
pass-coffin's Introduction


pass-coffin


pass-coffin is a pass extension that hides password store data inside a GPG encrypted file, which we'll call a coffin.

Because of how pass works, directory and file names aren't encrypted by default, so anyone with access to your computer can see which websites you use and your usernames on those websites. Password managers like keepassxc work differently: they keep the entire password database inside a single encrypted file and can also lock access to the application automatically after a certain amount of time. pass-coffin has been created to provide these missing features to pass.

pass-coffin is heavily inspired by pass-tomb and pass-grave. A lot of credit goes to the authors of these extensions for making pass-coffin possible.

Why use pass-coffin?

  • pass-coffin doesn't depend on a 3000+ line ZSH script, and unlike pass-tomb it doesn't need root access to work

  • if PASSWORD_STORE_SIGNING_KEY is set, pass-coffin will sign the encrypted coffin file as well which ensures data integrity and authenticity

  • pass-coffin focuses on being (mostly) compatible with the interface of pass-tomb while writing "better" quality shell script code than pass-grave

  • the encrypted coffin is just a tar file which can be easily synced to other devices or cloud storage to create backups, similar to how keepassxc databases work

  • the code is linted using shellcheck and formatted using shfmt

⚠️ Please Create Backups or Use Git

Before using this extension or any other password store extension, I highly recommend that you check in your password store in a local git repository and sync it with a remote git repository (doesn't have to be an online remote repo) or make regular backups of your password store using tools like borgbackup. You don't want to lose your password store data because of an unintentional bug in this, or any other, pass extension.

Use pass git init to initialize a local git repository in your password store and add a remote git repository using pass git remote add backup <location>. For more details, please read the "EXTENDED GIT EXAMPLE" section of the man page of pass.

Installation

Before installing pass-coffin, make sure that the PASSWORD_STORE_ENABLE_EXTENSIONS environment variable is set to true. If this environment variable isn't set, password store extensions will not work.

Since pass-coffin has a similar interface to pass-tomb, the two extensions cannot be installed or used at the same time. Please install either pass-tomb or pass-coffin, not both.

Dependencies

Arch Linux

pass-coffin is available in the Arch User Repository.

Git Release

git clone https://git.sr.ht/~ayushnix/pass-coffin
cd pass-coffin
sudo make install

You can also do doas make install if you're using doas, which you probably should.

Stable Release

curl -LO https://git.sr.ht/~ayushnix/pass-coffin/refs/download/v1.2.1/pass-coffin-1.2.1.tar.gz
tar xvzf pass-coffin-1.2.1.tar.gz
cd pass-coffin-1.2.1/
sudo make install

or, you know, doas make install.

Usage

The password store data can be hidden inside a coffin using pass close

$ pass close
password store data has been signed and buried inside a coffin

If PASSWORD_STORE_SIGNING_KEY is set, pass close will automatically create and verify a signature for the coffin.

The hidden data can be retrieved using pass open

$ pass open
the signature for the coffin is valid
password store data has been retrieved from the coffin

If PASSWORD_STORE_SIGNING_KEY is set, pass open will automatically verify the signature for the coffin.

The hidden data can be retrieved and closed automatically after a certain amount of time using pass open -t <systemd time>

$ pass open -t 10min
the signature for the coffin is valid
password store data has been retrieved from the coffin
password store data will be hidden inside a coffin after 10min

The time syntax should be valid systemd time.

The status of any active timers to hide password data can be viewed using pass timer

$ pass timer
NEXT                        LEFT     LAST PASSED UNIT              ACTIVATES
Mon 2021-10-04 19:44:13 IST 28s left n/a  n/a    pass-coffin.timer pass-coffin.service

If you want to stop a timer prematurely, execute pass timer stop

$ pass timer stop
the timer to create the coffin has been stopped

pass-coffin uses yellow color for printing warnings and red color for printing error messages. If you don't want to see colors while using pass-coffin, use the NO_COLOR environment variable and set it to anything you like (1, true, yes).

Using pass close

The pass close command can be used in a variety of ways to ensure that your password store metadata isn't exposed when you're not using your computer. Although screen locker security is mostly a joke on Xorg, you can write something like this

$ cat "$HOME"/.local/bin/screenlock_script
pass close > /dev/null 2>&1 || printf "%s\n" "unable to close password store" >&2
yourscreenlockprogram || "$HOME"/.local/bin/screenlock_script

to try and respawn your screen lock program if it exits abnormally. Alternatively, you could switch to a Wayland compositor and a screen lock program that support ext-session-lock-v1, which should hopefully provide a secure screen lock utility for the Linux desktop.
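A fuller version of the lock wrapper above, added here as an example and not part of pass-coffin itself: it closes the coffin first, then runs the locker and restarts it a bounded number of times instead of recursing without limit. The locker command and the retry count are placeholders you pass in; `pass close` is assumed to be on PATH.

```shell
#!/bin/sh
# Added example, not part of pass-coffin: close the coffin before locking the
# screen and respawn the locker a bounded number of times if it exits abnormally.
# Assumes `pass close` is on PATH; the locker command is passed as arguments.

# Close the coffin. If this fails the store metadata stays exposed, so say so.
coffin_close_before_lock() {
    if pass close >/dev/null 2>&1; then
        return 0
    fi
    printf '%s\n' "unable to close password store" >&2
    return 1
}

# Run the locker ($2...) and restart it up to $1 times if it exits non-zero.
# Returns 0 once the locker exits cleanly, 1 if every attempt failed.
respawn_locker() {
    max_tries=$1
    shift
    try=1
    while [ "$try" -le "$max_tries" ]; do
        if "$@"; then
            return 0
        fi
        printf 'locker exited abnormally (attempt %s of %s)\n' "$try" "$max_tries" >&2
        try=$((try + 1))
    done
    return 1
}

# usage: lock_screen_with_coffin <max_tries> <locker> [locker args...]
# The screen is still locked when closing the coffin fails; the warning above
# is the signal to investigate, not a reason to leave the screen unlocked.
lock_screen_with_coffin() {
    coffin_close_before_lock || true
    respawn_locker "$@"
}

# When executed directly with arguments, e.g.
#   lock_with_coffin.sh 3 yourscreenlockprogram
# run the wrapper; with no arguments (e.g. when sourced) only define functions.
if [ "$#" -gt 0 ]; then
    lock_screen_with_coffin "$@"
fi
```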

You can also run pass close before your system goes to sleep and before it is issued a shutdown/reboot command. On Linux distributions with systemd, systemd-lock-handler can help with this.

Contributions

Please see this file.


pass-coffin's Issues

Ideas to integrate pass coffin on android?

I'm wondering what's the best way to use password store with coffin on android?

I'm synchronizing a .coffin.tar.gpg file with rclone to shared storage on android. I guess that one way would be to log into termux and run pass open there (I assume it would work).

I'm wondering though if someone might have created or can think of another way to better integrate it into android? Typing on termux android keyboard a few dozen times every day doesn't sound very smooth.

better error messages and state detection

If the password store isn't inside a coffin and is already decrypted, detect and indicate that instead of printing a scary message like "Unable to find an encrypted GPG coffin"

How about 'pass open'ing only a specific file from the coffin instead of everything?

I think that it would be more secure if there was an option not to open the whole coffin, but only a selected file inside it, e.g.:

pass open password-account-1

Besides general privacy it would be also useful for secret files that other programs use - for example aws-cli-credentials file (aws-cli). Programs that don't support gpg require secrets stored in plain text. It would be more secure if these were not extracted from the coffin until explicitly instructed (or if you could blacklist them somehow).

It's just an idea, maybe there is a simpler way to achieve the same thing. Occurred to me when looking at .env files in web development. Curious to know what you think.

Use timer by default when opening a coffin

I think that pass open command should start a timer by default (e.g. pass open -t 1min) and have an option to open it indefinitely (e.g. -t 0) rather than the other way around. It sounds more secure.

If PASSWORD_STORE_SIGNING_KEY is not set, don't chmod the missing file

I was getting errors when running pass close regarding a chmod error. This was because I didn't have PASSWORD_STORE_SIGNING_KEY set. Here is a quick patch to fix the issue:

index 17c8ff3..1c910a1 100755
--- a/coffin.bash
+++ b/usr/lib/password-store/extensions/coffin.bash
@@ -77,8 +77,10 @@ coffin_close() {

   chmod 400 "$coffin_file" \
     || coffin_warn "unable to make the coffin a readonly file"
-  chmod 400 "$coffin_file.sig" \
-    || coffin_warn "unable to make the coffin signature a readonly file"
+  if [[ -n $PASSWORD_STORE_SIGNING_KEY ]]; then
+    chmod 400 "$coffin_file.sig" \
+      || coffin_warn "unable to make the coffin signature a readonly file"
+  fi

   # delete the remaining data inside PREFIX (PASSWORD_STORE_DIR)
   # CAVEAT: pass init supports specifying different .gpg-id files for different
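Review bot: the new guard keys the chmod on PASSWORD_STORE_SIGNING_KEY rather than on whether `$coffin_file.sig` is actually present, so a signature file left over from an earlier run with the key set, or a run where signing failed, is still handled inconsistently; testing `[[ -f "$coffin_file.sig" ]]` (alone or together with the variable) would make the chmod follow the file's real state. Separately, the file header pairs `a/coffin.bash` with `b/usr/lib/password-store/extensions/coffin.bash`, so this diff was taken against the installed copy and will not apply to the repository with a plain `git apply` without adjusting the path.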

parse the output of systemctl list-timers

The systemctl list-timers command shows a verbose output that isn't needed when using pass timer. pass timer should only show the amount of time left before the password store data will be hidden inside a coffin. Ideally, this should be done without resorting to hacks from sed and awk. If systemctl supports JSON output for its commands, that would help a lot. There's jc but it doesn't support converting output from list-timers into JSON yet.

Install on Termux (without sudo privileges)?

I'm trying to install pass coffin on a non-rooted Android device via termux. I'm stuck on sudo make install step. It complains that it can't find /etc/bash_completion.d directory:

install: creating directory '/data/data/com.termux/files/usr/lib/password-store'
install: creating directory '/data/data/com.termux/files/usr/lib/password-store/extensions'
install: cannot change permissions of ‘/etc/bash_completion.d’: No such file or directory
make: *** [Makefile:18: install] Error 1

There may be two things here:

  1. no sudo access
  2. location is wrong (by default termux uses $PREFIX - /data/data/com.termux/files/usr)

Any advice would be really appreciated.

clear cached password in gpg-agent

If the password is cached in gpg-agent, doing pass close is potentially useless because pass open will just open it up without asking for a password.

This should be the default behavior and should get disabled using an arg.
