Jul 26, 2020

Linux Password Manager

This isn't really about a Linux password manager, it's more about password managers in general. It seems like everyone is going for "cloud storage" of my passwords. This is nuts. I know they "claim" they are fully encrypted and they don't have access to the passwords, but why should I trust them? These passwords are my life. It's crazy that this has become standard practice in the password manager world.

I use 1Password version 6, because after that they went subscription with MY passwords stored in the cloud with a "promise" that they couldn't decrypt them. I can't get (or find where to get) 1Password 6 for Linux.

I might opt for one of the command line managers. I lose browser extensions, but honestly, those are probably way more insecure than cloud storage.

move.l

Jul 26, 2020
The cloud is just the 'computer' from someone else, and due to the Patriot Act ...

Jack

Jul 26, 2020
You might be interested in Bitwarden. It offers a self-hosting option, which I recognize is somewhat annoying, but a super cheap basic-tier VPS is enough to run it comfortably, and you don't lose the convenience of extensions/etc. You could even run it locally in Docker if you don't care about shared access.

Oh, and it does have a command line interface!

Tim

Jul 26, 2020
I don't know whether this is of any interest...
https://1password.com/es/downloads/linux/

Tim

Jul 26, 2020
Ron, now that you're on a Linux machine, I strongly recommend you switch to KeePassXC. It's free and multiplatform: https://keepassxc.org/download/

Ron Gilbert

Jul 26, 2020
I am running KeePassXC and I'm not overly impressed. Getting TFA auth to work involves hand-entering the "key". Most password managers can read QR codes. Once it has the TFA, there is no easy way to see the pin. Not sure why this isn't just a field like username/password. I'll play around with it some more.

Tim

Jul 26, 2020
Then there's https://buttercup.pw/ and several others. There's an article addressing password managers for Linux here: https://www.fossmint.com/linux-password-managers/

Thanks!

Chris

Jul 27, 2020
Who the hell trusts a password manager with a cloud option? All glory to a locally saved, highly encrypted Veracrypt container with text files in it. ^^

Yeah, I know...I'm old school as one can be. 😀

Björn Tantau

Jul 27, 2020
I use the password app of my Nextcloud installation. Browser integration with Firefox and Chrome is good and if I have to access the passwords from an unsupported system I can just open the webclient.
It's running on my own server so I don't have to trust some third party to keep their promises. And I get the benefits of running it in the cloud.

BTW: Your blog seems to be missing a title-tag.

silmeth

Jul 27, 2020
> I might opt for one of the command line managers. I lose browser extensions, but honestly, those are probably way more insecure than cloud storage.

You still have browser extensions for auto-fill with things like pass (the GPG-based command-line password manager, https://www.passwordstore.org/). As pass just manages a directory (with optional git repository) of PGP-encrypted files, you can synchronize the password database through any git repository you want (any server with git and ssh will do, but you could use a private repo in a 3rd party provider too – since you encrypt the passwords with a key you generated yourself, you may be sure the host cannot decrypt them), and there are compatible clients for mobile platforms too. I use pass with the passff extension on Firefox and the Password Store app on Android.

I didn't play with TFA though.

Winfried Maus

Jul 27, 2020
I've yet to see a password manager that is usable and "impressive". I work at the Max Planck Society and KeePassXC is being used by many people at many of our institutes, simply because it is free and available on all major platforms. It seems to be the most viable option, especially on Linux.

The best "enterprise-level" commercial application for that purpose that I have seen, unfortunately, is extremely expensive and requires a Windows Server: Mateso Password Safe. https://www.passwordsafe.com/

VeraCrypt... The fork of TrueCrypt, which in turn had a major security flaw that made its encryption easily breakable, which was the reason why the project was abandoned?

Let's state the obvious, gentlemen: All these things will at best protect you from nosy neighbors and script kiddies, but none of them will protect you from your own government. It also doesn't matter whether that information is stored locally or on some cloud storage: The moment you use your credentials, they are being sent over the Internet, and all that Internet traffic --is-- being intercepted at your ISP's core routers. This is not paranoia; since Edward Snowden, all suspicions have been confirmed. For example, here in Germany, all Internet traffic is being routed through DE-CIX in Frankfurt, and all traffic going through there is mirrored - not by German intelligence services, but by US intelligence services. And what the Americans don't intercept, GCHQ in Britain does.

Seriously, we need to be more afraid of our "friendly" government agencies than we should be afraid of Nigerian spammers or Russian or Chinese hackers. The Nigerians are at least only interested in our money, the others want to control our lives.

Daniel Rollins

Jul 27, 2020
Are you looking for FOSS?

If not I can recommend Enpass. It's an offline password manager with great browser plugins and you can sync up your encrypted password database to almost any online backup provider (Google Drive, Dropbox, etc). Works great on Linux too. I use the mobile app too which also works great.

Dennis

Jul 27, 2020
My personal recommendation: Pass + Passff.

Pass is a *nix command line-based password manager. It runs fully locally, so no cloud-based crap. There are some graphical front-ends for it which you could use if you prefer that.

Passff is a browser extension so you can easily access your passwords stored by Pass in the browser.

Installing it will require a bit of work, reference the Git pages or Arch Wiki if you run in to issues and for how-to's.

Ian Hunter

Jul 27, 2020
If you are familiar with git I can recommend pass (command line tool). Use any cloud git provider and sync the GPG encrypted data blob to it. Passes are in the cloud but the key (of course) is not. You only need to trust GPG, which I would prefer every day over a fishy browser plugin.

el0j

Jul 27, 2020
For historical reasons I'm still using the pwsafe.org client, originally designed by Bruce Schneier, which uses a local database only. It's hard to recommend given how basic and clunky it is (especially the linux version). Has some basic support for Yubikeys for 2FA, but that's about it for features. It doesn't interface with anything, and that's just fine for me.

dada

Jul 27, 2020
@Winfried Maus: I am concerned and do find some of these spying practices of our "friendly" government agencies unacceptable, but to pretend that strictly authoritarian governments with huge capabilities just want to play on their turf and don't care about people outside exercising their freedoms including the freedom to express opinion about their practices and that at no point they could have big impact on our rights, is to put it mildly, naive.

Dragoon

Jul 27, 2020
In KeePassXC, you can just hit Ctrl-T to copy the TOTP code or Ctrl-Shift-T to see it. KeePassXC-Browser can autofill TOTP codes on associated sites if you want, too.

Kalao

Jul 27, 2020
I personally use keepassXC, but I think Bitwarden ( https://bitwarden.com/ ) is also very good for people who don't want to bother managing (centralizing) their password database and synchronizing it across devices all the time. It's open-source, has been audited, seems reliable and trustworthy.

Gerry

Jul 27, 2020
As others have mentioned, Pass is the one you want: https://www.passwordstore.org/ all your passwords in separate gpg encrypted files managed via git with a hook to prompt for the key when running things such as `git log -p`

It's awesome and there are Chrome extensions.

Dale

Jul 27, 2020
I didn't see another recommendation here so I figured I'd mention FPM2 (Figaro's Password Manager 2). It works well.

Gabriel

Jul 27, 2020
I used KeePass for the longest time, recently I installed a self hosted NextCloud instance (using docker, really easy to manage) and it comes with a KeePassWeb app that fully executes locally, it's pretty neat.

Federico

Jul 27, 2020
The 1Password browser extension works in Linux. At least I had it working with Chrome.

Ron Gilbert

Jul 27, 2020
1Password does work on Linux, but it's only 1PasswordX, which is their evil subscription service with them storing my passwords. I've been using KeePassXC. It works but is clunky. It will do.

Hovakim

Jul 27, 2020
Maybe just try encryptpad, which is basically notepad with password protection. And there is no "cloud" involved.

Tibo

Jul 27, 2020
If you want to use your existing keychain, you can use https://icculus.org/1pass/  (It's very limited though)

Kyriacos

Jul 27, 2020
Enpass is the best password manager available for Linux
https://www.enpass.io/

I have all my passes on Google Drive stored and synched with all my devices which uses android all for $10 but now it seems they have increased the price to 40-50

thejahh

Jul 27, 2020
If you don't want cloud based; but still want portable and easy to use/integrate you might want to take a look at physical password managers. I have used the mooltipass mini (https://www.themooltipass.com/) for a few years, and it works great on linux and has full support for mac/windows/smartphones as well. It has browser plugins, and desktop daemon that can automate detecting password fields, but even without those it works flawlessly without anything installed since it emulates a keyboard.
It's secure, portable, and easy to use. Only con is you do need to remember to keep it with you if you want to use it on your phone/laptop on the go. But for the added peace of mind knowing your passwords are not likely to show up in bulk in a leak; I think that's a worthwhile tradeoff.

marcomausf

Jul 27, 2020
Maybe you want to try https://qtpass.org/
Basically it is a nice GUI for GPG-encrypted textfiles that makes use of the "pass"-utility, that is the very same thing for the terminal.

Tim

Jul 27, 2020
@Chris I find the idea of using Veracrypt to store plain text files quite interesting – especially since you can fool 'enforcers' with two different VC passwords. I also remove drive letters on Windows and let VC mount them when a correct password is entered. I have yet to check if this is feasible on Ubuntu 😀

plf

Jul 27, 2020
Try keepassXC, it's opensource. You can sync the encrypted keyfile to your cloud storage and be done with it. It's compatible with a lot of opensource mobile applications.

Sslaxx

Jul 27, 2020
@plf - that is what he's using.

Scott

Jul 27, 2020
Run your own Bitwarden server and enjoy all the benefits of a cloud based server with all the privacy of controlling it yourself.

Shmerl

Jul 27, 2020
KeepassXC: https://keepassxc.org

Jim

Jul 27, 2020
Bitwarden is a great option

Ian Sterling

Jul 27, 2020
I'm a big fan of Bitwarden. I do use their cloud-based version, but I've been considering hosting my own server and ditching the cloud-based version.

dirk dierickx

Jul 28, 2020
You might also consider running 1Password in wine? I know you want nothing to do with windows, but for those applications you really need to have, wine is actually a pretty nifty solution. If used correctly all windows applications run in their 'own windows environment' keeping it clean (and actually better than on a real windows pc).
You can check the status of application wine compatibility on https://appdb.winehq.org/

HexDSL

Jul 28, 2020
I use "pass"; it puts all my passwords in ~/.password-store encrypted by default. Then I sync them to my own cloud storage. Been using it for years. There are rofi/dmenu plugins for it as well as firefox and crom*

NeoTheFox

Jul 28, 2020
KeePassXC gets my vote. Local storage, strong encryption. TOTP, browser plugins - everything you could ever ask for. And it's fully open source as well!

NeoTheFox

Jul 28, 2020
Also, I forgot to mention it, but you can export 1Password to CSV and import it to KeePassXC! https://support.1password.com/export/

Gene Malkin

6d ago
I use 1password 4 windows on Linux through Wine. Does 6's master key file open in 4? I think it should. Sadly I feel the same exact way as you about the whole Cloud storage concept for passwords. I don't mind my key file being on dropbox since I know I can do 2FA with it and the file itself is encrypted, but it bothers me that 1password and LastPass basically want the keys to the kingdom.

Gene Malkin

6d ago
I forgot to say. I'll probably be slowly transitioning to Bitwarden because it seems to be compatible for all my desired platforms.

Not to hijack this post, but I just want to say congrats on making the jump to Linux. I'm a long time Mac & Windows user (from System 7.1 & Win3.1 onward) but this year I forced myself to transition off both to Linux to avoid using Windows10. I don't want to buy a modern Mac to run modern MacOS. Ubuntu/Debian based Linux distros have been really great for me.
I highly recommend you check out PopOS. I experimented with like 20 different distros before settling on PopOS. The auto-tiling shell is absolutely the best way to get lots of work done with multiple windows. It's so fast and clean and still totally gnome3 based so you can do whatever you'd want.
For home server use I have several SBC and converted chromebooks running DietPi. I totally recommend you checking that out too. It's fantastic for low power/older machines.

Matt

6d ago
Bitwarden is super easy to use. Is free, or paid. Can be self hosted if you like. Works on your desktop, browser and mobile. Can do autofill as.

Sriram Ramkrishna

5d ago
https://flathub.org/apps/search/password

Has several options - I personally use bitwarden.

Sophie

4d ago
KeePassXC is what I use. And the keyfile is synchronized using my own nextcloud.

I am rubber, you are glue.

1d ago
It could help:

https://wiki.debian.org/PasswordManagement

Old dog

23h ago
Your posts lately have reminded me what made me switch back to Windows after 6 years of Linux exclusive life. Everything works, almost. And that ALMOST drove me nuts in the end.