pass -c <account-name>

Avoid typing the master pass phrase repeatedly

Add the configuration file $HOME/.gnupg/gpg-agent.conf so that gpg-agent remembers the master pass phrase for 3600 seconds:

pinentry-program /usr/bin/pinentry-gtk-2
default-cache-ttl 3600
max-cache-ttl 3600

Store SSH keys

Store the SSH public key as the first line (the "password") of a pass entry, and put the private key in the rest of the file, so both are encrypted together.

To change a Git remote from HTTPS to SSH:

git remote set-url origin git@<domain-name>:<repo-path>.git

Backup Plan

Prepare for the following extreme case:

  • Both your laptop and cell phone containing the pass store and PGP keys are damaged or stolen.
  • But you can still remember the master pass phrase.

Use a remote Git repository to back up the password store

cd <pass-store>
pass git init
pass git remote add origin <remote-git-url>
pass git push

Backup PGP keys

Export all the key pairs (including both master and sub keys):

gpg --export-secret-keys --armor <email-address> > <private-key-file>
gpg --export --armor <email-address> > <public-key-file>

Keep the files in a safe, secret place!

To restore the keys from backup:

gpg --import <private-key-file> <public-key-file>

Hide PGP Master Private Key

AFTER the full backup of your PGP keys, you can choose to delete the master private key on the device holding the pass store, because only the sub key pair is needed for encryption/decryption. The deletion will not protect your pass store, but it will protect the identity associated with the master key.

gpg --export-secret-subkeys <email-address> > subkeys
gpg --delete-secret-key <email-address>
gpg --import subkeys
shred --remove subkeys
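A check for this step, added here as an example (not from the original article): after the re-import, the master key should show up as a stub while the subkeys keep their secret parts. The script parses the machine-readable listing of `gpg --with-colons --list-secret-keys`, assuming GnuPG 2.1 or later (where field 15 of a sec/ssb record is "#" for an unavailable secret key and "+" for a present one); the two listings embedded below are constructed samples with placeholder key ids.

```shell
#!/bin/sh
# Added example (not from the original article): verify that the master secret
# key is only a stub while the subkeys' secret parts are still usable, by
# parsing the machine-readable listing printed by
#   gpg --with-colons --list-secret-keys <email-address>
# Assumes GnuPG 2.1 or later, where field 15 of a sec/ssb record is "#" when
# the secret key is unavailable (a stub) and "+" when it is present.

# Reads a colon-format listing on stdin. Returns 0 when exactly one master key
# is listed and it is a stub, and every listed subkey has its secret part.
master_is_offline() {
    awk -F: '
        $1 == "sec" { masters++; if ($15 != "#") usable_master++ }
        $1 == "ssb" { subkeys++; if ($15 == "#") missing_sub++ }
        END {
            if (masters == 1 && usable_master == 0 && subkeys > 0 && missing_sub == 0)
                exit 0
            exit 1
        }'
}

# Constructed sample listings with placeholder key ids (not real keys).
# State after "gpg --delete-secret-key" and re-importing the subkeys:
AFTER_DELETION='sec:u:4096:1:0123456789ABCDEF:1400000000::::::scESC:::#:::::::
uid:u::::1400000000::XXXX::Example User <user@example.com>::::::::::0:
ssb:u:4096:1:FEDCBA9876543210:1400000000::::::e:::+:::::::'
# State before the deletion, master secret key still on disk:
BEFORE_DELETION='sec:u:4096:1:0123456789ABCDEF:1400000000::::::scESC:::+:::::::
uid:u::::1400000000::XXXX::Example User <user@example.com>::::::::::0:
ssb:u:4096:1:FEDCBA9876543210:1400000000::::::e:::+:::::::'

check_after()  { printf '%s\n' "$AFTER_DELETION"  | master_is_offline; }
check_before() { printf '%s\n' "$BEFORE_DELETION" | master_is_offline; }

# On a real machine, run the check against the live keyring instead:
#   gpg --with-colons --list-secret-keys <email-address> | master_is_offline
check_after  && echo "sample after deletion: master key is a stub, subkeys usable"
check_before || echo "sample before deletion: master secret key still present"
```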

Security Limitation

PGP itself is secure and robust, but it all depends on how well you can preserve and protect your PGP key pair and master pass phrase.
