Re: Password managers

To: debian-user@lists.debian.org
Subject: Re: Password managers
From: <paulf@quillandmouse.com>
Date: Fri, 10 Nov 2023 00:39:08 -0500
Message-id: <[🔎] 20231110003908.5ed8fb0a@yosemite.mars.lan>
Reply-to: paulf@quillandmouse.com
In-reply-to: <[🔎] ZU0a70Z0lR9ltxa_@pobox.com>
References: <[🔎] 20231109110553.10261d32@yosemite.mars.lan> <[🔎] ZU0a70Z0lR9ltxa_@pobox.com>

On Thu, 9 Nov 2023 12:46:23 -0500
Todd Zullinger <tmz@pobox.com> wrote:

> Hi,
> 
> paulf@quillandmouse.com wrote:
> > I have a bash/GPG based password manager I wrote years ago, but I'd
> > like to use something more "accepted/popular". The problem I have
> > with the other password managers I've looked at is that you can
> > store a very limited amount of information for each "account". For
> > example, for one of my logins, I may have to store the answers to
> > three security questions, an account login, email address, the
> > actual password, and maybe the mobile phone number associated with
> > the login. I also object to my password information being stored
> > online by some password manager vendor.
> > 
> > Does anyone know of a password manager which will store a variety of
> > user-defined information for each login, and not store that
> > information on the internet (and which is free as in beer)?
> 
> You may like pass[1].  It's a bash script which uses gpg, so
> it's somewhat familiar to what you've written in a sense.
> 
> It supports random data via the --multiline (-m) option.
> 
> It's locally hosted (though you can use online syncing tools
> if you want).  There are a a good number of alternative
> clients for it as well, to suit various use cases or
> environments.
> 
> [1] https://www.passwordstore.org/
> 

Excellent suggestion!

I can't get it to work properly, because there must be something
fundamentally missing in my understanding of GPG, etc.

To initiate the store, you use the following command:

pass init <gpg-id>

If I feed this my master password for the "gpg-id", the .gpg-id file in
the password store shows my master password in the clear. This can't be
right. None of the docs explain what a "gpg-id" actually is.

I found some docs on Redhat's site where you could generate a gpg file:

gpg --full-generate-key

This asks a bunch of questions, and asks me for my master password. It
generates a file: ~/.gnupg/pubring.kbx, and add a couple of hex strings
in ~/.gnupg/private-keys-v1.d. Seems like I should be using one of
those strings as my private key for gpg-id, but which one?

I'm really not sure what to give the init command for a gpg-id. Any
help would be much appreciated.

Paul

-- 
Paul M. Foster
Personal Blog: http://noferblatz.com
Company Site: http://quillandmouse.com
Software Projects: https://gitlab.com/paulmfoster

Reply to:

Follow-Ups:
- Re: Password managers
  - From: <paulf@quillandmouse.com>

References:
- Password managers
  - From: <paulf@quillandmouse.com>
- Re: Password managers
  - From: Todd Zullinger <tmz@pobox.com>

Prev by Date: Re: limit on attachment in mail to list
Next by Date: Re: limit on attachment in mail to list
Previous by thread: Re: Password managers
Next by thread: Re: Password managers
Index(es):
- Date
- Thread