Secret Synergy

Posted on October 20, 2023

I'll open by saying that my password solution up until about yesterday was not great. I spend most of my computer time in Emacs and I prefer to use it wherever I can, so at first I kept my sensitive info in my .authinfo.gpg file, an old Emacs standby. This is great for logins, but the format is pretty rigid. Each line wants a host, username, password, and maybe a port and a URL if you have one. However, for things like a social security number or a bank account number, this format can feel very forced.

Since I share my life with my SO, who will never use such a file, another tool was required in order to share passwords. I was accomplishing this by accessing a password file on my WebDAV server with KeePassXC (on my PC) and KeePassDX (on my phone). Needing KeePassXC to be open in order to access my passwords was not ideal (although it did expose me to a neat feature of Sway[1]), but it worked. I even wrote a little elisp utility to create a diff between the passwords in my KeePass file and my auth file for when things got out of sync. While some good times were had in the coding, I would not refer to this as a "good system".

The catalyst for what I have now happens to be Nyxt. Nyxt is an interesting web browser, and it's got a fairly steep learning curve. I might write a more focused post about it eventually, but the important part about it here is that it supports KeePassXC, which helped me buy into it initially, and it also supports the classic Pass package. I didn't pay much attention to this at first, but the warm fuzzies I got from configuring Nyxt to synergize with Emacs (and a couple of other things) inspired me to re-evaluate my password storage and consider Pass, since both Nyxt and Emacs support Pass natively.

Pass's strategy for managing secrets is to keep each one in a separate file and encrypt it with GPG. I looked at it years ago when I was just getting started with Linux, but at that point I wasn't trying to share passwords and was more inclined to use a single-file solution. One nice thing about Pass is that it sort of has baked-in support for Git[2], so sharing is as simple as pushing passwords to a privately hosted repository. Since we live in the mobile world, I was relying on the implicit assumption that an app supporting Pass exists.
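To make the contrast between the two formats concrete, here is a small parser for both an .authinfo line and a pass-style entry, written for this post as an added example (it is not code from pass, Emacs, or the Password Store app). It works on already-decrypted text, so the GPG layer is left out; the sample credentials are constructed, the host/login store layout is the common pass convention rather than a rule, and the list of keys it checks for the login name is an assumption.

```python
"""Two decrypted secret formats side by side: an .authinfo line and a
pass-style entry.  Added example for this post, not code from pass, Emacs or
Password Store.  GPG is left out: both inputs are shown already decrypted."""
from __future__ import annotations

import re
import shlex

# Constructed sample of one decrypted .authinfo line (not a real credential).
AUTHINFO_LINE = 'machine imap.example.org login alice password "hunter 2" port 993'

# Constructed sample of a decrypted pass entry, e.g. bank/checking.gpg in the
# store.  First line is the secret; later lines are free-form "key: value".
PASS_ENTRY = """correct horse battery staple
username: alice
url: https://bank.example.org
account number: 000123456789
reminder: paper statements arrive quarterly
"""

# The only keys .authinfo understands; anything else has no natural home here.
AUTHINFO_KEYS = {"machine", "login", "password", "port"}


def parse_authinfo_line(line: str) -> dict[str, str]:
    """Parse one .authinfo line of keyword/value pairs (values may be quoted).
    The bare 'default' form is deliberately not handled to keep this short."""
    tokens = shlex.split(line)
    if len(tokens) % 2:
        raise ValueError("odd token count; .authinfo lines are key/value pairs")
    entry: dict[str, str] = {}
    for key, value in zip(tokens[0::2], tokens[1::2]):
        if key not in AUTHINFO_KEYS:
            raise ValueError(f"unknown .authinfo key {key!r}")
        entry[key] = value
    return entry


def parse_pass_entry(text: str) -> tuple[str, dict[str, str]]:
    """Parse a decrypted pass entry.  Line one is the secret; remaining
    non-empty lines shaped 'key: value' become metadata, and any other line is
    kept under 'notes' so nothing is silently dropped."""
    lines = text.splitlines()
    if not lines or not lines[0]:
        raise ValueError("a pass entry must start with the secret on line one")
    secret = lines[0]
    meta: dict[str, str] = {}
    notes: list[str] = []
    for line in lines[1:]:
        if not line.strip():
            continue
        m = re.match(r"^([^:]+):\s*(.*)$", line)
        if m:
            meta[m.group(1).strip().lower()] = m.group(2).rstrip()
        else:
            notes.append(line)
    if notes:
        meta["notes"] = "\n".join(notes)
    return secret, meta


# Keys commonly used for the login name in pass entries.  Treat this list as an
# assumption: it is what this example looks for, not an official specification.
USERNAME_KEYS = ("username", "login", "user")


def username_of(meta: dict[str, str]) -> str | None:
    """Return the login name from a pass entry's metadata, if any key carries it."""
    for key in USERNAME_KEYS:
        if key in meta:
            return meta[key]
    return None


def authinfo_to_pass(entry: dict[str, str]) -> tuple[str, str]:
    """Migrate one .authinfo entry to pass form.  Returns the store path (the
    common host/login layout, minus the .gpg suffix) and the plaintext that
    would be encrypted into that file."""
    path = f"{entry['machine']}/{entry['login']}"
    lines = [entry["password"], f"username: {entry['login']}"]
    if "port" in entry:
        lines.append(f"port: {entry['port']}")
    return path, "\n".join(lines) + "\n"


if __name__ == "__main__":
    info = parse_authinfo_line(AUTHINFO_LINE)
    secret, meta = parse_pass_entry(PASS_ENTRY)
    print("authinfo fields:", info)
    print("pass secret:", secret, "| metadata:", meta)
    print("migrated:", authinfo_to_pass(info))
```

The point the code makes is structural: the .authinfo parser has to reject a key like "account number" outright, while the pass parser accepts any "key: value" line and even keeps stray lines as notes, which is exactly why a bank account number feels forced in one and natural in the other.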

This assumption turned out to be sound, as there is indeed such an app, called Password Store. The setup is fairly straightforward, but I still managed to get myself confused. For posterity (since I will doubtless forget again and don't intend to write an entire post about Password Store): when opening the app for the first time, it asks whether you want to use a local repository or a remote one; I picked remote. It then prompts you for the location, branch, and authentication method. The first two are more or less self-explanatory. At first I thought I wanted to use the OpenKeychain authentication method, but it turned out I didn't really understand how that worked. After a half hour of fiddling with things, I realized I wanted to use the SSH auth method, have Password Store generate the key pair, and follow the prompt to share the public key with myself over email (there are the other usual options for the more savvy). From there, the key just needs to be added to the authorized keys of the desired hosting platform. Once the repository is set up, you still need to authenticate to it using the GPG key that was used to set up the Pass repository in the first place. Password Store doesn't manage these keys (which seems a bit awkward to me), so OpenKeychain is required. There are a few ways to import keys into OpenKeychain; I just saved a file to a share my phone had access to, imported it real quick, and deleted the file from my share. Once the key is imported, Password Store knows to talk to OpenKeychain about unlocking the password files, so that's good I guess.

After writing all this out, I'm realizing that it may seem like the setup involved in the mobile component gets in the way of the synergy vibe this post is going for. This is difficult for me to measure because I always have a period of struggle (however brief it may be) before I understand what I'm doing well enough to repeat it. My only strategy is to evaluate how I'm feeling along the way to determine if the endeavor seems worth it, and at this point I'm still feeling pretty good!

A bonus I discovered about Password Store is that it integrates with Android's auto-fill API. Not only is there no need to download a browser extension (which is great because most of the browsers I use don't support them), but password fill also gets added in native apps (and anything else that can leverage auto-fill)! At first I thought Password Store was some cutting edge app because this is the first time I've heard of auto-fill integrations, but after doing some research I'm realizing it's not that big of a deal. It's been around since Android 8, and the KeePass app I was using before had this capability, I just didn't know about it. I like Password Store's completion a little better, though, so I'm sticking with it for now.

In the end, I'm a little disappointed that it took me so long to discover that other apps can integrate into Android's auto-fill, and this also takes away some of the shine of Password Store, but this adventure still wrapped itself up surprisingly neatly, and I'm looking forward to riding that wave of satisfaction as long as I can.

Footnotes

[1] Sway has what the developer describes as a "bag of holding" that you can dump open applications to if you want them to run but don't want them in a specific workspace. I have my workspaces organized by function, so this was a great discovery. Unfortunately, getting rid of KeePassXC means getting rid of my only use for this bag of holding, but so it goes.
[2] Baked-in might be a stretch. You run git as you would normally, just with pass in front of it, which appears to just set the working directory for the git command. Hardly an integration, but what more could a command-line interface do, really?