diff --git a/blogs/2022/8/13/decentralised-password-management.md b/blogs/2022/8/13/decentralised-password-management.md new file mode 100644 index 0000000..163cbdf --- /dev/null +++ b/blogs/2022/8/13/decentralised-password-management.md @@ -0,0 +1,116 @@ +# Decentralised password management + +Password managers are a fact of modern life. +Popular examples include [KeePassXC](https://keepassxc.org/), [1Password](https://1password.com) and the one I've personally used for years, [Bitwarden](https://bitwarden.com). +They have slightly different sets of features, are varying levels of open-source, but all generally work well and provide cross-platform access to a password vault protected by various kinds of authentication. + +Bitwarden works well, but its Linux support leaves a lot to be desired. +The clients available on Arch `bitwarden` and `bitwarden-cli` are slow to start up as they attempt to sync the vault, and are awkward to navigate as a power user. +`bitwarden` is a graphical application with some keyboard shortcuts, but is too complicated for efficient use. +`bitwarden-cli` has performance issues, and requires external scripting to be able to copy things to the clipboard. +Both applications depend on several hundred megabytes of dependencies, which is needless for something which ultimately manages a dictionary of strings and does a little cryptography. + +I've also made substantial use of Bitwarden's browser plugins for Firefox and Brave, but there unsurprisingly exists none for my current browser of choice, [qutebrowser](https://qutebrowser.org/). +I prefer the light and minimal approach to web browsing qutebrowser engenders, so I'd rather find an alternative password management workflow than have my hand forced by what extensions are available. + +Lastly, an issue with all mentioned password managers is their dependence on a particular cloud host. +Though it is easy to export the vault, and therefore not really a point of failure, being dependent on a particular company paying their hosting bills ad infinitum will ultimately be a point of minor frustration. +At some point, Bitwarden will fold and I'd have to change anyway! + +So, I've decided to explore what it would take to avoid a minor frustration far in the future by undertaking a much more complex frustration, immediately, in the name of slightly improved resilience and independence, and a better fit to my needlessly esoteric usage requirements. +Off we go! + +## The standard UNIX password manager + +[`pass`](https://www.passwordstore.org/) is a dead-simple password manager which stores passwords in files named after the thing they are for. +It uses existing technology for authentication (GPG), clipboard access (`xclip`) and copying stored passwords between machines ([Git](https://git-scm.com/)). +It is also very tiny - on my system the total installed size is 50 KiB. + +Passwords can be generated and retrieved with: + +``` +# generate a password for example.com +pass generate example.com/ktyl + +# retrieve the password and copy it to the clipboard +pass -c example.com/ktyl +``` + +## GPG + +Passwords are encrypted with a GPG key, a popular public-key encryption method used to validate updates in package repositories and validate identities of source contributors to those packages. +GPG is also often used to encrypt email and other forms of communication in open-source communities. + +GPG keys are very similar to SSH keys, but notably different in that they force the use of a password, while SSH keys may be passwordless. +They also differ in that GPG keys aren't named, but rather are stored on a keyring. + +I first installed [gnupg](https://gnupg.org/) and created a GPG key using `gpg --full-gen-key`. +I gave it my email address, set it to expire after a year and used otherwise default encrpytion options. +The key has now been added to my public keyring, which I can verify with `gpg --list-keys`. + +## Importing keys + +Since I've been using Bitwarden for years, I have hundreds of passwords saved. +I don't want to have to copy them manually, either all at once or on a case-by-case basis (although that would rid me of all the defunct and unused passwords). +Thankfully, a community extension `pass` to import passwords from other managers is available in the form of [pass-import](https://github.com/roddhjav/pass-import). +With this tool, I was able to import my [exported Bitwarden vault](https://bitwarden.com/help/export-your-data/) with a single command. + +## Inter-device access + +A requirement of a password manager for most people is that it be available, whatever device they're using. +To this end, `pass` uses Git, a near-ubiquitous collaboration and backup tool among software developers. +This has the advantage if diversifying the available hosts for backing up passwords from the one cloud service provided by most password managers to anything which can host a Git repository. +Popular Git hosts today include [GitHub](https://github.com/), [GitLab](https://gitlab.com/), [BitBucket](https://bitbucket.org/) and [SourceHut](https://sr.ht/). +Many also choose to self-host collaboration tools such as [Gitea](https://gitea.io/) or [GitLab Community Edition](https://about.gitlab.com/install/). + +Any of the aforementioned tools allow for the creation and management of Git repositories, but also come associated with substantial project management tooling, none of which is necessary for a password manager. +In my case, I am using the most minimal possible setup, which is a Git server on my VPS - I wrote a blog post on setting this up [here](https://ktyl.dev/blog/2022/5/26/git-server.html). +With my setup, password access is disallowed - access is allowed only through the use of SSH keys. + +I need access to my password manager on Linux, Windows and iOS. +For maximum functionality, I'd also like a way to access it from a web browser, à la [vault.bitwarden.com](https://vault.bitwarden.com/), but that brings in a whole bunch of security challenges, not to mention hosting. +For now I'll content myself with copying a password manually from my phone occasionally, and maybe come up with something slicker in the future. +Better safe than sorry! + +For Windows I intend to use [qtpass](https://qtpass.org/), a cross-platform GUI frontend for `pass`. +I'll not bother documenting it here, because it's the weekend, and Windows is eternally a Monday problem. +A more interesting challenge however, is iOS. + +## Pass for iOS + +[`passforios`](https://github.com/mssun/passforios) is a `pass` client for iOS. +The challenge in setting this up is finding ways to transfer not only the public and private GPG keys to the walled-garden iPhone, but also a private SSH key. +The [quickstart guide](https://github.com/mssun/passforios/wiki#quick-start-guide-for-pass-for-ios) describes a few methods to do this, for which I opted to use the [asc-key-to-qr-code-gif](https://github.com/yishilin14/asc-key-to-qr-code-gif) script. +This avoids sending private keys over any network by converting keys to a QR code, which the iPhone can then scan. + +I ran into some trouble when transferring a private SSH key, in that my Git remote refused the key with an error of `callback returned unsupposrted credentials type`. +[This GitHub issue](https://github.com/mssun/passforios/issues/218#issuecomment-425520272) detailed some specifics about acceptable key formats, and I ultimately ended up generating a working one with: + +``` +ssh-keygen -t rsa -b 2046 -m PEM -f passforios_rsa +``` + +This wasn't the end of my trouble, either. +I found I had to present the URL in a weird way that I've not seen before, specifying the absolute path of the repository on the server, as opposed to relative to the `git` user's home directory. + +``` +# bad +ssh://git@domain.com:pass.git + +# good +ssh://git@domain.com/home/git/pass.git +``` + +After that however, it worked! +I could see the passwords I'd imported earlier from Bitwarden, and was able to add new ones. +Success! + +## Final notes + +Overall, there's a lot more setup involved for `pass` compared to a more orthodox password manager. +For most people, I wouldn't recommend it - convenience is absolutely key for security practices, and this took me the better part of a day to set up, as a technically-inclined person. +On iOS particularly, the app is functional, but I can appreciate it's less convenient than being able to use the built-in biometric security to unlock one's vault. +I think the process is likely much easier with an Android phone. +This is something I'm willing to put up with because of the improved experience on Linux, but is absolutely something to consider for those with other use cases. + +If you have any questions, or if I've got something horribly, terribly wrong, [I'd love to hear from you](mailto:me@ktyl.dev)!