Pass, pass-otp and nitrokey?

Could you implement pass or pass-otp in the nitrokey? Maybe just the secret in a slot? How? That would make pass as secure as keepass2 but much more minimal and clean right… Would it work?

I’m not satisfied with keepass2 because I have had issues with it earlier. Wanna try this one instead if I can get it as secure as keepass2 with otp codes to log in, that are stored on the nitrokey.

pass already supports gpg keys on a token like Nitrokey. I guess also the plugins like pass-otp.

pass init <gpg_key_in_hex> initializes a new password store and protects it with the key that may be a regular gpg key or a token. You just need to load the key into gpg-agent.

That sounds great! Any “newbie” guide out there step-by-step? How to set up. How to use, how to back up to new machines and set it up with the nitrokey? Yeah, I would use pass any day before keepass2! Thank you!

Can I use hotp in the nitrokey and paste into pass or how do I set it up? Why is there no guide already on this site? There is a keepass guide already…

Do you mean something like this, and that I should paste it into totp on the nitrokey?

I’m not a coder. Any computer guide for “dummies” out there on how to use this with the nitrokey? Do I need the pass-otp plugin and use those codes in the nitrokey then?

OK, now I saw I get some key in hex… yeah, I could just copy that in instead of base32, you are right… Need to find some good guide and try it.
Yeah this is for advanced users…
https://plkt.io/a/2019/08/09/configuring-and-integrating-nitrokey-into-your-workflow/

I can try it out though.

The hex keyid or your email address just needs to match the gpg key on your token. Via gpg-agent you then decrypt the credentials in pass using your token.

Please be aware that you also need to safeguard your public key as it cannot be recreated from the data on the token.

Any step-by-step guide? I’m too tired for this right now… Can I use the guide I linked earlier?
I still don’t get why there’s a keepass guide here and not one for pass and a nitrokey on their site. Thanks

$ gpg --card-status
Reader ...........: Nitrokey Nitrokey Start (FSIJ-1.2xxx-xxx) 00 00
Application ID ...: D27xxx
Application type .: OpenPGP
Version ..........: 2.0
Manufacturer .....: unmanaged S/N range
Serial number ....: xxx
Name of cardholder: [not set]
Language prefs ...: [not set]
Salutation .......: 
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: not forced
Key attributes ...: rsa2048 rsa2048 rsa2048
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 3 3
Signature counter : 4
KDF setting ......: off
Signature key ....: AF45 BC55 0B79 2328 FDA8  FDDF 52C4 7BAA 4A43 C43D
      created ....: 2022-06-15 10:32:37
Encryption key....: D214 2C33 7BB8 BCD1 A408  BCE6 9DB9 9182 D416 D26A
      created ....: 2022-06-15 10:32:37
Authentication key: 8457 9611 C3FE 28D0 5069  5B06 2320 EE45 DDBF A285
      created ....: 2022-06-15 10:32:37
General key info..: pub  rsa2048/52C47BAA4A43C43D 2022-06-15 nku demo key <nku@example.com>
sec>  rsa2048/52C47BAA4A43C43D  created: 2022-06-15  expires: never     
                                card-no: FFFE xxx
ssb>  rsa2048/2320EE45DDBFA285  created: 2022-06-15  expires: never     
                                card-no: FFFE xxx
ssb>  rsa2048/9DB99182D416D26A  created: 2022-06-15  expires: never     
                                card-no: FFFE xxx


$ gpg -k
gpg: checking the trustdb
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
/home/nku/.gnupg/pubring.kbx
----------------------------
pub   rsa2048 2022-06-15 [SC]
      AF45BC550B792328FDA8FDDF52C47BAA4A43C43D
uid           [ultimate] nku demo key <nku@example.com>
sub   rsa2048 2022-06-15 [A]
sub   rsa2048 2022-06-15 [E]


$ pass --version
============================================
= pass: the standard unix password manager =
=                                          =
=                  v1.7.4                  =
=                                          =
=             Jason A. Donenfeld           =
=               Jason@zx2c4.com            =
=                                          =
=      http://www.passwordstore.org/       =
============================================


$ pass init AF45BC550B792328FDA8FDDF52C47BAA4A43C43D
mkdir: created directory '/home/nku/.password-store/'
Password store initialized for AF45BC550B792328FDA8FDDF52C47BAA4A43C43D


$ pass generate support.nitrokey.com/nku
mkdir: created directory '/home/nku/.password-store/support.nitrokey.com'
The generated password for support.nitrokey.com/nku is:
|0stdqFIVgjzCX/C9dvD?x"g}


$ pass
Password Store
`-- support.nitrokey.com
    `-- nku


$ tree ~/.password-store/
/home/nku/.password-store/
└── support.nitrokey.com
    └── nku.gpg

1 directory, 1 file


$ pass show support.nitrokey.com/nku
|0stdqFIVgjzCX/C9dvD?x"g}


$ pass otp insert --secret --issuer totp.ssch.dev
Enter secret for this token: GZ4FORKTNBVFGQTFJJGEIRDOKY
Retype secret for this token: GZ4FORKTNBVFGQTFJJGEIRDOKY
Insert into totp.ssch.dev/totp.ssch.dev? [y/N] y
mkdir: created directory '/home/nku/.password-store/totp.ssch.dev'


$ pass otp totp.ssch.dev/totp.ssch.dev
949416