This article is intended to be a comprehensive recipe for password management, assuming:
- You are a developer
- You have to manage dozens of passwords, ssh key pairs and possibly some secret documents
- You want strong security on each of them
- You do not want to forget any of them, but you do not want to spend too much time memorizing them either
- You want to access your passwords from both your computers and mobile devices
The proposed solution includes:
- An unbreakable encryption standard (OpenPGP) and its open source implementation (GnuPG)
- An open source password manager built on top of it (pass)
- Memorizing one strong master pass phrase
- A backup plan: do not put all your eggs in one basket
Install Prerequisites
On Linux:
(Ubuntu)
sudo apt-get install gnupg
sudo apt-get install pass
On Android:
On iOS:
Preparing PGP Keys
If you are already a PGP user, skip this step, otherwise, you are going to generate:
- A master keypair (public/private keys)
- A sub keypair for password encryption/decryption
gpg --gen-key
This command will generate a master keypair associated with your true identity (you may later want to use the PGP key pair for encrypted, digitally signed email).
Choose:
- Kind: RSA and RSA
- Bits: 4096
- Expire: key does not expire
- Real name: <real-name>
- Email address: <email-address>
- Comment: <comment>
- Pass phrase: <master-pass-phrase>
To make the process faster, you should increase the system randomness. Run in another terminal:
sudo rngd -f -r /dev/urandom
Note that this feeds the kernel's own /dev/urandom output back into its entropy pool, so it shortens the wait without adding any independent entropy.
When finished, a master key pair and an associated sub key pair will be created. To see a list of your keys, type:
gpg --list-keys
You will see:
pub 4096R/<master-key-id> <date>
uid <real-name> <<email-address>>
sub 4096R/<sub-key-id> <date>
The <sub-key-id> is the name of the key used to encrypt/decrypt your stored passwords.
Optionally, you can strengthen it by changing the cipher, digest and compression preferences of the key:
gpg --edit-key <email-address>
And type:
setpref SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed
save
Initialize a Pass Store
A password store is simply a directory of encrypted files; each file holds a password on its first line and extra information in the rest of the file.
cd <pass-store>
pass init <sub-key-id>
Password Management Tips
Replace Existing Passwords with Strong Ones
Generate a random password (15 characters):
pass generate <account-name> 15
An encrypted file
To add extra information like user name or URL for the service:
pass edit <account-name>
Then you can update the password online accordingly.
Put a password into Clipboard for 45 seconds
pass -c <account-name>
Avoid typing master passwords repeatedly
Add the configuration file $HOME/.gnupg/gpg-agent.conf so that gpg-agent remembers the master password for 3600 seconds:
pinentry-program /usr/bin/pinentry-gtk-2
default-cache-ttl 3600
max-cache-ttl 3600
Store SSH keys
Store the SSH public key as the password (first line) of a pass entry and the private key in the rest of the file; pass encrypts the whole file.
To change a Git remote from HTTPS to SSH:
git remote set-url origin git@<domain-name>:<repo-path>.git
Backup Plan
Prepare for the following extreme case:
- Both your laptop and cell phone containing the pass store and PGP keys are damaged or stolen.
- But you can still remember the master pass phrase.
Use a remote Git repository to back up the password store
cd <pass-store>
pass git init
pass git remote add origin <remote-git-url>
pass git push
Backup PGP keys
Export all the key pairs (including both master and sub keys):
gpg --export-secret-keys --armor <email-address> > <private-key-file>
gpg --export --armor <email-address> > <public-key-file>
Keep the files in a safe, secret place!
To restore the keys from backup:
gpg --import <private-key-file> <public-key-file>
Hide PGP Master Private Key
AFTER the full backup of your PGP keys, you can choose to delete the master private key on the device with the pass store, because only the sub key pair is needed for encryption/decryption. The deletion will not protect your pass store, but it will protect the identity associated with your master key.
gpg --export-secret-subkeys <email-address> > subkeys
gpg --delete-secret-key <email-address>
gpg --import subkeys
shred --remove subkeys
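To confirm that a machine ends up in the state this guide builds (pass store initialized with the encryption subkey, master private key removed after backup), here is an added checker that is not part of the original article or of pass/GnuPG. It parses the machine-readable output of gpg --list-secret-keys --with-colons (an assumption: the guide shows the human-readable listing), using a constructed sample listing; the key ids and user id in the sample are made up.

```python
"""Audit a pass/GnuPG setup: the .gpg-id used by `pass init` must be an
encryption subkey whose secret is present, and the master secret key
should be a stub once the "Hide PGP Master Private Key" step is done."""
import subprocess

# Constructed sample of `gpg --list-secret-keys --with-colons` after the
# master private key was deleted and the subkeys re-imported: the primary
# key (sec) is a stub ('#' in field 15), the encryption subkey (ssb with
# capability 'e') still has its secret material ('+').
SAMPLE_LISTING = """\
sec:u:4096:1:0123456789ABCDEF:1500000000:::u:::scESC:::#:::23::0:
fpr:::::::::00112233445566778899AABBCCDDEEFF0123456789ABCDEF:
uid:u::::1500000000::ABCDEF0123456789ABCDEF0123456789ABCDEF01::Alice Example <alice@example.com>::::::::::0:
ssb:u:4096:1:FEDCBA9876543210:1500000000::::::e:::+:::23:
ssb:u:4096:1:0011223344556677:1500000000::::::s:::+:::23:
"""


def parse_secret_keys(listing):
    """Return [(record, keyid, capabilities, secret_present)] for sec/ssb rows."""
    keys = []
    for line in listing.splitlines():
        f = line.split(":")
        if len(f) < 15 or f[0] not in ("sec", "ssb"):
            continue
        # field 12 = key capabilities (e/s/c/a); field 15 = '#' when only a
        # stub of the secret key exists, '+' when the secret is on this machine
        keys.append((f[0], f[4], f[11], f[14] != "#"))
    return keys


def audit_store(listing, gpg_id):
    """gpg_id is the key id written to <pass-store>/.gpg-id by `pass init`."""
    keys = parse_secret_keys(listing)
    enc = [k for k in keys
           if k[0] == "ssb" and "e" in k[2] and k[1].endswith(gpg_id.upper())]
    return {
        "store_key_is_encryption_subkey": bool(enc),
        "encryption_secret_present": any(k[3] for k in enc),
        "master_secret_removed": all(not k[3] for k in keys if k[0] == "sec"),
    }


def audit_live_keyring(gpg_id):
    """Same audit against the real keyring; needs gpg installed locally."""
    out = subprocess.run(["gpg", "--list-secret-keys", "--with-colons"],
                         capture_output=True, text=True, check=True).stdout
    return audit_store(out, gpg_id)


if __name__ == "__main__":
    print(audit_store(SAMPLE_LISTING, "FEDCBA9876543210"))
```

All three findings should be True on a device prepared as described above; a False "master_secret_removed" means the master private key is still on the machine.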
Security Limitation
PGP itself is secure and robust, but it all depends on how well you can preserve and protect your PGP key pair and master pass phrase.