Linux Password Manager

Jul 26, 2020

This isn't really about a Linux password manager, it's more about password managers in general. It seems like everyone is going for "cloud storage" of my passwords. This is nuts. I know they "claim" they are fully encrypted and they don't have access to the passwords, but why should I trust them? These passwords are my life. It's crazy that this has become standard practice in the password manager world.

I use 1Password version 6, because after that they went subscription with MY passwords stored in the cloud with a "promise" that they couldn't decrypt them. I can't get (or find where to get) 1password 6 for Linux.

I might opt for one of the command line managers. I lose browser extensions, but honestly, those are probably way more insecure than cloud storage.


move.l Jul 26, 2020
The cloud is just the 'computer' from someone else, and due to the patriot act ...

Jack Jul 26, 2020
You might be interested in Bitwarden. It offers a self-hosting option, which I recognize is somewhat annoying, but a super cheap basic-tier VPS is enough to run it comfortably, and you don't lose the convenience of extensions/etc. You could even run it locally in Docker if you don't care about shared access.

Oh, and it does have a command line interface!

Tim Jul 26, 2020
I don't know whether this is of any interest...
https://1password.com/es/downloads/linux/

Tim Jul 26, 2020
Ron, now that you're on a Linux machine, I strongly recommend you switch to KeePassXC. It's free and multiplatform: https://keepassxc.org/download/

Ron Gilbert Jul 26, 2020
I am running KeePassXC and I'm not overly impressed. Getting TFA auth to work involves hand entering the "key". Most password managers can read QR codes. Once it has the TFA, there is no easy way to see the pin. Not sure why this isn't just a field like username/password. I'll play around with it some more.

Tim Jul 26, 2020
Then there's https://buttercup.pw/ and several others. There's an article addressing password managers for Linux here:  https://www.fossmint.com/linux-password-managers/

Thanks!

Chris Jul 27, 2020
Who the hell trusts a password manager with a cloud option? All glory to a locally saved, highly encrypted Veracrypt container with text files in it. ^^

Yeah, I know...I'm old school as one can be. 😀

Björn Tantau Jul 27, 2020
I use the password app of my Nextcloud installation. Browser integration with Firefox and Chrome is good and if I have to access the passwords from an unsupported system I can just open the webclient.
It's running on my own server so I don't have to trust some third party to keep their promises. And I get the benefits of running it in the cloud.

BTW: Your blog seems to be missing a title-tag.

silmeth Jul 27, 2020
> I might opt for one of the command line managers. I lose browser extensions, but honestly, those are probably way more insecure than cloud storage.

You still have browser extensions for auto-fill with things like pass (the GPG-based command-line password manager, https://www.passwordstore.org/). As pass just manages a directory (with optional git repository) of PGP-encrypted files, you can synchronize the password database through any git repository you want (any server with git and ssh will do, but you could use a private repo at a 3rd party provider too – since you encrypt the passwords with a key you generated yourself, you may be sure the host cannot decrypt them), and there are compatible clients for mobile platforms too. I use pass with the passff extension on Firefox and the Password Store app on Android.

I didn't play with TFA though.

Winfried Maus Jul 27, 2020
I've yet to see a password manager that is usable and "impressive". I work at the Max Planck Society and KeePassXC is being used by many people at many of our institutes, simply because it is free and available on all major platforms. It seems to be the most viable option, especially on Linux.

The best "enterprise-level" commercial application for that purpose that I have seen, unfortunately, is extremely expensive and requires a Windows Server: Mateso Password Safe. https://www.passwordsafe.com/

VeraCrypt... The fork of TrueCrypt, which in turn had a major security flaw that made its encryption easily breakable, which was the reason why the project was abandoned?

Let's state the obvious, gentlemen: All these things will at best protect you from nosy neighbors and script kiddies, but none of them will protect you from your own government. It also doesn't matter whether that information is stored locally or on some cloud storage: The moment you use your credentials, they are being sent over the Internet, and all that Internet traffic --is-- being intercepted at your ISP's core routers. This is not paranoia; since Edward Snowden all suspicions have been confirmed. For example, here in Germany, all Internet traffic is being routed through DE-CIX in Frankfurt, and all traffic going through there is mirrored - not by German intelligence services, but by US intelligence services. And what the Americans don't intercept, GCHQ in Britain does.

Seriously, we need to be more afraid of our "friendly" government agencies than we should be afraid of Nigerian spammers or Russian or Chinese hackers. The Nigerians are at least only interested in our money, the others want to control our lives.

Daniel Rollins Jul 27, 2020
Are you looking for FOSS?

If not I can recommend Enpass. It's an offline password manager with great browser plugins and you can sync up your encrypted password database to almost any online backup provider (Google Drive, Dropbox, etc). Works great on Linux too. I use the mobile app too which also works great.

Dennis Jul 27, 2020
My personal recommendation: Pass + Passff.

Pass is a *nix command line-based password manager. It runs fully locally, so no cloud-based crap. There are some graphical front-ends for it which you could use if you prefer that.

Passff is a browser extension so you can easily access your passwords stored by Pass in the browser.

Installing it will require a bit of work, reference the Git pages or Arch Wiki if you run in to issues and for how-to's.

Ian Hunter Jul 27, 2020
If you are familiar with git I can recommend pass (command line tool). Use any cloud git provider and sync the GPG encrypted data blob to it. Passes are in the cloud but the key (of course) is not. You only need to trust GPG, which I would prefer every day over a fishy browser plugin.

el0j Jul 27, 2020
For historical reasons I'm still using the pwsafe.org client, originally designed by Bruce Schneier, which uses a local database only. It's hard to recommend given how basic and clunky it is (especially the linux version). Has some basic support for Yubikeys for 2FA, but that's about it for features. It doesn't interface with anything, and that's just fine for me.

dada Jul 27, 2020
@Winfried Maus: I am concerned and do find some of these spying practices of our "friendly" government agencies unacceptable, but to pretend that strictly authoritarian governments with huge capabilities just want to play on their turf and don't care about people outside exercising their freedoms including the freedom to express opinion about their practices and that at no point they could have big impact on our rights, is to put it mildly, naive.

Dragoon Jul 27, 2020
In KeePassXC, you can just hit Ctrl-T to copy the TOTP code or Ctrl-Shift-T to see it. KeePassXC-Browser can autofill TOTP codes on associated sites if you want, too.

Kalao Jul 27, 2020
I personally use keepassXC, but I think Bitwarden ( https://bitwarden.com/ ) is also very good for people who don't want to bother managing (centralizing) their password database and synchronizing it across devices all the time. It's open-source, has been audited, seems reliable and trustworthy.

Gerry Jul 27, 2020
As others have mentioned Pass is the one you want: https://www.passwordstore.org/ all your passwords in separate gpg encrypted files managed via git with a hook to prompt for the key when running things such as `git log -p`

It's awesome and there are Chrome extensions.

Dale Jul 27, 2020
I didn't see another recommendation here so I figured I'd mention FPM2 (Figaro's Password Manager 2). It works well.

Gabriel Jul 27, 2020
I used KeePass for the longest time, recently I installed a self hosted NextCloud instance (using docker, really easy to manage) and it comes with a KeePassWeb app that fully executes locally, it's pretty neat.

Federico Jul 27, 2020
The 1Password browser extensions works in Linux. At least I had it working with Chrome.

Ron Gilbert Jul 27, 2020
1Password does work on Linux, but it's only 1PasswordX, which is their evil subscription service with them storing my passwords.  I've been using KeePassXC. It works but is clunky. It will do.

Hovakim Jul 27, 2020
Maybe just try encryptpad, which is basically notepad with password protection. And there is no "cloud" involved.

Tibo Jul 27, 2020
If you want to use your existing keychain, you can use https://icculus.org/1pass/  (It's very limited though)

Kyriacos Jul 27, 2020
Enpass is the best password manager available for Linux
https://www.enpass.io/

I have all my passes stored on Google Drive and synced with all my devices, which use Android, all for $10, but now it seems they have increased the price to 40-50

thejahh Jul 27, 2020
If you don't want cloud based; but still want portable and easy to use/integrate you might want to take a look at physical password managers. I have used the mooltipass mini (https://www.themooltipass.com/) for a few years, and it works great on linux and has full support for mac/windows/smartphones as well. It has browser plugins, and a desktop daemon that can automate detecting password fields, but even without those it works flawlessly without anything installed since it emulates a keyboard.
It's secure, portable, and easy to use. Only con is you do need to remember to keep it with you if you want to use it on your phone/laptop on the go. But for the added peace of mind knowing your passwords are not likely to show up in bulk in a leak; I think that's a worthwhile tradeoff.

marcomausf Jul 27, 2020
Maybe you want to try https://qtpass.org/
Basically it is a nice GUI for GPG-encrypted textfiles that makes use of the "pass"-utility, that is the very same thing for the terminal.

Tim Jul 27, 2020
@Chris I find the idea of using Veracrypt to store plain text files quite interesting – especially since you can fool 'enforcers' with two different VC passwords. I also remove drive letters on Windows and let VC mount them when a correct password is entered. I have yet to check if this is feasible on Ubuntu 😀

plf Jul 27, 2020
Try keepassXC, it's opensource. You can sync the encrypted keyfile to your cloud storage and be done with it. It's compatible with a lot of opensource mobile applications.

Sslaxx Jul 27, 2020
@plf - that is what he's using.

Scott Jul 27, 2020
Run your own Bitwarden server and enjoy all the benefits of a cloud based server with all the privacy of controlling it yourself.

Shmerl Jul 27, 2020

Jim Jul 27, 2020
Bitwarden is a great option

Ian Sterling Jul 27, 2020
I'm a big fan of Bitwarden. I do use their cloud-based version, but I've been considering hosting my own server and ditching the cloud-based version.

dirk dierickx Jul 28, 2020
You might also consider running 1Password in wine? I know you want nothing to do with windows, but for those applications you really need to have, wine is actually a pretty nifty solution. If used correctly all windows applications run in their 'own windows environment' keeping it clean (and actually better than on a real windows pc).
you can check the status of application wine compatibility on https://appdb.winehq.org/

HexDSL Jul 28, 2020
I use "pass"; it puts all my passwords in ~/.password-store encrypted by default. Then I sync them to my own cloud storage. Been using it for years. There are rofi/dmenu plugins for it as well as firefox and crom*

NeoTheFox Jul 28, 2020
KeePassXC gets my vote. Local storage, strong encryption. TOTP, browser plugins - everything you could ever ask for. And it's fully open source as well!

NeoTheFox Jul 28, 2020
Also, I forgot to mention it, but you can export 1Password to CSV and import it to KeePassXC!   https://support.1password.com/export/

Gene Malkin Jul 28, 2020
I use 1password 4 windows on Linux through Wine. Does 6's master key file open in 4? I think it should. Sadly I feel the same exact way as you about the whole Cloud storage concept for passwords. I don't mind my key file being on dropbox since I know I can do 2FA with it and the file itself is encrypted, but it bothers me that 1password and LastPass basically want the keys to the kingdom.

Gene Malkin Jul 28, 2020
I forgot to say. I'll probably be slowly transitioning to Bitwarden because it seems to be compatible for all my desired platforms.

Not to hijack this post, but I just want to say congrats on making the jump to Linux. I'm a long time Mac & Windows user (from System 7.1 & Win3.1 onward) but this year I forced myself to transition off both to Linux to avoid using Windows10. I don't want to buy a modern Mac to run modern MacOS. Ubuntu/Debian based Linux distros have been really great for me.
I highly recommend you check out PopOS. I experimented with like 20 different distros before settling on PopOS. The auto-tiling shell is absolutely the best way to get lots of work done with multiple windows. It's so fast and clean and still totally gnome3 based so you can do whatever you'd want.
For home server use I have several SBC and converted chromebooks running DietPi. I totally recommend you checking that out too. It's fantastic for low power/older machines.

Matt Jul 29, 2020
Bitwarden is super easy to use. Is free, or paid. Can be self hosted if you like. Works on your desktop, browser and mobile. Can do autofill as.

Sriram Ramkrishna Jul 29, 2020
https://flathub.org/apps/search/password

Has several options - I personally use bitwarden.

Sophie Jul 30, 2020
KeePassXC is what I use. And the keyfile is synchronized using my own nextcloud.

I am rubber, you are glue. Aug 03, 2020

Old dog Aug 03, 2020
Your posts lately have reminded me what made me switch back to Windows after 6 years of Linux exclusive life. Everything works, almost. And that ALMOST drove me nuts in the end.

mj Aug 04, 2020
Ron, this might make you happy. 1Password for Linux - https://twitter.com/dteare/status/1290643598787186689?s=21

Francesco di Marciare Aug 05, 2020
I agree with some other users here. Enpass works very well. Synch to cloud storage is only an option.  You pay only for mobile version.

David Amador Aug 05, 2020
I'm also using the "offline" version of 1Password but I'm on version 7. I'm not sure if it's still possible but 7 also used to allow you to install and purchase a regular perpetual version, on Windows at least. It's really hidden during install but the option was there in one of the steps.

JP Aug 05, 2020
I've been using Firefox Lockwise, the password manager that comes built into Firefox these days (and also has an iOS app, I believe). As I understand it, it doesn't store anything on a server, it just syncs between the various machines you run Firefox on. It also has the ability to generate strong passwords for new or existing accounts.

Kyusan Aug 06, 2020
If you don't mind to use command line, I really like this one :
https://github.com/peff/pass

Simply store your passwords in a hidden directory where you can use subfolders to organize and where every file contains a password encrypted with your GPG key. Shell completion makes it really pleasant to use. So in the end, your passwords are stored using only standard tools (filesystem + gpg), no cloud, no heavy Electron GUI, as KISS as possible :)

Kyusan Aug 06, 2020
Then I keep this folder synced using Syncthing, so no cloud, only my personal machines :)

Nils Breunese Aug 09, 2020
1Password also still supports sync via iCloud and Dropbox AFAIK, and you can still get a one-time-payment license if you really dig for it. I personally went for their subscription service, because I think 1Password is one of the best pieces of software I know, in terms of UX, documentation, support, etc. Also they have quite extensive documentation and white papers on their security models, so you don't need to just believe their "claims". I personally trust 1Password more to handle this than I'd trust myself to safely sync my vaults across devices, but if you see issues with 1Password's security model, I'm sure the security world would like to hear!

https://support.1password.com/1password-security/

Man without Collar Aug 10, 2020
I do gopass but it might not be right for you.

Vinicius Garcia de Rezende Aug 12, 2020
https://masterpassword.app/ you don't have to store anything anywhere.

Downside: you'll have to change your current passwords

Jon Aug 23, 2020
In KDE, I use https://github.com/akermu/krunner-pass with https://www.passwordstore.org/.

Then I just have to press Super+Space (or Alt+F2) and I can quickly select my password.

Also check out this open source/hardware password manager, which just completed its kickstarter for the next new BT enabled version: https://www.kickstarter.com/projects/limpkin/mooltipass-mini-ble-security-on-the-go

alexandre derumier Sep 16, 2020
We are using bitwarden at work, with an opensource rust reimplementation for the server (https://github.com/dani-garcia/bitwarden_rs).
Official clients/browser plugins are compatible.
