
storing passwords with age
2021-04-20

    MY QUEST FOR A PASSWORD STORE THAT WORKS FOR ME
    ===============================================

i have tried many times to use a tool that encrypts my
passwords, and nearly every time i give in to convenience.

there are somewhere between ten and fifty passwords that i keep
memorized and can conjure at a moment's notice, and it's very convenient
to do so.

i have, in my 8+ year computing career, tried using
the following tools exclusively to secure my passwords:

- keepass / keepassx / browser extensions -

it became WAY too clunky to lug the keepass database around. sometimes
it would hit file conflicts, and it's a huge binary file so it's not simple
to store in version control.

- pass -

well, i had to learn PGP to use pass. the lack of iOS/desktop browser integration
was also problematic for me, as i spend an inordinate amount of time entering
passwords in web browsers.

- macos's keystore -

it's proprietary and only supports Apple devices. not sure why i even tried this.

- bitwarden -

this one i went all-in on. unfortunately, it suffers from the same problem keepass
does - i must enter one huge kludgy password every time i want to get to any
of my other passwords. this, to me, sucks balls.

- raw PGP -

ah, my ignorant days of "minimalism". i went the whole 9 yards - bought a smartcard
reader and generated my PGP key on it. used it for SSH. all that. i don't recommend
this unless you want to straight up lose 1/5 of your available free time.

- pash -

ah, pass, my favorite option so far, but simpler!

- pass again -

ah, pash wasn't compatible with lots of stuff. hello again old friend.



AND YET
=======

pass serves me fine, but PGP is very concerning. not only because i'm
a floundering moron who didn't make a key backup, therefore making my
only smartcard a ticking time bomb, but because even if i had, i could
never in a million years move that key to my phone. because phones aren't
really made to support PGP. this is a big deal, for me.

also, PGP is very slow.

also, in case i haven't made this clear, PGP's UX is so bad that i recommend
people against using it at all. so, then, why do i use it? that's the question
i'm writing this post to answer.


                       (
      __________       )\
     /         /\______{,}
     \_________\/


undoing my time bomb, with intent
=================================

so, let's define my unique tooling requirements.

getting passwords:
- i refuse to wait more than a few seconds for most common day-to-day operations.
- i refuse to type a huge long error-prone password 
- therefore, the secret should be a *key* that i lug around, that can easily be rotated
- i want passwords to be loaded into my clipboard, pasted wherever my focus is, and then
  my clipboard should clear instantly so i don't wind up pasting the password somewhere else
- the hotkey should be control+shift+p, and should react instantly (within 100ms) when pressed.
- i should type to filter passwords from a list, then press enter to select the one i like
- the hotkey should *not* press <return> for me.

philosophy:

i will use an unencrypted-at-rest key for convenience.
- my hard drive is encrypted, so nobody can just pull the drive and scrape the key
- if a malicious actor accesses my key, i'm screwed anyway, because:
  - most short pass phrases can be bruteforced
    - i would not make it long because typing long passphrases all the time sucks
  - they have access to my system and can just keylog me

my password files shall be kept in a private git repo
- the private part is "yet another layer" of obscurity - i don't want my encrypted file
  history to be totally public becaaaauuuusssseeee if one of my keys gets exploited, welp,
  they can pull out the previously encrypted files and go to town.
- this is up to user discretion obvs, you could put your passes in a public repo, that's fine

entering new passwords, changing existing passwords, or deleting passwords:
- this should be accomplished via a simple CLI tool that has the following requirements:
  - the tool shall be called "pa" - longform: "password ass"
  - `pa add <name-of-password>` shall make a new password, and randomly generate it
    - if the name is already taken, exit 1
    - automatically git commits & pushes on exit 0
  - `pa show <password>` decrypts the password file and prints it to stdout
  - `pa del <password>` deletes a password (no warning)
  - `pa list` lists all passwords
  - `pa edit <password>` opens password file in $EDITOR

i use linux at home, and macos at work, but i want
the same tooling to work on both of them. this means
simple posix sh.
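the requirements above, boiled down into a minimal age-backed store in posix sh (this is an added example, not the real pa script): add refuses duplicates with exit 1, show decrypts to stdout, and a clipboard helper overwrites the clipboard again after a few seconds. it assumes `age` is on PATH and that PA_KEY points at an identity file made by `age-keygen -o`; the PA_DIR, PA_KEY, PA_LEN variables and the `pa_*` function names are my own.

```shell
#!/bin/sh
# Minimal age-backed password store in POSIX sh, modelled on the "pa"
# requirements above (added example, not the real pa script).
# Assumes `age` is on PATH and PA_KEY is an identity file made by
# `age-keygen -o "$PA_KEY"` (its "# public key:" comment is our recipient).
PA_DIR="${PA_DIR:-$HOME/.pa}"
PA_KEY="${PA_KEY:-$HOME/.age/key.txt}"
PA_LEN="${PA_LEN:-50}"

pa_pubkey() { sed -n 's/^# public key: //p' "$PA_KEY"; }

# reject names that could escape the store dir or create hidden files
pa_check_name() {
    case "$1" in
        ''|*/*|.*) return 1 ;;
    esac
}

# random password from the kernel CSPRNG; dd bs=1 is POSIX (head -c is not)
pa_gen() {
    LC_ALL=C tr -dc 'A-Za-z0-9_-' </dev/urandom | dd bs=1 count="$PA_LEN" 2>/dev/null
}

# pa add <name>: exit 1 if the name is taken, else generate and encrypt to our own key
pa_add() {
    pa_check_name "$1" || { echo "bad name '$1'" >&2; return 1; }
    [ -e "$PA_DIR/$1.age" ] && { echo "'$1' already exists" >&2; return 1; }
    mkdir -p "$PA_DIR"
    pa_gen | age -r "$(pa_pubkey)" -o "$PA_DIR/$1.age"
}

# pa show <name>: decrypt with the private key; plaintext only ever goes to stdout
pa_show() { pa_check_name "$1" && age -d -i "$PA_KEY" "$PA_DIR/$1.age"; }

pa_list() { ls "$PA_DIR" 2>/dev/null | sed -n 's/\.age$//p'; }

pa_del() { pa_check_name "$1" && rm -f "$PA_DIR/$1.age"; }

# copy a password to the clipboard, then overwrite it after $2 seconds (default 15)
# so a stale password cannot be pasted somewhere else; pbcopy on macos, xclip on linux
pa_clip() {
    secs="${2:-15}"
    if command -v pbcopy >/dev/null 2>&1; then copy=pbcopy
    else copy="xclip -selection clipboard"; fi
    pa_show "$1" | tr -d '\n' | $copy
    ( sleep "$secs"; printf '' | $copy ) &
}
```

source the file and run `pa_add garbage; pa_clip garbage 10` to get a fresh password onto the clipboard for ten seconds; the git commit-and-push step from the spec is left out here.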

so, i made pa: https://giit.cyberia.club/~j3s/pa

the code is based off of dylan araps's wonderful pash, which i used
for a while.

here's an example of pa usage in action:

$ pa list
/home/j3s/.age/key.txt not detected, generate a new one? [y/n]: y
Public key: age1sj9qx968gk40juqxeng0g8vjw6u5rc0vtvqw8dgkjt3usarmnqqsn6u89y

$ cat .age/key.txt
# created: 2021-01-25T13:49:23-06:00
# public key: age1sj9qx968gk40juqxeng0g8vjw6u5rc0vtvqw8dgkjt3usarmnqqsn6u89y
AGE-SECRET-KEY-1XYEUPJ9RUPPDA6DR9RPEQ0HHKLAAAAZYRYHTPE86HSYM8XZ8FEPQD46K8W

$ pa list

$ pa add garbage
Generate a password? [y/n]: y
Saved 'garbage' to the store.

$ pa list
garbage

$ pa show garbage
f3dYJ3Aq8jZ6Xx0fF2JcAXZpb_2G58pwvZ9Yk8bQ_4q_zL0r8e

$ pa del garbage
Delete pass file 'garbage'? [y/n]: y

$ pa add garbage
Generate a password? [y/n]: n
Enter password:
Enter password (again):
Saved 'garbage' to the store.

$ pa edit garbage


what i love about this is that it can automatically generate your
age keys, and they work the same way as ssh keys - which lowers
the barrier to entry and understanding.
no need to fuss around with keychains, trust levels, daemons, etc.

welp, enjoi! That's all for now, next I'll be demonstrating how to
tie pa into regular workflows - including dmenu for linux integrations.


j3s