
Wed, 18 Oct 2023

Password management, no cloud, no compromise

If you are not using a password manager at this point, I highly recommend KeePassXC, a Free and Open Source Software (FOSS) password manager [^1]. There is a plethora of password managers available, but here I only cover KeePassXC, specifically setting it up for use on Linux and Android devices. If you are on Windows, I can redirect you to this video, which explains how to set up KeePassXC with Syncthing; it is analogous to this setup for the most part.

[^1]: That is, free as in free, no lock-in / freemium surprises or other deceits.

Setup

In this example we will assume a database file ~/doc/passwd.kdbx, but feel free to pick your own path. I won’t go into the installation, but on most distros the package is available under the name keepassxc. Should any issues arise, I recommend checking the KeePassXC documentation or the Arch wiki page on KeePassXC.

Creating the database

After installing KeePassXC you can create the database ~/doc/passwd.kdbx. When creating the database, make sure to use a strong master password and perhaps a key file. I like to use a ten word diceware passphrase for this (it can be generated from within KeePassXC), e.g.:

recoup squall mustang mutation equal most skincare heroics decree jumble
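To see where the "ten words" comes from, here is an added example (not code from the post or from KeePassXC) that draws words from a list with the OS CSPRNG and computes the resulting entropy. The word list is a constructed 16-word stand-in; the 7776 figure is the size of the EFF large diceware list, and only the list size matters for the entropy estimate.

```python
import math
import secrets

# Constructed stand-in for a real diceware list. The EFF large list has
# 7776 words (6^5, one word per five dice rolls); use a real list for real
# passphrases, this one exists only to make the example self-contained.
TOY_WORDLIST = [
    "recoup", "squall", "mustang", "mutation", "equal", "most", "skincare",
    "heroics", "decree", "jumble", "anchor", "brisk", "canyon", "dusk",
    "ember", "fable",
]
EFF_LARGE_LIST_SIZE = 7776


def entropy_bits(n_words, list_size):
    """Entropy of n_words drawn uniformly, with replacement, from list_size words."""
    return n_words * math.log2(list_size)


def words_needed(target_bits, list_size):
    """Smallest word count whose passphrase entropy reaches target_bits."""
    return math.ceil(target_bits / math.log2(list_size))


def generate_passphrase(n_words, wordlist):
    """Space-separated passphrase of n_words words from wordlist."""
    # secrets.randbelow() uses the OS CSPRNG and has no modulo bias;
    # random.choice() is a deterministic PRNG and must not be used here.
    return " ".join(
        wordlist[secrets.randbelow(len(wordlist))] for _ in range(n_words)
    )


if __name__ == "__main__":
    print(generate_passphrase(10, TOY_WORDLIST))
    print(f"10 words from {EFF_LARGE_LIST_SIZE}: "
          f"{entropy_bits(10, EFF_LARGE_LIST_SIZE):.1f} bits")
    print(f"words needed for 128 bits from {EFF_LARGE_LIST_SIZE}: "
          f"{words_needed(128, EFF_LARGE_LIST_SIZE)}")
    print(f"words needed for 128 bits from the toy list: "
          f"{words_needed(128, len(TOY_WORDLIST))}")
```

Ten words from a 7776-word list give about 129 bits, which is why ten is the usual choice for a 128-bit target; the same ten words from the toy list would give only 40 bits, so the list size is as important as the word count.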

Browser integration

For Firefox, you should install the KeePassXC-Browser add-on (similarly, for Chrome you can find the KeePassXC-Browser extension in the Chrome Web Store).

The KeePassXC documentation does a good job explaining how to link this to your database.

Android setup

Install either of the following apps:

Synchronization

For syncing your database across devices (including Android), you can use Syncthing. E.g. to sync the *.kdbx files (optionally, with corresponding key files) in the ~/doc/ directory, you can add a Syncthing ‘folder’ with the following configuration:

Under General:

  • Folder Label: Password databases
  • Folder ID: password-databases
  • Folder Path: /home/h/doc/

Under Sharing:

Enable the devices you want to share this directory with.

Under Ignore Patterns:

Add the following to only synchronize your database and key files. Syncthing evaluates the patterns top to bottom and the first match decides, so the negated (!) patterns must come before the catch-all *; with the catch-all first, nothing would be synced.

!*.kdbx
!*.kdbx.key
!.stignore
*
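As an added example (not part of the post and not Syncthing's own matcher), the following small evaluator applies the ignore patterns above to a constructed list of file names, and then applies the same patterns with the catch-all moved to the top, to show the first-match-wins rule. It implements only the parts of the pattern syntax used here (negation, root anchoring with a leading /, * and ? not crossing /, ** crossing it, // comments) and ignores directory-level special cases, so treat it as an illustration of the ordering, not as a reference implementation.

```python
import re

# Constructed copy of the .stignore from the post.
STIGNORE_CORRECT = """\
!*.kdbx
!*.kdbx.key
!.stignore
*
"""

# Same patterns with the catch-all first: the wrong order.
STIGNORE_WRONG = """\
*
!*.kdbx
!*.kdbx.key
!.stignore
"""

# Constructed sample of what might live in ~/doc.
SAMPLE_FILES = [
    "passwd.kdbx", "mfa.kdbx", "passwd.kdbx.key",
    "notes.txt", "passwd.kdbx.bak", "photos/cat.jpg",
]


def _glob_to_regex(pattern):
    """Translate a Syncthing-style glob: '*' and '?' stop at '/', '**' does not."""
    out = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out.append(".*")
            i += 2
            continue
        c = pattern[i]
        if c == "*":
            out.append("[^/]*")
        elif c == "?":
            out.append("[^/]")
        else:
            out.append(re.escape(c))
        i += 1
    return re.compile("^" + "".join(out) + "$")


def parse_stignore(text):
    """Return [(negated, regex, anchored)] in file order; blanks and // comments are skipped."""
    patterns = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("//"):
            continue
        negated = line.startswith("!")
        if negated:
            line = line[1:]
        anchored = line.startswith("/")
        if anchored:
            line = line[1:]
        patterns.append((negated, _glob_to_regex(line), anchored))
    return patterns


def is_synced(relpath, patterns):
    """True if relpath is not ignored: the first matching pattern decides, no match means synced."""
    parts = relpath.split("/")
    for negated, rx, anchored in patterns:
        if anchored:
            hit = rx.match(relpath) is not None
        else:
            # Unanchored patterns match at any directory depth.
            hit = any(rx.match("/".join(parts[i:])) for i in range(len(parts)))
        if hit:
            return negated
    return True


def classify(paths, stignore_text):
    """Map each path to True (synced) or False (ignored) under stignore_text."""
    patterns = parse_stignore(stignore_text)
    return {p: is_synced(p, patterns) for p in paths}


if __name__ == "__main__":
    for label, text in (("correct order", STIGNORE_CORRECT),
                        ("catch-all first", STIGNORE_WRONG)):
        print(label)
        for path, synced in classify(SAMPLE_FILES, text).items():
            print(f"  {'sync  ' if synced else 'ignore'} {path}")
```

With the correct order only the three .kdbx and .kdbx.key files are synced; with the catch-all first, every file, including the databases, is ignored because * matches before any negation is reached.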

Scheduled backup

For a daily backup, you can use an rclone script that uploads the database to cloud storage, run from a systemd user service that is triggered by a systemd timer. An example is the following rclone script (e.g. ~/.bin/save-passwddb) and systemd units [^2]. One caveat: the uploaded database is protected only by its master password, so if you use a key file and upload it to the same storage, anyone with access to that storage gets both pieces and the key file no longer adds protection. Either leave the key file out of the backup or keep it somewhere separate.

[^2]: Under the Do What the Fuck You Want To Public License (WTFPL)

#!/bin/sh
# Save (encrypted) password database to cloud storage
#
# Can be run manually or daily by enabling the corresponding systemd user
# timer (the timer starts the service of the same name), i.e.
#
# `systemctl --user enable --now save-passwddb.timer`

set -eu

dbdir="$HOME/doc"
remote="google-drive:"

# Glob-existence check: expand the pattern into the positional parameters;
# if nothing matches, "$1" is the literal pattern and does not exist.
# (cf. https://unix.stackexchange.com/questions/100871/in-a-bash-if-condition-how-to-check-whether-any-files-matching-a-simple-wildcard)
set -- "$dbdir"/*.kdbx
if [ -e "$1" ]; then
  # One rclone run uploads the databases and their key files (if any).
  rclone copy "$dbdir" "$remote" --include '*.kdbx' --include '*.kdbx.key'
else
  echo "No password database found, use the following commands to restore"
  echo ""
  echo "rclone copy $remote \"$dbdir\" --include '*.kdbx'"
  echo "rclone copy $remote \"$dbdir\" --include '*.kdbx.key'"
  exit 1
fi

The systemd service (e.g. ~/.config/systemd/user/save-passwddb.service). Only the timer needs to be enabled; it activates the service with the same name.

[Unit]
Description=Save KeePassXC password database to cloud
Wants=network-online.target
After=network-online.target

[Service]
Type=oneshot
ExecStart=/home/h/.bin/save-passwddb

[Install]
WantedBy=default.target

The systemd timer (e.g. ~/.config/systemd/user/save-passwddb.timer)

[Unit]
Description=Save KeePassXC password database to cloud daily

[Timer]
OnCalendar=daily
RandomizedDelaySec=12h
Persistent=true

[Install]
WantedBy=timers.target

ssh-agent setup

Additionally, you can integrate ssh-agent with KeePassXC as follows (for a more complete overview see the KeePassXC documentation). This is useful for automatically adding your SSH keys to the agent whenever your database is unlocked (and, if you enable it per entry, removing them again when it locks).

In ~/.bash_profile

export SSH_AUTH_SOCK="${XDG_RUNTIME_DIR}/ssh-agent.socket"

In ~/.config/systemd/user/ssh-agent.service

[Unit]
Description=SSH Key agent

[Service]
Type=simple
Environment=SSH_AUTH_SOCK=%t/ssh-agent.socket
ExecStart=/usr/bin/ssh-agent -D -a $SSH_AUTH_SOCK

[Install]
WantedBy=default.target

Then just

systemctl --user daemon-reload
systemctl --user enable ssh-agent
systemctl --user start ssh-agent

GPG Setup

To be continued/completed…

Two-factor authentication

To be continued/completed…

In short: I use a second database `mfa.kdbx` for Multi-Factor Authentication (MFA) tokens.
