This app was mentioned in 22 comments, with an average of 2.77 upvotes
I push it to a private git repo. I have a $1 a month server I use for git and push to that but you can use anything that you can ssh to.
For multiple devices I just use multiple encryption keys. You can store the key ids in ~/.password-store/.gpg-id, so when you create a new password, it gets encrypted with all the public keys listed in that file.
I even use it on my phone, there's a great app that works in conjunction with OpenKeychain (the first manages the passwords, the second manages the PGP keys).
The app can also pull from git so it's really a painless process.
Password Store is a pass app for Android. Also available on f-droid.
You could look at pass. Granted, it's perhaps not as convenient as having a cloud based password manager, but you can synchronize your passwords using a git repo, and the program is accessible in the terminal. Moreover, there are several browser plugins for browser integration, as well as one Android app.
I just use pass. The database is stored in a git repository that I host on my server. While it doesn't integrate with browsers, there's a simple switch to dump the password into your clipboard (which is securely cleared 30 seconds or so later). There's also an Android application.
There is an Android app for it. You will also need something to handle the gpg side, like OpenKeychain. Both are available on F-Droid as well.
I use these with a yubikey neo, because the idea of storing my private key on my phone kinda terrifies me.
I'm using PasswordStore, which is the Android implementation of pass, the standard unix password manager. Each password is stored in a gpg encrypted file. I'm using pass on my PC, Notebook, Tablet and Android Phone and it's pretty great.
https://play.google.com/store/apps/details?id=com.zeapo.pwdstore Password Store.
For PGP, I use OpenKeyChain, absolutely amazing App, tons of features, very active and friendly Devs.
Following up on where I landed: I was pretty captivated by the idea of password-store (pass) as you may have seen in my earlier comment, and after learning a lot about PGP, I'm pretty happy with the solution. Brain dump from the experience is below for those who may find this later. What I use now by platform:
- Linux: the pass CLI
- Android: the Password Store app https://play.google.com/store/apps/details?id=com.zeapo.pwdstore (in conjunction with OpenKeychain)
- Windows: GPG4Win + the Windows Git client + Win10's built-in SSH client + a lightweight but brilliant .NET app called pass-winmenu https://github.com/Baggykiin/pass-winmenu
- macOS: haven't configured it yet, but probably similar to Linux - the pass homepage links to a "pass.applescript" file that should take care of the non-UNIX bits (think clipboard)
The Android UX for this way exceeded my expectations and seems like it's going to work really well for me.
Importing from pwSafe was super easy with the pass-import extension, although I had to be careful since I had to first export my passwords to an intermediate unencrypted XML format.
I've created a master key with GPG and an encryption subkey, whose private keys I securely store offline. The subkey's private key also lives on the YubiKey, and the subkey's public key is imported to and trusted on each device/OS I use. So now, on each platform, I perform the desired action/command and am prompted to insert the YubiKey then enter the PGP user PIN that I've set up. If the PIN I enter is correct, the password entries are encrypted or decrypted (depending on what I'm trying to do). Boom, my YubiKey is a PGP smartcard.
Reason for using subkeys: if my YubiKey is compromised, I can use the master key (which is not stored there) to create a new subkey, re-encrypt the passwords with it, and revoke the old subkey.
I have not attempted to add the requirement that I touch the YubiKey (I consider the PIN secure enough for me), although that use case is mentioned in the links below.
All devices mentioned above have local repositories of a private Git repo I created on BitBucket. Already the Git feature has proven useful: I accidentally edited the wrong file on the Windows client today, and it was a matter of "git reset --hard" instead of "git push." This is a beautiful, just-thin-enough abstraction for what I want.
Resources I used:
- http://deferred.io/2017/08/03/yubikey4-gpg-ssh-u2f.html - using pass for this exact use case (Linux + Android with a USB-C YubiKey)
- https://blog.eleven-labs.com/en/openpgp-almost-perfect-key-pair-part-1/ - mechanics and best practices of generating the GPG keys
- https://www.palkeo.com/en/blog/perfect-password-manager.html - largely redundant with the other two but filled in some details I found helpful
Issues and limitations:
- While it is possible to use a GPG AUTH subkey for SSH, which would allow the YubiKey to function as a one-stop shop for both en/decrypting the passwords and authenticating to Git, this feature is unfortunately not supported by the Android client: https://github.com/zeapo/Android-Password-Store/issues/71
- As a result, I generated an SSH keypair and store the private key on each device. In theory, if one of my devices were compromised, an attacker could use this SSH key to modify my Git repository, although they couldn't decrypt anything in it. Not ideal, but the damage would be contained--and unlike other solutions, even if the attacker manages to delete the Git history, I'd still have it all on my other devices because Git is peer-to-peer, yo.
- The pass documentation mentions that when you use the CLI, your default text editor (e.g., vim) may create unencrypted temporary/scratch files containing your password when creating/editing. The homepage provides a vim plugin to prevent this. Fortunately, while vim plugins were a Wild West situation for a while, vim 8 introduces official plugin support. Unfortunately, the documentation is hecking smol. Essentially what you need to do to install it is place the file in ~/.vim/pack/plugins/start/redact_pass/plugin/redact_pass.vim and verify vim has recognized it by running ":scriptnames" within vim.
- Oh my goshness QtPass is the worst on Windows! I spent way too much time trying to wrangle with that thing before just Googling whether there were any alternatives that aren't mentioned on pass's homepage. Glad I did--I'm happy with pass-winmenu.
- pass-winmenu is not perfect either, though: when creating a new password entry, it successfully creates and then immediately crashes. (Just need to restart it when it does, so it's inconvenient but not a huge deal.) And although it does make commits to Git along the way, it crashes when trying to push and displays an error when trying to pull. (No biggie, that's what the command line is for.) Retrieving and editing, the core use case, are a really seamless experience.
- While I proved out that the pass CLI works in Windows Subsystem for Linux, I don't think it plays nicely with YubiKeys at the moment. I know Microsoft has gradually incremented USB support in WSL, but I couldn't get "gpg2 --card-status" to return anything intelligible from the WSL terminal, when it works fine with GPG4Win. This is all using the Debian distro.
- Totally self-imposed, but I personally chose to put an expiration date on my GPG keys. Lucky me, I'll get to go through all the key-generation fun again eventually ;)
- Android recognizes the YubiKey as a USB keyboard and by default disables the virtual keyboard. There's a persistent notification that you can use to re-enable it, and Android will remember that preference.
Aaaand that's all folks! :) I'd recommend pass only to people who want to further their understanding of crypto and already have some kind of development background (grok version control et al.), but it's a really slick solution for people already of some technical persuasion.
Android: Yes, on Google Play and F-Droid.
I use the passmenu script (with dmenu/rofi) locally (xdotool for autofill is nice) instead of a browser extension.
I use pass, and back up the store to a private git repo. I like this approach because really the only necessary tool to decrypt them is gpg, pass is just a nice wrapper around it and git.
I also have integration with my browser via browserpass and on my Android
Currently using gopass pushed to git with Password Store on Android
Password Store, if you're comfortable with git and gpg.
You can do this with Android Password Store (F-Droid or Google Play) and OpenKeychain (F-Droid or Google Play). It doesn't support GPG cards, though.
I use pass, with my VPS acting as my remote git repository, on my phone as well. Check out Password Store.
Password Store is something I've just started using. There are clients for different platforms. For Android you need Android Password Store and OpenKeychain.
Switched from keepass to pass 5 months ago. May I provide my experiences:
Migration:
At first I cleaned up the folder structure within keepass.
After that I used https://github.com/roddhjav/pass-import/blob/master/README.md to import the passwords into my pass passwordstore.
Usage:
As stated in different pass manuals, I organized my folders as follows:
category/website.com/emailaddress
So e.g.
social/facebook.com/[email protected]
Or:
apps/Evernote/myCoolUsername
That makes the folder structure really clean and nice to find things.
I initially created the password store as local git repo on my PC. When on Wifi, I'm able to sync this repo with my other Notebook and my phone.
I use https://play.google.com/store/apps/details?id=com.zeapo.pwdstore on my phone.
For the gpg keys I use https://play.google.com/store/apps/details?id=org.sufficientlysecure.keychain
So, on the main PC I need to import all public keys from phone and notebook and re-encrypt my password store for all my three devices (3 different public keys).
See: https://medium.com/@davidpiegza/using-pass-in-a-team-1aa7adf36592
Summary:
Yes, there are a few manual steps, but I'm okay with that. And I don't want to use another password store. :)
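Two comments above touch the same mechanism: the multi-device setup where every key id listed in `.gpg-id` becomes a recipient, and the subkey-rotation plan where a compromised YubiKey key is retired and the affected entries are re-encrypted. The following is an added example, not code from the thread or from pass itself: a small Python re-implementation of pass's recipient lookup rule (the nearest `.gpg-id` walking up from the entry's directory wins, trailing `#` comments are ignored), used to answer "which entries would need re-encryption if this key id is retired?" before touching the real store. The store layout and the key ids (`AAAA1111LAPTOP` etc.) are constructed placeholders; the `.gpg` files contain dummy bytes rather than real ciphertext. Note that pass also honours a `PASSWORD_STORE_KEY` environment override, which this example does not model.

```python
"""Added example: resolve pass recipients from .gpg-id files and find
entries that a retired key id still covers. Constructed sample data only."""
from __future__ import annotations

import tempfile
from pathlib import Path

# Constructed sample store (placeholder key ids, dummy ciphertext bytes).
# work/.gpg-id overrides the root file for everything under work/, which is
# what `pass init -p work <keyid>` would create.
SAMPLE_STORE = {
    ".gpg-id": "AAAA1111LAPTOP\nBBBB2222PHONE\nCCCC3333YUBI  # yubikey subkey\n",
    "social/facebook.com/me.gpg": b"dummy-ciphertext",
    "apps/Evernote/myCoolUsername.gpg": b"dummy-ciphertext",
    "work/.gpg-id": "DDDD4444WORK\n",
    "work/vpn/corp.example.gpg": b"dummy-ciphertext",
}


def build_sample_store(root: Path) -> Path:
    """Materialise SAMPLE_STORE under root/password-store and return that path."""
    store = root / "password-store"
    for rel, content in SAMPLE_STORE.items():
        target = store / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        if isinstance(content, bytes):
            target.write_bytes(content)
        else:
            target.write_text(content)
    return store


def parse_gpg_id(path: Path) -> list[str]:
    """Read key ids from a .gpg-id file, dropping blank lines and # comments."""
    ids = []
    for line in path.read_text().splitlines():
        key_id = line.split("#", 1)[0].strip()
        if key_id:
            ids.append(key_id)
    return ids


def recipients_for(store: Path, entry: str) -> list[str]:
    """Key ids an entry is encrypted to: the closest .gpg-id from the entry's
    own directory upward, falling back to the store root."""
    store = store.resolve()
    directory = (store / entry).parent.resolve()
    while True:
        gpg_id = directory / ".gpg-id"
        if gpg_id.is_file():
            return parse_gpg_id(gpg_id)
        if directory == store:
            raise FileNotFoundError(f"no .gpg-id found for {entry}")
        directory = directory.parent


def list_entries(store: Path) -> list[str]:
    """All entry paths (relative, POSIX style) in the store."""
    return sorted(p.relative_to(store).as_posix() for p in store.rglob("*.gpg"))


def entries_needing_reencryption(store: Path, retired_key: str) -> list[str]:
    """Entries still encrypted to retired_key, i.e. what a rotation must rewrite."""
    return [e for e in list_entries(store) if retired_key in recipients_for(store, e)]


def demo() -> dict:
    """Build the sample store in a temp dir and return the audit results."""
    with tempfile.TemporaryDirectory() as tmp:
        store = build_sample_store(Path(tmp))
        return {
            "facebook": recipients_for(store, "social/facebook.com/me.gpg"),
            "corp": recipients_for(store, "work/vpn/corp.example.gpg"),
            "retire_yubi": entries_needing_reencryption(store, "CCCC3333YUBI"),
            "retire_work": entries_needing_reencryption(store, "DDDD4444WORK"),
        }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

On a real store the rewrite itself is done by pass, not by this script: running `pass init KEY1 KEY2 NEWKEY` at the root (or `pass init -p work NEWKEY` for a subfolder) replaces the corresponding `.gpg-id` and re-encrypts the entries it governs to the new recipient list, after which the old subkey can be revoked. The audit above is only a way to see, before that step, which entries the retired key still covers and whether any subfolder override would be missed by a root-level `pass init`.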
Come to Android. Yubikey 5 NFC works with OpenKeychain + Password Store.
Found it, thanks to /u/hot2
For those that want a link:
https://play.google.com/store/apps/details?id=com.zeapo.pwdstore&hl=en
Takes a bit of set up to get running but I use Password Store.
It's pretty good, it's designed to work with Pass: The standard unix password manager. It has a bunch of other clients including a windows one: Pass4Win.
If anyone is interested in setting it up and has any issues let me know - but yeah it's probably a lot more complicated than a standard password manager (for setup - in normal use I don't think there's much difference).
EDIT: Password store is also on F-Droid.
I swear I can find a bug in anything.
Keeper Password Manager is not Password Store.