Could you implement pass or pass-otp in the Nitrokey? Maybe just the secret in a slot? How? That would make pass as secure as keepass2 but much more minimal and clean, right… Would it work?
I’m not satisfied with keepass2 because I have had issues with it earlier. Wanna try this one instead if I can get it as secure as keepass2, with OTP codes to log in that are stored on the Nitrokey.
pass already supports gpg keys on a token like Nitrokey. I guess the plugins like pass-otp do as well.
pass init <gpg_key_in_hex> initializes a new password store and protects it with the key that may be a regular gpg key or a token. You just need to load the key into gpg-agent.
That sounds great! Any “newbie” guide out there, step by step? How to set it up, how to use it, how to back up to new machines and set it up with the Nitrokey? Yeah, I would use pass any day before keepass2! Thank you!
Can I use HOTP in the Nitrokey and paste into pass, or how do I set it up? Why is there no guide on this site already? There is a keepass guide already…
Do you mean something like this, and that I should paste it into TOTP on the Nitrokey?
I’m not a coder. Any computer guide for “dummies” out there on how to use this with the Nitrokey? Do I need the pass-otp plugin and use those codes in the Nitrokey then?
The hex keyid or your email address just needs to match the gpg key on your token. Via gpg-agent you then decrypt the credentials in pass using your token.
Please be aware that you also need to safeguard your public key as it cannot be recreated from the data on the token.
Any step-by-step guide? I’m too tired for this right now… Can I use the guide I linked earlier?
I still don’t get why there is a keepass guide here and not one for pass and a Nitrokey on their site. Thanks
This is the best password manager I have ever tried!!! Combined with Nitro. Sweet, pass is brilliant! It just beats keepass with its simplicity and no errors, and it has way stronger encryption.
It’s the only password manager you will ever have to have really…
So I can also just paste the pass OTP I borrow from totp.ssch.dev onto the Nitrokey as a token, and then save that token as a backup if I switch computers and so on? Then it’s a really secure password manager! And you could back it up to different keys even if you wanted…
Even having 2FA on one, and keys on another if you wanted, but that seems “overkill” for me though.
Gotta learn how to back up passwords and restore them and so on though… On other computers.
Thanks for your help!
A few questions… When the key is in and the database is unlocked… Could the thief/attacker download the keys unencrypted then? Or would he get the files, but need to decrypt them on his/her machine?
How easily can passwords be stolen? How hard can you make it if someone hacks your machine… Plus you need to take backups of the tree ~/.password-store/, right, for all machines? Do you usually unplug the key after you have used the passwords, for security? Thanks!
The password manager pass stores all data gpg encrypted at rest. Accessing the data needs the unlock of the gpg key. The passphrase gets cached some time (AFAIR 600 seconds; timer resets on use).
Your Nitrokey passphrase is verified via scdaemon CHECKPIN on the card and cached with gpg-agent. The most secure way is unplugging the Nitrokey. killall -s HUP gpg-agent lets gpg-agent forget the entered passphrase. Killing gpg-agent should also work: gpgconf --kill gpg-agent.
If you decide to print the password to screen, it could be added to the backlog buffer of your terminal and written to disk (some terminals have that as a feature to scroll back through previous sessions or large output and might write that to disk).
When you copy/paste passwords, it could be recorded in convenience tools like gpaste that allow access to a clipboard history. Other tools also have access to the clipboard and may access copied passwords.
Having a second-factor token that cannot be copied is considered a plus for some users and use cases. Everyone that has access to your OTP secret can generate valid OTP codes.
OK, thanks. I could then use the Nitro to generate OTPs. Just paste the demo token on the Nitrokey… that would be the safest.
But I have backed up the secret key…
How can I add that on another card? Do I wait with that, or can I do that now already? Or can I use one card at a time? What if I drop one USB key?
What’s the best way to back up the secret key on two USB sticks, and/or what do I do if I have a new computer and want to restore the password database and the secret keys and so on?
Thanks again. Good answers!
I get that the key is on the first nitrokey…
Can you even have two cards as devices for this, or do you have one at a time, and if you lose one, you need to set it all up from scratch with the sec-key?
I’m new to gpg.
You can back up the password store with the gpg-encrypted secrets (3-2-1 backup strategy), take notes on how you installed pass and the plugins, maybe even back up the ISO to install the OS and the software packages in order to be able to install the exact same versions. As pass is very open, I doubt that the latter would be necessary, but for completeness, I would back it up.
Make sure to also back up the PUBLIC key! Especially when created on the Nitrokey. It is a hassle/sometimes impossible to regenerate it!
The gpg key can be generated externally and stored on multiple Nitrokeys. After that, you could save the key in pass, store it somewhere safe (e.g. a self-encrypted USB key), print it out, or whatever suits your disaster recovery strategy.
Make sure not to lose the User PIN and Admin PIN for your Nitrokeys.
That should be quite safe.
I backup top-most important data on steel plates with embossed letters/digits to be safe from fire.
Haha, you take your security seriously… I like it.
Link the plates in PM. That sounded smart! What do you mean by making an ISO? What would that look like?
Yeah, I can back up the public key also… Might have deleted it. I think I can generate it again, and if not I can start over… Just testing this system out some.
I like pass! But how do I take a backed-up sec-key.asc and make other Nitrokeys have it?
Do you do that when you create everything at the start or can you do it later on?
Any good guides out there on how you restore everything? Yeah, I’m gonna read some. But I definitely prefer pass over keepass. And no, I would not lose the PINs. I remember stuff like that.
Thanks
Thanks for the answers!
How do I import another pass instance on another Debian machine if I have the secret.asc and the public.asc?
Just import them? Any link, or could you write how I set up pass init and my passwords if I just copy the password files from pass on one machine, and then set up gpg with privatekey.asc and publickey.asc? Thanks
You could host the public key somewhere and then use gpg --card-edit followed by a ‘fetch’.
Then just copy over your password directory and you should be good.
Some people like to add the encrypted password store to git and use git clone via ssh to copy instances over. Afterwards you could commit changes and sync it by git fetch.
Thanks.
I did import both keys… But I might have initialized the new pass init wrong; I chose a random name… Now when I try to generate a pass I get this:
gpg: user: skipped: No public key
gpg: [stdin]: encryption failed: No public key
Password encryption aborted.
You know what I could try now?
Do I need to init this on every computer then? pass init <gpg_key_in_hex>
I need to look up which key I picked last time, or if email did work…
Now when I tried to use a key as init and generate a pass I get this instead:
gpg: 727randomnumbers657: There is no assurance this key belongs to the named user
gpg: [stdin]: encryption failed: Unusable public key
Password encryption aborted.
What do I do now? I’m gonna try to set this up later on… A step-by-step guide online would have been nice to have… How to set this up on a machine, and back up, that’s done… But to start on a new machine, I need to learn this. Thanks again for your good answers.
Yes, everything is the same… Just a copy of everything… What should I copy over exactly? And how do I set up pass init on the new machine? Could you write some steps?
Others are free to answer also, but you seem to know this in detail. Thanks
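Added example, not from the thread or the Nitrokey project: a POSIX shell script that does the restore steps discussed above (import the backed-up public and secret key, set ownertrust on your own key, copy the store, run pass init, and verify with a round trip), plus a small helper that maps the two gpg errors quoted above to the step that was skipped. The key id, the file names public.asc / secret.asc and the backup path are assumed arguments; importing from files is used here instead of the card-edit fetch mentioned earlier.

```sh
#!/bin/sh
# Added example, not from the thread. Assumed arguments: a key id (hex id or
# e-mail matching the key on the Nitrokey), backed-up public.asc and
# secret.asc, and a copy of ~/.password-store from the old machine.
set -eu

# Map the two gpg messages quoted in the thread to the step that is missing.
diagnose_gpg_error() {
    case "$1" in
        *"encryption failed: No public key"*)
            # .gpg-id names a key gpg has never seen: pass init ran with a
            # made-up name, or the public key was not imported.
            echo "import-public-key" ;;
        *"There is no assurance this key belongs to the named user"*)
            # Key is imported but has no ownertrust; in batch mode gpg refuses
            # to encrypt to it ("Unusable public key").
            echo "set-ownertrust" ;;
        *)  echo "unknown" ;;
    esac
}

# Restore keys on a fresh machine and point pass at them.
# Pass "-" as the secret file when the secret key lives only on the Nitrokey.
restore_store() {
    keyid="$1"; pub="$2"; sec="$3"; store_src="$4"
    gpg --import "$pub"                     # public key: cannot be rebuilt from the token
    if [ "$sec" = "-" ]; then
        gpg --card-status >/dev/null        # card plugged in: creates key stubs pointing at it
    else
        gpg --import "$sec"
    fi
    # Ultimate ownertrust (6) on your own key avoids the "no assurance" refusal.
    fpr=$(gpg --with-colons --fingerprint "$keyid" | awk -F: '/^fpr:/ {print $10; exit}')
    echo "${fpr}:6:" | gpg --import-ownertrust
    cp -a "$store_src" "$HOME/.password-store"
    pass init "$keyid"                      # writes .gpg-id; entries are already encrypted to this key
    # Round trip through a throw-away entry proves decrypt and encrypt both work.
    echo "restore-check-ok" | pass insert -m restore-check >/dev/null
    pass show restore-check | grep -qx "restore-check-ok"
    pass rm -f restore-check >/dev/null
}

# Usage: sh restore.sh KEYID public.asc secret.asc|- /path/to/password-store-backup
if [ "$#" -eq 4 ]; then
    restore_store "$@"
fi
```

Run diagnose_gpg_error on the stderr of a failing pass generate to see which of the two steps was missed.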