
gpass

pass-like password management application

Branches:

  git-annex
* master
  synced/git-annex
  synced/master

Releases:


Clone:

git clone https://gitlab.com/joedoe47/gpass
git clone git://git.joepcs.com/projects/gpass

Log:

| Date | Author (GPG Key) | Commit | Comment |
|---|---|---|---|
| 2018-09-04 | joedoe47 (D7D9DC93B1538725) | b990663 | allow for proper encryption with GPG key |
| 2018-09-04 | joedoe47 (D7D9DC93B1538725) | a73332f | allow for proper encryption with GPG key |
| 2018-09-04 | joedoe47 (D7D9DC93B1538725) | f3e1bdd | changing readme and git clone url |
| 2018-09-04 | joedoe47 (D7D9DC93B1538725) | 9332a32 | self auditing. |
| 2018-08-17 | joedoe47 (D7D9DC93B1538725) | 2788691 | git-annex in joedoe47@greatfox-lylat2:/media/sdh1/documents/public/gpass |
| 2018-07-24 | joedoe47 (D7D9DC93B1538725) | 8607d56 | git-annex in joedoe47@greatfox-lylat2:/media/sdh1/documents/public/gpass |
| 2018-04-24 | joedoe47 (D7D9DC93B1538725) | 5dbcde9 | git-annex in joedoe47@pc-stick:~/bin/gpass |
| 2018-04-24 | joedoe47 (D7D9DC93B1538725) | 788a8cf | git-annex in joedoe47@pc-stick:/media/sda1/documents/public/gpass |
| 2018-04-24 | joedoe47 (D7D9DC93B1538725) | b0c5f13 | git-annex in joedoe47@pc-stick:~/bin/gpass |
| 2018-04-24 | joedoe47 (D7D9DC93B1538725) | f483d6a | git-annex in joedoe47@pc-stick:~/bin/gpass |

Readme

gpass

About

This isn't a fork of the pass app. I just got an idea to use/make something similar to pass that's easier and a bit more flexible for me to use.

It is a wrapper for gpg and uses [PGP](https://ssd.eff.org/en/glossary/pgp) to encrypt data; it defaults to AES256 and uses SHA512 to verify the file.

You will want to try this if:

Pass already exists but this is something I thought would be cool to make anyways.

This leaks less metadata because it's a script that uses GPG to store multiple passwords in a single file in CSV format, whereas pass stores 1 password per file and you organize these passwords using folders. That layout lets an adversary know that you have an account on a specific site, e.g. 'facebook'. With gpass, however, I could have a file called "social-media.gpg" and I may or may not have my facebook accounts there.

Please do not misunderstand: pass isn't insecure or flawed in any way. With both pass and gpass, in the worst-case scenario an attacker knows how big an encrypted file is, what might be inside based on the name, and when it changed, but not necessarily what changed. Both also use GPG.

I made gpass to lessen the amount of data an adversary can get from the name of a file (via security through obscurity), to allow the use of a password or a GPG ID, and to offer 2 other forms of password generation.

The main difference is that with gpass you have 1 file with multiple passwords. An adversary would have a harder time figuring out what passwords are in file "X.gpg", should they somehow get hold of your LUKS drive or see your git server.
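The comparison above can be checked against your own store by listing what is readable without any key. The script below is an added example, not part of gpass or pass; the directory names, account names and CSV columns are constructed for illustration, and the .gpg files hold placeholder bytes rather than real ciphertext.

```sh
#!/bin/sh
# Added example, not gpass code. Every file name and row below is constructed,
# and the .gpg files hold placeholder bytes: only names and sizes matter here.

# What someone who can list the store (but has no key) sees: one line per
# file, "<label> <bytes>", where label is the path in the store minus ".gpg".
observable() {
  store=$1
  find "$store" -type f -name '*.gpg' | LC_ALL=C sort | while IFS= read -r f; do
    rel=${f#"$store"/}
    printf '%s %s\n' "${rel%.gpg}" "$(wc -c < "$f" | tr -d '[:space:]')"
  done
}

# Count the visible labels that name one of the given sites (case-insensitive).
leaked_sites() {
  dir=$1
  shift
  pattern=$(IFS='|'; printf '%s' "$*")
  # grep -c prints 0 but exits 1 when nothing matches, hence "|| true".
  observable "$dir" | cut -d' ' -f1 | grep -Eic -- "$pattern" || true
}

# Build the two layouts the README contrasts under a fresh temp directory.
build_demo() {
  root=$(mktemp -d)
  mkdir -p "$root/pass-style/social" "$root/pass-style/bank" "$root/gpass-style"
  # pass layout: one file per account, grouped in folders.
  printf 'placeholder\n' > "$root/pass-style/social/facebook.gpg"
  printf 'placeholder\n' > "$root/pass-style/social/twitter.gpg"
  printf 'placeholder\n' > "$root/pass-style/bank/examplebank.gpg"
  # gpass layout: one file per group, several CSV rows inside (assumed columns).
  printf 'facebook,alice,pw1\ntwitter,alice,pw2\n' > "$root/gpass-style/social-media.gpg"
  printf 'examplebank,alice,pw3\n' > "$root/gpass-style/finance.gpg"
  printf '%s\n' "$root"
}

demo=$(build_demo)
for layout in pass-style gpass-style; do
  n=$(leaked_sites "$demo/$layout" facebook twitter examplebank)
  echo "== $layout: $n account names readable from file names"
  observable "$demo/$layout"
done
rm -rf "$demo"
```

File size stays visible in both layouts, and in the single-file layout it grows with the number of rows, which matches the worst case the README describes.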

Naturally, the larger a password file, the slower sed is to find/add/delete data. You would probably need around 900,000 passwords on a Raspberry Pi 3 to really notice slowdowns, but performance will vary depending on your hardware and what it's doing.

This can be as secure or as relaxed as you want it, depending on how you use it!

How to try/install

Clone: https://git.joepcs.com/porjects/gpass https://github.com/orien3243/gpass https://gitlab.com/joedoe47/gpass

To try:

$ bash /path/to/gpass [arguments]

If you want something more permanent, you can just use an alias:

$ cd gpass && echo "alias gpass=\"$(pwd)/gpass\"" >> "$HOME/.bashrc"

Every so often, run "git pull" in this directory to make sure it stays up to date.

Configuration

There are some configuration options that can be set via environment variables to tweak how gpass operates. You can add these variables to your .bashrc or .profile to make gpass work to your liking.

Backwards compatibility

I have tested gpass in a few environments: Debian, Fedora, Arch Linux, and Termux (no proot), because these are the Linux and Linux-like environments I use the most. So rest assured it will work on Linux Mint, Windows' new Ubuntu bash, and any operating system so long as it has gpg, bash, and coreutils.

I hate this program!

Since the program uses a simple CSV standard and uses gpg, you can switch to any alternate method of managing your passwords if you think this program isn't for you. (Using a terminal-only method for passwords can be an issue; I've tried to get my friends to use this, to no avail.)

I hate the concept of being locked down so CSV seemed like a good choice. There are a ton of converters from CSV to keepass, lastpass, 1pass, pass, etc.

Suggested Security Practices

Updated Thu 11 Oct 2018 09:48:00 PM UTC.

© 2017-2018 MCM Git