
cloudless password vault


I combine Resilio Sync with OpenKeychain, YubiKey NEO, pass, and Password Store for Android to roll my own cloudless password vault, synced among my computer and mobile phone devices, and secured with GPG/PGP on a physical second factor.  Here're the steps that I follow.

  1. Purchase a YubiKey NEO (currently $50) NFC security device[1].
  2. Install Resilio Sync on all my relevant devices (a couple computers plus my Android phone).
  3. Install OpenKeychain GPG/PGP app on my Android phone.
  4. Install Password Store on my Android phone.
  5. Install pass on my Linux computers (there are compatible clients for every platform).
  6. Install PCSC-Lite on my Linux computers[2].
  7. Use OpenKeychain to generate a new GPG/PGP key (identified by my email address) stored on the YubiKey NEO[3], over its NFC interface.
  8. Plug the YubiKey NEO into an available USB port on one of my Linux computers.
  9. From the command-line run "gpg --card-status" to create on the computer stubs for the key(s) on the YubiKey[4].
  10. From the command-line run "pass init <email address of key>" to create the password database in $HOME/.password-store, encrypted with the key identified by <email address>.
  11. On the computer, use Resilio Sync to share the $HOME/.password-store directory to my Android phone, using an optically-scanned QR code.
  12. After a few minutes and Resilio Sync has copied that directory and its contents to my phone, in the settings for Password Store on my phone I change its database directory to the synced one.

If you're wondering what this all means, you can be forgiven.  Here's what's happening.  pass is a command-line password manager that establishes basic functionality and a database scheme, which is just a glorified directory tree under $HOME/.password-store, where passwords are in GPG/PGP encrypted files.  Password Store is just an Android clone, and as I said there're others for all the platforms (Windows, iOS, Mac, etc.).  If you're just using pass on one computer, you can generate/store the GPG/PGP key right there (though, already that raises security concerns).  But, if you're sharing your database among multiple computers and devices, it's best to keep the key on a physical factor, which is where the YubiKey NEO comes in.  Yubico sells many similar devices, but you want the NEO for its NFC interface.  OpenKeychain is needed, at least on Android, to manage the GPG/PGP keys and the NFC radio, since Password Store doesn't perform these functions natively and just delegates them to OpenKeychain.  With these pieces, you have a functioning password vault across your devices, so long as you can establish a synchronization mechanism.

This is where Resilio Sync comes in.

It is possible to sync the password database (again, $HOME/.password-store) over a git repository.  The trouble is, committing changes and pushing to and pulling from a repository creates tedious friction.  Moreover, now your passwords are probably stored in a "cloud" somewhere (e.g., GitHub).  Of course, being encrypted with GPG/PGP they should be secure, but still you may sleep better at night if they're not in any cloud anywhere.  By adding Resilio Sync to the mix, you get nice, seamless, silky-smooth synchronization among the various copies of your password vault.  

Now, this is not for the faint of heart.  The list of steps above appears long, and I even left out quite a few details.  You have to be the kind of person who enjoys futzing with technology like this (not everyone does, and that's OK).  You might also wonder, "Why bother?"  What's the value over, say, 1password or LastPass?  Well, to some degree that's a matter of judgment.  Nonetheless, I see these advantages.

  1. No cloud storage needed, like 1Password does for syncing, and LastPass does intrinsically.
  2. (Possibly) not a broad target vector, like LastPass might be.
  3. Secured with physical GPG/PGP security key.  I know of no way to achieve this with any other common password manager.
  4. "Free as in beer."  Well, you have to pay for the YubiKey NEO, for OpenKeychain, and of course for Resilio, but that's it.  No recurring charges.
  5. Dead simple.  Despite the apparent complexity, all the pieces are general-purpose and can be understood individually.  Everything's transparent, and the password database could hardly be simpler.

YRMV, of course, but I've been using this setup for about a year and despite a few hiccups (I admit, there's a learning curve) overall I've been very pleased.




1. As I said, you want the YubiKey NEO because it's the only one that's an NFC device.  You need that if you want to use it with a phone.  ALSO!  I'm not an Apple user, but AFAIK Apple doesn't put NFC radios in their phones, and Yubico doesn't (yet) have a Bluetooth device, so this might not exactly be an option on iPhone at this time.  Sorry!

2. PCSC-Lite is needed for your computer (Linux) to talk to SmartCards, which is what the YubiKey NEO presents itself as.

3. There's a whole series of steps for creating the key on phone and storing it on the NEO, which I left out.  Moreover, it's also possible to create the key on the computer and then move it to the YubiKey NEO.  I may do that one day, but that was more complicated than I had the stomach for.

4. The gpg --card-status command is but one of several commands within the GPG suite for working with SmartCard-based keys.  Again, I'm eliding quite a few technical details here, and things can get as complicated as you want them to.  Also, I think this was the only actual step needed, but I'm working from memory.  It'll take some fiddling, I'm not gonna lie.
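One practical check that follows from the setup above, written as an added example (it is not code from the original post, nor from pass, Resilio Sync, OpenKeychain or Yubico): because Resilio Sync copies the whole $HOME/.password-store directory to every device, anything in that tree that is not a GPG-encrypted entry (a stray note, an editor backup, a half-written file) travels to the phone in the clear. The script below walks a pass-style store, confirms the .gpg-id recipient file is present, lists the entries, and flags two failure modes: files without the .gpg extension, and .gpg files whose first bytes are not an OpenPGP message (ASCII armor, or a binary packet header whose tag is 1, the public-key-encrypted session key that pass-produced files begin with, per the RFC 4880 header layout). It assumes `.sync` is the per-share metadata folder Resilio Sync adds and `.git` is pass's optional repository, and it builds its own throwaway sample store with a placeholder key id rather than touching a real vault.

```python
"""Audit a pass-style password store before sharing it with a sync tool.

Added example, not code from the original post or from pass/Resilio Sync.
Layout follows pass: a .gpg-id file naming the recipient key, and one
<name>.gpg file per entry, each of which should be an OpenPGP message.
"""
import os
import tempfile
from pathlib import Path

# Directories a sync or VCS tool keeps beside the entries; not password data.
# ".sync" is assumed to be Resilio Sync's share metadata, ".git" is pass's optional repo.
SKIP_DIRS = {".sync", ".git"}

ARMOR_HEADER = b"-----BEGIN PGP MESSAGE-----"


def looks_like_openpgp(head: bytes) -> bool:
    """Heuristic: does this byte prefix start an OpenPGP message?

    Accepts ASCII armor, or a binary packet header (bit 7 set) whose tag is 1,
    i.e. a Public-Key Encrypted Session Key packet, which is how a file that
    gpg encrypted to a public key (as pass does) begins.
    """
    if head.startswith(ARMOR_HEADER):
        return True
    if not head:
        return False
    tag_byte = head[0]
    if tag_byte & 0x80 == 0:
        return False            # every OpenPGP packet header has bit 7 set
    if tag_byte & 0x40:
        tag = tag_byte & 0x3F   # new-format header: tag in the low 6 bits
    else:
        tag = (tag_byte >> 2) & 0x0F  # old-format header: tag in bits 2-5
    return tag == 1


def audit_store(store: Path) -> dict:
    """Return the recipient id, the entry names, and any files that would leak."""
    report = {"gpg_id": None, "entries": [], "plaintext": [], "malformed": []}
    gpg_id = store / ".gpg-id"
    if gpg_id.is_file():
        report["gpg_id"] = gpg_id.read_text().strip()
    for root, dirs, files in os.walk(store):
        dirs[:] = [d for d in dirs if d not in SKIP_DIRS]  # prune tool folders
        for name in files:
            path = Path(root) / name
            rel = path.relative_to(store).as_posix()
            if name == ".gpg-id":
                continue                      # metadata pass itself keeps here
            if not name.endswith(".gpg"):
                report["plaintext"].append(rel)  # synced as-is, unencrypted
                continue
            with open(path, "rb") as fh:
                head = fh.read(32)
            if looks_like_openpgp(head):
                report["entries"].append(rel[:-len(".gpg")])
            else:
                report["malformed"].append(rel)  # .gpg name, but not a PGP message
    for key in ("entries", "plaintext", "malformed"):
        report[key].sort()
    return report


def build_sample_store() -> Path:
    """Construct a small throwaway store in a temp dir (sample data, not a real vault)."""
    store = Path(tempfile.mkdtemp(prefix="password-store-"))
    (store / ".gpg-id").write_text("user@example.com\n")  # placeholder key id
    (store / "web").mkdir()
    # 0x85: old-format header, tag 1 (PKESK), two-byte length; body is filler bytes
    (store / "web" / "example.com.gpg").write_bytes(b"\x85\x01\x0c" + b"\x00" * 20)
    # 0xC1: new-format header, tag 1 (PKESK); body is filler bytes
    (store / "web" / "forum.gpg").write_bytes(b"\xc1\xc0\x00" + b"\x00" * 20)
    (store / "web" / "notes.txt").write_text("admin / hunter2\n")  # a plaintext leak
    (store / "broken.gpg").write_text("not really encrypted\n")     # wrong contents
    (store / ".sync").mkdir()
    (store / ".sync" / "ID").write_text("sync-metadata\n")
    (store / ".git").mkdir()
    (store / ".git" / "HEAD").write_text("ref: refs/heads/master\n")
    return store


if __name__ == "__main__":
    result = audit_store(build_sample_store())
    print("recipient:", result["gpg_id"])
    print("entries:  ", result["entries"])
    print("PLAINTEXT:", result["plaintext"])   # should be empty on a clean store
    print("MALFORMED:", result["malformed"])   # should be empty on a clean store
```

Run it against a real store with `audit_store(Path.home() / ".password-store")`; an empty `plaintext` and `malformed` list is the state you want before the directory is handed to Resilio Sync. The header check is deliberately shallow (it reads 32 bytes and never decrypts anything), so it needs no card or key to run on any device that holds a copy of the store.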


Hey David,

thanks for the detailed post!

excuse my newbie-ness, but what steps would be needed to:

1) Retrieve a password of a website on my Android phone? I stored this password on my Windows machine using one of the programs you mentioned. The sync has been completed and the password database has been synced across all the devices.
