Managing passwords can be a daunting task and people usually recycle the same few passwords over all the sites they visit. There are several browser based solutions such as LastPass and 1Password, but there are drawbacks to those solutions that we dont have using the vim+gpg+git solution. Some of the advantages to this system are the ability to share passwords between several locations or even several different users. This system offers a finer grain of control if you are already used to vim, gpg, and git. The combination of these 3 common unix tools offers an effective way to manage your passwords.

I shall break down the process of setting up the system into 3 parts:

  1. configuring gpg
  2. setting up vim to work with gpg
  3. keeping the password file in git

I keep all my essential files in git, such as dotfiles and my encrypted password file. This article is going to focus mainly on the managing passwords, but adding dotfiles into the mix is an easy step forward.

Installing and configuring GPG

Make sure you have gnupg installed. On my macbook pro I use ports, so I would run

% sudo port install -v gnupg

For debian/ubuntu installations this will work for you:

% sudo apt-get install gnupg

NOTE: install gnupg, not gnupg2
Once you have gpg installed, you need to generate your key pair:

% gpg --gen-key

You will be prompted to fill out information to generate your key. Choose the default (1) RSA and RSA type of key. Use use a keylength of 4096 bits. Once you are done, this command will show you the public keys in your keychain:

% gpg --list-keys

Take note of the email address of the recipients that you are going to add to your password list. If this is a shared password list, then make note of all the recipients. For my personal use, I have a key for each place that I use this project, ie. home, work, etc.

Installing and configuring VIM

If you are using a debian based OS, you may simply install vim via apt-get:

% sudo apt-get install vim

OSX

% sudo port install -v vim

NOTE: The gui version of vim needs addition configuration that is not covered here.

Once we have VIM installed and running, we need to get the gnupg.vim plugin:

If you are using debian/ubuntu I believe the plugin is part of the vim-scripts package.

% apt-get install vim-scripts
% mkdir ~/.vim/plugin
% ln -s /usr/share/vim-scripts/plugin/gnupg.vim ~/.vim/plugin/gnupg.vim

Otherwise you can grab the plugin from here:

http://www.vim.org/scripts/script.php?script_id=661

and place the plugin in .vim/plugin folder.

Setting up your git repo

I keep all my git projects in ~/git, but feel free to use ~/src, ~/Projects, or whatever makes you feel comfortable. Since I use git to manage my my home directory, I name the project after my username:

% mkdir -p ~/git/enter2exit/
% cd !$
% git init
% mkdir -p secure/keys

At this point we want to export our public key. This will allow us to add passwords from a different location.

NOTE: You must have the keys of all recipients in your keychain when you edit the file!

% gpg --export -a <keyid> | tee secure/keys/<userid>.key
% git add secure/keys/<userid>.key
secure/keys/<userid>.key

Add other keys to your keyring like this:

% gpg --import secure/keys/<userid>.key

 

The gpg plugin defaults to encrypting the file as binary data. If you prefer the encrypted document to be ascii armor then add this to your vimrc:

 let g:GPGPreferArmor = 1
Now we edit the password file.

 % vim secure/passwd.gpg

If everything is working fine, vim should open the document in a split window. The top window will ask you to input recipients, one per line. You can enter the email address of each recipient, or the key ID. Once you are done, :wq the window. You can always get back here by using the following command:

:GPGEditRecipients

Now start adding your passwords. I use a new password for each site that I register for, and I generate each password using pwgen. pwgen can be installed via ports or apt-get. To generate a 16 character password with characters:

% pwgen -s -y 16
will output a password like this:
55R(BW!}eT{V=iYZ

% pwgen -s 16

jgGEbMK1u7Vp3CKl

Now that we have our password file, let’s check it in.

% git status
% git add secure/password.gpg
% git commit -m "initial password checkin" doc/password.gpg

Having a local git repo is great, but the idea is to sync our files to other computers. Let’s assume that we have an account on remotehost.example.com that we can ssh to and that we are going to keep the same directory structure that we have locally. We are going to treat the remote host as our origin in this example, and always sync to here from our other hosts.

% git remote add origin user@remotehost.example.com:/home/user/git/user
% git push origin master

Now, when we are using our computer at work we can retrieve our password file like this:

% mkdir -p ~/git/<user>
% cd git
% git clone user@remotehost.example.com:/home/user/git/user

And there we have it. A secure and distributed way of managing passwords. Enjoy.
Advertisements