This is perhaps my favorite password manager for the terminal
Вставка
- Опубліковано 26 тра 2023
- Password managers are a prime target for exploitation given their high reward. For me, I prefer to use self custody to manage my passwords, which gives me control over my own data. Because of this, I use password-store which a unix based password management solution. Password store is perfect for my use case, and allows me to easily manage my passwords on the cli.
In this video, I give an introduction to password store, and talk about how to get set up and working with it. From inserting and generating passwords, to then having access to them in your browser and developer workflow, all whilst keeping your passwords secure and under your control.
#cli #passwordmanager #unix
Links:
Password Store: www.passwordstore.org/
My Equipment:
Voice over: kit.co/dreamsofcode/voiceover
Coding: kit.co/dreamsofcode/coding
My socials:
Twitter: / dreamsofcode_io
Discord Server: / discord
Please consider supporting me as well!
Patreon: / dreamsofcode - Наука та технологія
Been using this for years, even implemented it at the office, we have several password stores for different trust levels within the business. As well as promote technical staff to manage their own personal password-store.
One thing to note, is that a single password-store can be setup with multiple GPG keys, password-store then uses multi-key encryption which allows any of the included parties to read data (as long as you have one of the private keys loaded in GPG), and write data (as long as you have all the public keys loaded in GPG). Combined with git, you can't ask for a better in-house solution in my opinion.
EDIT: And I've just noticed others have mentioned this, oh well :)
The multi key usage is really awesome, but it does require users to be rather technically proficient.
@@dreamsofcode That is true, but setup and management of keys can also be done by a technical user - and then non-technical users simply need to know the basic commands.
Usually non-technical users forget to `pass git push` or `pass git pull` but after some gentle reminders, most I've dealt with have had no issues in the long run.
Either way, it's great to see password-store getting some love - highly underrated password manager!
I've been using pass for a few years now and I learned lots watching this. Thanks so much!!
This seems like exactly what I wished to have for password manager, but I'm too lazy to migrate from my current password manager
😆 ikr..
if it had a easy syncing solution, i would have started using this....
They have a number of plugins to import from existing managers btw :)
There's some tools to import from existing managers on the password store site :)
what are you currently using btw?
@@pali122 bitwarden
The fact, that this can be used in bash scripts is amazing.
I have a bunch of of scripts, to connect to various databases quickly and I was never compfortable with having the plain credentials directly in them. Thank you so so much. 🙏❤
I agree! It really makes working with credentials feel much more secure.
Glad you enjoyed this video!!
Bitwarden can also be used in bash scripts. They offer a command line interface for all major operation systems.
I also love Bitwarden and especially it's cli client
since years.
how can this be used in a script safely? If I put I assign it to a variable it can be echo'd out. Trying to pass auth token in a curl request but I want to save the auth token to this password manager. Thanks in advance
I have used this for years with smartcard for secret key storage with physical confirmation on the device. This is just an incredibly efficient solution. Thanks for the tutorial!
Same! I use it with Yubikeys which works really nice.
How to use it with yubikey, maybe you can make a video about it?
@Dreams of Code can we please have a demo of how to set this up? I also have a yubikey and would love to implement this
@@macktheripper7454 I can add a video to the backlog!
@Dreams of Code that would be excellent .. I'm currently using a password manager but sadly it's closed source and probably spying on me .. I'd much prefer this and I also prefer the terminal.. Once again .. thank you for showing us this
What a great presentation of a great tool, using pass more than 4 years, love it.
It's the best!
Nice to see such a detailed explanation of a fantastic tool. I have not looked at anything else since I started using pass a few years ago.
I'm the same as you, I moved over to yubikeys for managing my encryption keys and feel very safe and comfortable. The only thing I have to do is rotate my derived keys periodically.
8:25 one thing terminal enthusiasts will never stop doing is mixing up GPG and PGP
🤣 You got me. Gnu Privacy Guard and Pretty Good Privacy are a dyslexics nightmare.
thank you, great content, and the graphics and quality of the video is just too great :)
Thank you! I appreciate that.
I've been using pass for about 3 years now. Wish I had such an amazing video back when I started, would have helped with almost any issue I encountered (the only other one being NixOS specific).
Your other videos seem interesting too, you definetly deserve the bell!
Thank you very much!
Wonderful channel, perfect content 🎉 thank you
So glad I ran into this video. I was about ready to build my own password manager. This looks really promising. None of the others caught my attention.
Bitwarden has a CLI (aside from a desktop app and browser plugins), it's source is fully available and it allows you to run your own server (setup time 1 minute) if you don't trust them, so passwords not only never leave your computer unencrypted, they also never get store anywhere but in your own backend. All of that is available already with the free plan.
@@xcoder1122 Bitwarden is unattractive. Its alternative, vaultwarden, I found unattractive as well.
Thanks for your videos! After trying neovim every couple of years and just bouncing hard, your vim setup + tmux videos finally got me going with something that sticks.
I was considering some terminal-based thing myself. I'm very much a 1Password user, I've found their quick-fill UI is great to just pop up for fetching PWs or other info in an entry without needing my hands to leave the keyboard, so I haven't really needed it yet.
I was extremely happy when I found that 1Password Connect is available even for my personal Family-tier account, so I've been experimenting with that on my homelab, and deploying credentials as code with 1Password's Terraform provider has been like a dream. It sits in its own vault so it only has access to that and not my personal stuff. Never have to bother with the credentials, Terraform and the provider sorts it out for me.
Not trying to shill 1Password, just a very happy user. :-P
I'm glad you're happy with it! I think password store is beyond the needs of most people and you should definitely stay with 1password if it works for you!
To add to that, 1Password can connect as a backend to your terminal based password prompts. I use this all the time
Bravo! Best pass tutorial on the internet.
Great video as usual! ❤
Thank you!
Just subscribed! I never knew about this pass before. Your video is very informative
Awesome! Thank you!
If you are gonna use a password manager, always fork the project and read the code before using it.
FOSS communities are normally audited by the contributors, and they are unlikely to be dangerous. But you wanna be extra sure about the place you are writing all your passwords.
Luckily pass is literally only a 700 line bash script making reading the entire source code really easy. You don't even need to fork the source, but can read /usr/bin/pass. (Or where ever else it might be installed.)
Yep. One thing I like the most about pass is that you can read the source code. This isn't even possible with proprietary password managers.
I understand the sentiment, but when using something like Bitwarden there’s no way someone like me will ever be able to audit the source better than the numerous people already doing it. So I take others’ word for it then.
@@thescroogemcduck Don't verify, Trust xD
i use keepass
Love this, I’ve been using a proprietary pwd manager for some time and I just don’t enjoy it…. But have been too lazy to look into a self managed version like this. Another great vid, thanks for sharing!
I'm glad you enjoyed it!
Another option to think about, is self hosted bitwarden, you can host as a docker image, and it gives you a nice UI, plus the bitwarden extension is pretty good.
Great tips !!! Thank you !!!
Excellent! Thank you
Thank you for watching!
You have all the videos for things i thought,
I might do some day.
just ❤
I'm glad you're enjoying them!
@@dreamsofcode today i setup ur vim config, in process of configuring tmux
truly amazing.
Would work on setting up java, learning basics of vim since im a vim noob.
If u have an ongoing project would love to help😁
Great content! Thanks for sharing.
I'm glad you enjoyed it!
i've been using pass with passmenu for almost 2 years now. such a great tool
I use rofi pass which is almost the same and it's incredible ! No browser extension but still very smooth UX, it is just perfect !
Awesome trick using an alias to override the AWS CLI command.
One trick I use is a 'pass-fzf' wrapper script so I can fuzzy search a password and pipe it to the clipboard to search and copy passwords quickly.
Oh that's a cool trick! I'm going to give that a go!
Super helpful , thank you
This video was just perfect.
Thank you!
Great video. Thanks
Top tutorial. Thank you
Hey, I've seen your terminal and fell in love, have you made a video covering your setup, if not would you be willing to upload the configs?
Aweome! Recently I am learning from your videos a lot. Would be great if you release at a video how to make ArchLinux looks so beautiful. A complete series on managing local environment, dotfiles (with scalability and interoperability in mind) and system setup would be a great help for us.
I watched your videos about Tmux, NvChad as well. Those also were a great help for me. Thanks a lot.
Great suggestion! I shall add the idea to my video backlog
Sorry for my typos.
This is nice, I currently just write my passwords on paper because they can't be hacked but I might switch to something like this
Paper is a good option! But this is probably a little more secure in case of any natural disasters.
very nice!!!
Looks amazing tbh ill have to add it to the list of things ..
for aws cli (and possibly a bunch of others) it's actually possible to make aws ask passwordstore directly, no need to export credentials as environment variables, no need to alias etc.
Unrelated to the video, but do you edit these videos on Arch? If so, what video editor do you use? Love your stuff!
I use Davinci Resolve on Arch. Which is pretty great. The only thing I can't do is After Effects, but a lot of my animations are done with Fusion. Thank you!
KeePassXC + SyncThing = ✊ I started the transition from Bitwarden to my new setup about a couple of months ago: no MEGA, no Dropbox anti-privacy bullshit - my vaults never leave my devices. Data sovereignty. Working wonderfully integrating with all the devices where I might need to access passwords and sensible data in general: my laptop, my battle-station, my pocket-computer-stupidly-referred-as-smartphone, and my tablet.
I may have to take a look at this! I'm a huge fan of data sovereignty and this sounds pretty dope.
how does it sync with your phone? :)
@@somerandomchannel382search for syncthing in f-droid
@@somerandomchannel382 Sorry I just saw your question. Correct, on Android you can use an app that work seamlessly. On iOS is a little bit trickier, the best choice being the paid version of Möbius (about four American dollars last time I checked). A third option and the one I use on my iOS tablet is KeePassium, which allows me to connect to a KeePassXC server I host on my home lab within my home network using WebCAL.
well it good idea in case of mistake and backup system. Which is good thing.
I love this
Please consider cover some practical situations like syncing different git local repositories stored in different machines, so they may evolve adding or deleting keys, but they may need to be "synced".
Great video
Thank you!
I kinda like bitwarden. They had cli too and if you're a bit paranoid you can always self-host them
Bitwarden is a great option!
Great video. Thank you so much.
A couple of questions. 1) how do you copy the username/email/other metadata to the clipboard without exposing the password? 2) how can this be used on mobile devices?
Thank you! To answer your qs:
1. There's an extension called pass-extension-tail that does what you're looking for easily. It's on the password store website under extensions.
2. There are mobile apps for both iOS and Android. I use it easily on my iPad and my Android phone. It does take a little bit to set it up, but works perfectly once that's done.
@@dreamsofcode I've been playing around with this all afternoon and I have to say, this is it! I've been using KeePassXC but always longed for a CLI solution and this is perfect. I have no idea how this has escaped my radar, but thank you for presenting it.
@@MalachiMarvin keepassxc has a cli that can be easily used to put passwords in the clipboard or export them as environment variables
Yes finally someone stated gnu-pass. Been using it for 6 years never had an issue with it. Synchronised passwords across multi devices just using a git account. No need to worry since key doesn't belong in the application itself.
Clear and concise. Noice video!
When you went over to macOS the rounded icons in statusline for tmux didn't look funky, whereas with any terminal emulator I tried, they look... weird. Back when I still used p10k, those looked kind of horrible as well. Did you find a way to fix it, or is that just another less popular terminal emulator?
Thank you!
I use Alacritty on macOS and use a nerd font. The font I use is JetBrainsMono Nerd font. That should give you the same experience as myself
1:18 Dropping a like after use hearing that you use Arch. By the way it is mainly because I also use Arch.
oh this nice option, thanks
Thank you!
This is great, but doesn't seem very convenient compared to having a browser add-on that will automatically list matching sites based on the domain (thus preventing phishing), show you a prompt to add/update the password in your vault, automatically sync all changes, and is available on mobile.
Pass has a browser add on, he mentions it in the video itself.
@@botondhetyey159now we just need a mobile app
My current workflow is KeepassXC with a script that use it's cli command tool.
So we store entire log of all edits in GitHub, each password encrypted individually, so any reuse is obvious without the key. And unencrypted passwords are in terminal memory until we close the terminal. Does it at least support yubikey?
there's also a an integration with dmenu `pass-menu` which is great , and one with fzf too!
Some of the integrations are awesome! I probably should do a video on my favorite ones.
Thank you "-)
You're very welcome!
This is cool and all, but how do you manage when you want to login to smt on mobile?
does anybody know if password-store is usable with windows? i'm not the most tech proficient person, but this video did get me to use password-store as my main password manager whilst using ubuntu, and now i would like to use it with windows, but i don't see a rather simple way to install it. am i missing something or do i simply have to find another option?
Hey, do you have a video about your Linux terminal setup?
I don't have anything specific! But it's just Alacritty with the Catpuccin theme. My tmux video is probably better for getting close to my setup!
I absolutely love this!!
One thing I'm missing, I usually like bitwarden because I can also use it from my phone if I need to copy, for example, my paypal or bank account password so I can log in from my phone
Does anyone know if someone already created some sort of mobile client so we can use basic features like copying or editing a password from the phone??
oh nevermind, I asked before watching the video until the end... Thank you so much for this content!!
can it also encrypt and keep other file formats for example I want to store my ID card image, or bank statement pdf
so that I can keep it uploaded on github and at the same time they are encrypted
anyway how you can change the default text editor on pass, the default is use vi, i want to use neovim
Do you have a video or guide on how to set up your terminal colors and especially the vim/tmux setup?
I have two videos! One for my Tmux config and the other for my Neovim config! Otherwise I'm using the Alacritty terminal with Catppuccin theme!
Small correction: Bitwarden can't be hacked. Like literally. They don't store any actual passwords. All the passwords are encrypted by your degice and the entire blob is sent to the server to sync. You can verify this, because the protocol is open source.
I use Bitwarden and like it, but there are some issues around how easy it is to delete your vault. Make sure you have some backups.
how did you get rounded corner in your vim/neovim pop-up for auto completion at 5:23 ?
I use NVChad as my base configuration which uses cmp as the auto completion. I have a video on NVChad which can help you in setting it up!
think this is the only video I intentionally "watched" post-roll ads for...
My notebook is the best password manager, it has never been compromised, I can always get back in and the transfer from once device to another is easy as well.
I hope this is satire lol. So many risk vectors.
Do you have an off-site backup at least?
@@dreamsofcode notebook as in paper and its at home lol
@@rrraewr I know 😭😭😭. I'm just worried for your logins if anything happens.
5:11 Important security note! Disable the editor's backup system if it has one. For example, use `export EDITOR=rnano` instead of `export EDITOR=nano`.
Just noticed this mistake recently -- all my edited password files in plain text!
Very good note! You should be able to add an exclusion as well for you tmp directory
Yubikey sounds like an obvious thing to improve the experience with gpg keys here
I use this setup. It's great
Agreed, I use Yubikeys as well with mine! I didn't want to add more complexity to the video but I have one coming about setting up yubikey.
@@dreamsofcode super nice. Thanks
Vulnerable password manager
what i'm having trouble understanding is how is this different from using a combination of gnupg + git ? Both password store and gnupg will create encrypted files where you can store passwords. and then you can use git to keep history and upload encrypted files
This is basically that, except it's a more standardized format
Just wondering, where do you store your private key? I mean, do you use some service?
I manage my own using yubikeys. I also have an offline backup stored securely so if I lost all my keys, I could still recover.
What's a recommended process for also keeping user names? User name in xclip primary (middle mouse button) and password in xclip clipboard would be nice. Is there anything like that in Pass.
Because it's gpg you could probably build out an extension that takes the second line and adds it to your other clipboard. I don't think pass supports this out of the box though unfortunately.
The browser extensions work similar to this, however!
How do you make the terminal prompt like that?
Been using pass for years (with the "passmenu" dmenu script on a keyboard shortcut) and love it.
A side note for teams, or cases where you might want to share your passwords, it is possible to encrypt passwords with multiple keys!
pass init shared/BlueTeam/
Now both key1 and key2 can decrypt the passwords stored in the BlueTeam subdirectory (and all subdirectories of BlueTeam so be aware).
As pass was used at work the root of my password directory was split into two (~/.password-store/personal and /shared).
Setting the personal directory to be ignored via the git ignore file. Backed that up using rsync to a separate solution, and this way my passwords didn't make the shared dir more chaotic for others. Though if you use QtPass (which works on Linux, Mac and Windows) you can define multiple password stores with separate git repositories so you don't have to be quite as terminal-goblin-y to get the same effect.
One last thing: if you use Thunderbird with PGP, you may want to get a separate password PGP key. Otherwise your passwords can be decrypted using a left-open Thunderbird client (I know, physical access etc so only if this fits in your threat model). Actually used this to re-encrypt some passwords one time.
This is some great advice, you can also get people to encrypt passwords for you using your public key and submitting a PR to your password store repo!
I do think pass is maybe too high of a technical barrier for enterprise or business, which is a shame. But it's certainly possible to do so.
Honestly, a product built off of pass would be incredibly useful I think.
@@dreamsofcode There's QtPass for people who need a GUI, I haven't used it so I'm not sure how simple it is. Great video!
@@MrA26749 Yeah, qtpass is pretty great! Could do with a little modernizing, but it works!
there is also gopass, which is cross platform, and, as the name suggests uses go instead of a bash script
Gopass is awesome!
I'm trying to set up this with github, but I don't know how to authenticate to it. Can someone explain how to do that for pass?
Dude! Bravo on a great video! Obviously you put a lot of effort into your videos. Every aspect of this video (script, video, audio, post production and voice-over) is top notch! Looking forward to exploring your channel further. Oh, and you answered my questions on how to integrate git with pass and provided some great examples to take my own skills even further than I was thinking I needed to go. Subscribe... check!
at @8:49 , are you sure the gpg flag for exporting secret key is "--export-secret-key" and not "--export-secret-keys" ? because i'm getting --export-secret-keyS on autocompletion.. man pages for gpg also show there is a keyS option, plural. my shell: bash. OS: ubuntu 23.04 x86_64
Thanks for video, have question - Is there any way to safely store a backup of the GPG private key in public repositories such as google-disk, or GitHub etc?
You mean the public key right? I dont think you want to leak your private key
Could be do passkey on local system
Like using raspberry pi
I've created my own, locally
Nothing fancy but my passwords are safe
You are a braver person than I.
@@dreamsofcode now I'm worried 😂, but hey it's a nice way to learn cryptography and security
I always tend to forget the gpg commands. So I switched to keepassxc.
How are you getting master password prompt in terminal? Is it a kind of polkit agent? How did you set it up?
I believe it's the default pinentry program that's installed with password store. pinentry-curses. You can also adjust it to a different peogram if you like as well
what DE or TWM do you use?
Keybase for the gpg key store?
Is there a similar alternative for Windows?
How did you get a mac like topbar of the terminal app?
On gn*me or KDE or GTK QT you have themes that give you that, on a tiling wm you usually don't want that but you can still use something like lxapparance for apps that force a bar on you
You can host bitwarden on ur own server btw
Hey, i love ur vim config, do you have an accessible version ?
I do! I also have a video on it. If you look on my GitHub, you should find an accessible version.
I personally use gopass which is compatible api
Nice!
How secure is it to upload to remote github?
If that account get hacked, aren’t all my passwords available for grabs…?
The passwords are encrypted using gpg so they'd need you private key as well
Is it recommended to use `pass rm` over the vanilla `rm`? Same for `pass git push ..`, why not just use vanilla git commands?
Great video ❤
Then you'd have to first cd into the pass directory? With the pass command it'll automatically apply those git commands in the pass directory without the need to change it.
You'll want to use the pass prefix as it'll perform any decryption that it needs to. It is a filesystem at the end of the day so you could use normal git commands if you like.
Do you store recovery codes there too?
You can do! You can store pretty much anything you'd like. Recovery codes are pretty decent to do so
at 1:56 is that a floating terminal, and how can I replicate that? I'm asking cause when I get prompted to write my passphrase I get an ugly window.
What operating system are you on? There's a couple of UI options for password entry
I'm on arch linux with qtile as a window manager
for some reason tmux wont allow me to copy/paste a password into cli
Do you have xclip installed if you're on X11?
What about if you need to login on another computer which does not have the encrypted keys setup?
I usually keep a copy on my store on my phone as well so if I need a password I can pull it from there and type it in (tedious).
I also have my gpg key on a yubikey which I can plug into other another computer easily to decrypt it. So you could clone the repo and use the key.
Otherwise you can keep the key in a remote drive that's accessible, although yubikey is much more secure.
@@dreamsofcode so then all your keys are accessible to all who have access to that other computer? Even if you deleted the key and the repo, we can assume the other computer made a copy already.
@@abuk95 With the Yubikey, no. and as long as you're using a password for the GPG key, then also no. Although I wouldn't want to put my private key on other machines, personally. Probably better to just copy from your phone.
good video, but i pretty dumb to really understand git and gpg2 pair keys, also i need otp and some kinde of secure and auto sync between my main PC and android (and well if i lose both my pc and android i still want to have access to all my pass and otp using a new 0km device using only 2 or 3 pass i remember very well...
Actually i use bitwarden and Aegis for OTP but i want to change the otp for another more secure and portable, i can use bitwarden as a pass manager and otp but i refuse to do that, put all egg in the same basket means to loose all egg in a unfortunate accident
How'd you make it so that your macbook's host is named `amaterasu` and not its local IP address?
That is my Linux box, which I have set it's hostname in the /etc/hostname file.
MacBooks automatically set their hostname to be Name-MacBook-Pro usually. You can change the local hostname of a MacBook pro as well though in your system preferences.
@@dreamsofcode Gotcha, I somehow missed it but you were on your macbook when you did the scp command. Thanks!
Is this available for Windows?
Let's be honest, that's nowhere near as convenient as a real password manager. I get it we all love our CLI and stuff but what about autofill, automatic saving of newly created accounts/passwords, auto synching, autofill on mobile, combining web and app passwords etc etc. I guess for a backup of my most important keys it would be useful but than again I could just use gpg and git. Bitwarden can be self-hosted, is OSS and provides actual password manager features, and even has a CLI for those who want it. I guess this is a fun little tool to play around with but yeah I wouldn't call a gpg frontend a password manager.
Just to be sure, apart from the git remote you may or may not setup, there are no servers involved? Can I go offline and still use this?
Correct. You can go completely offline. I have my main password store backed up on to my NAS, so it's only in my local network. (Except my encrypted backups)
@@dreamsofcode this is a gem!! Thank you for sharing!
Also, what is an NAS and can I set it up for free?
@@norielgames4765 a NAS is a network attached storage. If you have an old computer or a raspberry pi with some external Hard drives you can easily set this up!
@@dreamsofcode thanks!! 😁
Could someone please explain the dis-advantage of storing the AES256 encrypted private key in the same Github repository?
It is a key, if you store your front door keys under a rug beside a door, please stop. =)
It's just another point of defense, if attacker somehow will get access to your hard drive files, he won't be able to read your passwords without a key.
My understanding is that storing the AES256 encrypted key in Github isn't like storing a door key under a rug since it still requires a password to decrypt.
At that point you're reducing the number of steps required to have your passwords compromised. If you trust your password and AES256 then it's probably fine. But having the key elsewhere just gives another step of protection.
I use yubikeys personally so I'm able to not able expose the private key at all, even to my machine.
Thanks for the explanation that makes a lot of sense. Awesome video btw!
Keepassxc is great choice
Sadly my android version is too new for the Android app... Let's see how much I do or don't need an Android version...