{"id":450,"date":"2016-12-14T03:04:35","date_gmt":"2016-12-14T03:04:35","guid":{"rendered":"http:\/\/tuxlabs.com\/?p=450"},"modified":"2016-12-14T17:54:54","modified_gmt":"2016-12-14T17:54:54","slug":"security-securely-storing-passwords-using-pass-gpg","status":"publish","type":"post","link":"https:\/\/tuxlabs.com\/?p=450","title":{"rendered":"Storing passwords securely using Pass (GPG)"},"content":{"rendered":"

Today we\u00a0live in an endless sea\u00a0of passwords, which are a very inefficient and ineffective means of securing our data & environments. Many companies are trying to solve this problem using a variety of techniques that all revolve around various forms of multi-factor authentication.<\/p>\n

However, in the mean time were all screwed \ud83d\ude09<\/p><\/blockquote>\n

Just kidding.<\/strong> Quick PSA though, use two factor authentication at a minimum everywhere you can ESPECIALLY your email, since it’s used for password recovery on other sites. Ok then moving on…<\/p>\n

There are many password managers like LastPass and 1Password, which do a fairly effective job at providing convenience and prevent you from scribbling down your passwords on paper (STOP IT !!!). However, I personally can’t get passed the whole ‘store all my passwords in one super secure vault on the Internet’ thing. To be fair some of these password managers can be downloaded on your machine and ran locally, but there are two\u00a0other drawbacks to those I found.<\/p>\n

    \n
  1. Some of them are not free and…<\/li>\n
  2. Some of them have\u00a0ugly and clunky UI’s<\/li>\n<\/ol>\n

    So what do I like\/use then ? I use something called ‘pass’. Which is a command line utility that wraps GPG. The reason I use it is because…<\/p>\n

      \n
    1. I love using command line utilities over GUI, I find it far more convenient and…<\/li>\n
    2. I was going to write this exact utility (a GPG wrapper) until I found out someone else did and…<\/li>\n
    3. Because I like\u00a0GPG.<\/li>\n<\/ol>\n

      At most of the organizations I have worked at, password management was done poorly i.e. everyone\u00a0used different approaches and there was no governance or oversight. I hope with this article to make folks aware of what I feel is a simple, effective method that every unix savvy administrator\u00a0should use.<\/p>\n

      FYI Pass provides migration scripts\u00a0from\u00a0the most\u00a0popular password manager tools\u00a0on their website.<\/p><\/blockquote>\n

      Introducing Pass<\/h2>\n

      From the Pass site “Password management should be simple and follow Unix philosophy<\/a>. With pass<\/code>, each password lives inside of a gpg<\/code><\/a> encrypted file whose filename is the title of the website or resource that requires the password. These encrypted files may be organized into meaningful folder hierarchies, copied from computer to computer, and, in general, manipulated using standard command line file management utilities.”<\/p>\n

      Where Can You Get\u00a0or Learn More About Pass ?\u00a0<\/strong><\/p>\n

      https:\/\/www.passwordstore.org\/<\/a><\/p>\n

      Installing Pass<\/h2>\n

      Depending on your operating system there are various ways to install<\/p>\n

      Ubuntu\/Debian<\/strong><\/p>\n

      sudo apt-get install pass<\/pre>\n
      Fedora \/ RHEL<\/strong><\/p>\n
      sudo yum install pass<\/pre>\n
      Mac<\/strong><\/p>\n
      brew install pass\r\necho \"source \/usr\/local\/etc\/bash_completion.d\/password-store\" >> ~\/.bashrc<\/pre>\n
      Since I already installed pass on my Mac a while back I will be installing it on a Docker container with Ubuntu 16.04.<\/p>\n
      root@0b415380eb80:\/# apt-get install -y pass<\/pre>\n
      After pass successfully installs, try running it<\/p>\n
      root@0b415380eb80:\/# pass\r\nError: password store is empty. Try \"pass init\".\r\nroot@0b415380eb80:\/#<\/pre>\n
      Well that is pretty straight forward, it appears we need to initiliaze the db.<\/p>\n
      root@0b415380eb80:\/# pass init\r\nUsage: pass init [--path=subfolder,-p subfolder] gpg-id...\r\nroot@0b415380eb80:\/#<\/pre>\n
      Looks like we need to provide ‘key’…can that be just anything?<\/p>\n
      root@0b415380eb80:\/# pass init \"tuxlabs Password Key\"\r\nmkdir: created directory '\/root\/.password-store\/'\r\nPassword store initialized for tuxlabs Password Key\r\nroot@0b415380eb80:\/# pass\r\nPassword Store\r\nroot@0b415380eb80:\/#<\/pre>\n
      Now our password store looks initialized ! Let’s try inserting a password into the DB !<\/p>\n
      root@0b415380eb80:\/# pass insert Gmail\/myemail\r\nmkdir: created directory '\/root\/.password-store\/Gmail'\r\nEnter password for Gmail\/myemail:\r\nRetype password for Gmail\/myemail:\r\ngpg: tuxlabs Password Key: skipped: No public key\r\ngpg: [stdin]: encryption failed: No public key\r\nroot@0b415380eb80:\/#<\/pre>\n
      Uh oh what happened ? Well remember I said it uses GPG, and we not only don’t have a gpg key setup in our Docker container, but we initialized our Pass DB without using a GPG Key (the whole point) !<\/p>\n
      root@0b415380eb80:\/# gpg --list-keys\r\nroot@0b415380eb80:\/#<\/pre>\n
      To remedy this we need to create a GPG key<\/p>\n
      Creating your GPG Key<\/h3>\n
      root@0b415380eb80:\/# gpg --gen-key\r\ngpg (GnuPG) 1.4.20; Copyright (C) 2015 Free Software Foundation, Inc.\r\nThis is free software: you are free to change and redistribute it.\r\nThere is NO WARRANTY, to the extent permitted by law.\r\n\r\nPlease select what kind of key you want:\r\n   (1) RSA and RSA (default)\r\n   (2) DSA and Elgamal\r\n   (3) DSA (sign only)\r\n   (4) RSA (sign only)\r\nYour selection? 1\r\nRSA keys may be between 1024 and 4096 bits long.\r\nWhat keysize do you want? (2048) 4096\r\nRequested keysize is 4096 bits\r\nPlease specify how long the key should be valid.\r\n         0 = key does not expire\r\n      <n>  = key expires in n days\r\n      <n>w = key expires in n weeks\r\n      <n>m = key expires in n months\r\n      <n>y = key expires in n years\r\nKey is valid for? (0)\r\nKey does not expire at all\r\nIs this correct? (y\/N) y\r\n\r\nYou need a user ID to identify your key; the software constructs the user ID\r\nfrom the Real Name, Comment and Email Address in this form:\r\n    \"Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>\"\r\n\r\nReal name: Tuxninja\r\nEmail address: tuxninja@tuxlabs.com\r\nComment: TuxLabs\r\nYou selected this USER-ID:\r\n    \"Tuxninja (TuxLabs) <tuxninja@tuxlabs.com>\"\r\n\r\nChange (N)ame, (C)omment, (E)mail or (O)kay\/(Q)uit? O\r\nYou need a Passphrase to protect your secret key.\r\n\r\ngpg: gpg-agent is not available in this session\r\nWe need to generate a lot of random bytes. It is a good idea to perform\r\nsome other action (type on the keyboard, move the mouse, utilize the\r\ndisks) during the prime generation; this gives the random number\r\ngenerator a better chance to gain enough entropy.\r\n............+++++\r\n...................+++++\r\nWe need to generate a lot of random bytes. It is a good idea to perform\r\nsome other action (type on the keyboard, move the mouse, utilize the\r\ndisks) during the prime generation; this gives the random number\r\ngenerator a better chance to gain enough entropy.\r\n...+++++\r\n+++++\r\ngpg: key 5B2F89A5 marked as ultimately trusted\r\npublic and secret key created and signed.\r\n\r\ngpg: checking the trustdb\r\ngpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model\r\ngpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u\r\npub   4096R\/5B2F89A5 2016-12-14\r\n      Key fingerprint = 5FF6 1717 4415 03FF D455  7516 CF8E 1BDC 5B2F 89A5\r\nuid                  Tuxninja (TuxLabs) <tuxninja@tuxlabs.com>\r\nsub   4096R\/EF0F232F 2016-12-14\r\n\r\nroot@0b415380eb80:\/#<\/pre>\n
      To view your GPG key run<\/p>\n
      root@0b415380eb80:\/# gpg --list-keys\r\n\/root\/.gnupg\/pubring.gpg\r\n------------------------\r\npub   4096R\/5B2F89A5 2016-12-14\r\nuid                  Tuxninja (TuxLabs) <tuxninja@tuxlabs.com>\r\nsub   4096R\/EF0F232F 2016-12-14\r\n\r\nroot@0b415380eb80:\/#<\/pre>\n
      Now we can see we have one GPG key, with the ID 5B2F89A5<\/p>\n
      Let’s try re-initializing Pass.\u00a0<\/strong><\/p>\n
      root@0b415380eb80:\/# pass init \"5B2F89A5\"\r\nPassword store initialized for 5B2F89A5\r\nroot@0b415380eb80:\/#<\/pre>\n
      But we have a problem, re-initializing Pass doesn’t get rid of our previous insert into the db. As you can see here our Pass DB is effectively corrupt.<\/p>\n
      root@0b415380eb80:~# pass\r\nPassword Store\r\n`-- Gmail\r\nroot@0b415380eb80:~# pass rm Gmail\r\nAre you sure you would like to delete Gmail? [y\/N] y\r\nrm: cannot remove '\/root\/.password-store\/Gmail': Is a directory\r\nroot@0b415380eb80:~# pass rm Gmail\/myemail\r\nError: Gmail\/myemail is not in the password store.\r\nroot@0b415380eb80:~#<\/pre>\n
      Hmmm, what’s a guy to do….<\/p><\/blockquote>\n
      root@0b415380eb80:~# rm -rf .password-store\/Gmail\/\r\nroot@0b415380eb80:~# pass\r\nPassword Store\r\nroot@0b415380eb80:~#<\/pre>\n
      Yes it really was that simple, and that is one more reason why I love pass.<\/p>\n
      You can also initialize your password store using git for version control, see the passwordstore.org website for more info !<\/p><\/blockquote>\n
      Now let’s insert some good stuff.<\/p>\n
      Inserting A Password into Pass<\/h3>\n
      root@0b415380eb80:~# pass insert Gmail\/myemail\r\nEnter password for Gmail\/myemail:\r\nRetype password for Gmail\/myemail:\r\nroot@0b415380eb80:~# pass\r\nPassword Store\r\n`-- Gmail\r\n    `-- myemail\r\nroot@0b415380eb80:~#<\/pre>\n
      That seems to have worked. Let’s try to retrieve the pass.<\/p>\n
      Retrieving A Password In Pass<\/h3>\n
      root@0b415380eb80:~# pass Gmail\/myemail\r\ngpg: starting migration from earlier GnuPG versions\r\ngpg: porting secret keys from '\/root\/.gnupg\/secring.gpg' to gpg-agent\r\ngpg: migration succeeded\r\ntestpass\r\nroot@0b415380eb80:~# pass Gmail\/myemail\r\ntestpass\r\nroot@0b415380eb80:~#<\/pre>\n
      Note, I retrieve the password twice using my GPG Passsword (You will be prompted through a curses interface to enter your passphrase). Then I run it again, because of the initial GPG migration messages just to show how it would normally work after you’ve used GPG once with Pass.<\/p>\n
      Now let’s say someone is standing over your shoulder, you want to access your passsword, but you don’t want them to see it. You can get it straight to your clipboard by using -c.<\/p>\n
      Copying Passwords To Your Clipboard<\/h3>\n
      pass -c Gmail\/myemail\r\nCopied Gmail\/myemail to clipboard. Will clear in 45 seconds.<\/pre>\n
      Docker\u00a0Issue ?<\/h4>\n
      Notice the prompt is not included in the above example ? That is cause it didn’t actually work. Apparently, it doesn’t work in Docker due to not having display dependencies installed\/configured. So what I show above is the output from my mac…but my actual Docker related error was.<\/p>\n
      root@0b415380eb80:~# pass -c Gmail\/myemail\r\nError: Can't open display: (null)\r\nError: Could not copy data to the clipboard\r\nroot@0b415380eb80:~#<\/pre>\n
      There might be an easy way to fix this (like install X), but I don’t usually use Docker for storing my passwords I just happen to be using it for this tutorial, so moving on !<\/p>\n
      Folders<\/h3>\n
      It’s also important to note that Pass supports folder structures, as shown in my example I am creating a ‘Gmail’ folder and placing a password file called ‘myemail’ with my password in it. In reality I recommend not naming the file after your account\/email and using the multiline version to encrypt those details as well. That way you can just stick to the site name for the name of the encrypted file in whatever folder or in the top level of Pass.<\/p>\n
      Multiline Encrypted Files with Pass<\/h3>\n
      A common use case with Pass is adding an entire encrypted file so you can store more than just a password…<\/p>\n
      root@0b415380eb80:~# pass insert -m tuxlabs\/databases\r\nmkdir: created directory '\/root\/.password-store\/tuxlabs'\r\nEnter contents of tuxlabs\/databases and press Ctrl+D when finished:\r\n\r\nthis is an example of a multiline\r\nencrypted file\r\nthis way you can store more than just a password you can store user\/pass\/url etc\r\nroot@0b415380eb80:~# pass\r\nPassword Store\r\n|-- Gmail\r\n|   `-- myemail\r\n`-- tuxlabs\r\n    `-- databases\r\nroot@0b415380eb80:~#<\/pre>\n
      Again retrieving it is as easy as..<\/p>\n
      root@0b415380eb80:~# pass tuxlabs\/databases\r\nthis is an example of a multiline\r\nencrypted file\r\nthis way you can store more than just a password you can store user\/pass\/url etc\r\nroot@0b415380eb80:~#<\/pre>\n
      Finally if you no longer want the info to be stored in Pass…<\/p>\n
      If you want to copy you password\u00a0to the clipboard from a multiline file, you must store your password on the first line of the file !<\/p><\/blockquote>\n
      Deleting An Entry In Pass<\/h3>\n
      root@0b415380eb80:~# pass rm Gmail\/myemail\r\nAre you sure you would like to delete Gmail\/myemail? [y\/N] y\r\nremoved '\/root\/.password-store\/Gmail\/myemail.gpg'\r\nroot@0b415380eb80:~# pass rm tuxlabs\/databases\r\nAre you sure you would like to delete tuxlabs\/databases? [y\/N] y\r\nremoved '\/root\/.password-store\/tuxlabs\/databases.gpg'\r\nroot@0b415380eb80:~# pass\r\nPassword Store\r\nroot@0b415380eb80:~#<\/pre>\n
      Another thing, the output on my mac is much prettier\u00a0than this `– thing I am getting in the Ubuntu Docker container… Not sure if that’s an Ubuntu issue or Docker, but on the Mac the output is much prettier, which can be seen on the passwordstore.org home page.<\/p>\n
      So that’s it, Pass is pretty straight forward, easy to work with, depends on GPG security and that is why I like it.<\/p>\n
      Stay secure, until next time !<\/p>\n
       <\/p>\n","protected":false},"excerpt":{"rendered":"
      Today we\u00a0live in an endless sea\u00a0of passwords, which are a very inefficient and ineffective means of securing our data & environments. Many companies are trying to solve this problem using a variety of techniques that all revolve around various forms of multi-factor authentication. However, in the mean time were all screwed \ud83d\ude09 Just kidding. Quick […]<\/p>\n<\/a>","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[61,157,78],"tags":[158,161,159,162,160,104],"class_list":{"0":"post-450","1":"post","2":"type-post","3":"status-publish","4":"format-standard","6":"category-encryption","7":"category-perspectives","8":"category-security","9":"tag-docker","10":"tag-gpg","11":"tag-pass","12":"tag-passwords","13":"tag-security","14":"tag-ubuntu","15":"h-entry","16":"hentry"},"_links":{"self":[{"href":"https:\/\/tuxlabs.com\/index.php?rest_route=\/wp\/v2\/posts\/450","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/tuxlabs.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/tuxlabs.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/tuxlabs.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/tuxlabs.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=450"}],"version-history":[{"count":24,"href":"https:\/\/tuxlabs.com\/index.php?rest_route=\/wp\/v2\/posts\/450\/revisions"}],"predecessor-version":[{"id":474,"href":"https:\/\/tuxlabs.com\/index.php?rest_route=\/wp\/v2\/posts\/450\/revisions\/474"}],"wp:attachment":[{"href":"https:\/\/tuxlabs.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=450"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/tuxlabs.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=450"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/tuxlabs.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=450"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}