
List:       gentoo-user
Subject:    Re: [gentoo-user] Encrypted drives, password generation and management howto, guide.
From:       Frank Steinmetzger <Warp_7 () gmx ! de>
Date:       2024-05-14 22:17:36
Message-ID: ZkPjALOZPaX6aTXG () kern


On Tue, May 14, 2024 at 06:28:17AM -0500, Dale wrote:
> Howdy,
> […]
> remember either, or write notes to remember them.   I also wanted to
> avoid the desktop copy and paste, or clipboard, mechanism.   I'm not sure
> how that data is stored in the clipboard and how good it is at erasing
> it when I clear it.

The mark-and-middleclick you describe further down is the very same as the 
"normal" clipboard. It is just accessed differently.

> First, I needed to generate a password.   I googled, a lot.   I had
> trouble finding a way to generate the type of passwords I wanted but I
> finally found one.

Care to elaborate regarding the "password you wanted"? There is the obvious 
pwgen, which can generate passwords with given character sets and length. 
Keepass can do this, too, so I assume Bitwarden (which you use) has a 
similar function.

And if you don't like parts of the generated PW, keep the part you like, 
generate new and pick the part you like again. Or just let pwgen generate a 
big bunch and pick what you like best from the output.

> […]
> Now that I have a password, how do I keep track of them?   I did some
> more searching.   I wanted something that was command line not GUI.  
> After all, I have BitWarden for websites and such already.   Thing is,
> it's GUI since it is a Firefox add-on.   I'd need to use the clipboard to
> copy and paste.   I want to avoid that remember?   I also wanted something
> that is on its own, separate from my main password tool BitWarden.   I
> found kpcli in the tree.

I didn't know about kpcli and it is not available in Arch. So I looked it 
up. Turns out it is a non-graphical Keepass client (that's what the kp 
stands for, after all).

Interestingly, there is also a bitwarden CLI client.

Did you know Keepass (the graphical one) has an autotype feature? This means 
that it simulates the pressing of keys, so it bypasses the clipboard 
entirely. Another advantage of that is that you can set up custom key 
sequences in the autotype field, so you can for example say "first enter the 
username, then press enter, then wait for a second, then enter the password 
and press enter again." Useful for sites that use a dynamic login screen 
with animations or non-standard input fields.

> Then I needed some way to handle if the password file kpcli uses got
> lost or damaged.   If I were to lose that file, all drives and the data
> on them is lost.   I'd lose everything because there is no way to
> remember the password.

The obvious answer is: backup – encrypted or not. ;-)
My Keepass database is a simple file in my home that is backed up together 
with all the other home files by Borg. Meaning I even have a versioned 
backup of my passwords. Needless to say my backup drives are LUKSed with a 
long passphrase that I have never ever once written down anywhere on paper. 
I've been using it for so long now and on several drives, that it is 
ingrained in my brain.

> The kpcli file itself appears to be encrypted.  
> So, it protects itself.   That's good.   I don't need to put the file on
> something that is also encrypted, just copy it to a plain file system as
> it is.   I have a USB stick that I store things on.   Things like drive
> info, what drives go to what volume group, what drive has the OS on it
> etc and the portage world file on it.   I also have some scripts in /root
> that I don't want to lose either so I copy them to the stick as well.  

Be mindful that USB sticks aren't very reliable. The flash chips in them are 
what is left after quality control deemed them unfit for duty in SSDs (first 
tier) and memory cards (second tier). So always keep several copies, 
possibly on different types of storage media (HDDs, SSDs, optical, whatever).

> Then one important file, my file that contains frequently used
> commands.   It is rather lengthy and is 15 years or more of additions.   I
> copied all that info to a USB stick.   It lives in the fire safe.

TBH, I wouldn't put all my horses on one USB stick in a fire safe. (Or 
however the saying goes) After a flimsy USB stick with questionable flash 
chips has been subjected to high temperatures for a longer time, chances are 
you may not be able to access its data ever again.

> How I use all this.   I do this in a Konsole, within KDE, which has
> tabs.   Might work on a plain console too tho.   If I need to open an
> encrypted drive, or set of drives, I open kpcli and get it to show the
> password for that drive in one tab.   I then run the little script to
> open and mount that drive in another tab.   When it asks for the
> password, I highlight the password from kpcli tab and then switch tabs
> and middle click to paste the password in.

Since you've already scripted most of it, you could possibly go the full 
way. Use the HDD's UUID as key and either store the password in a file that 
is named with the UUID, or in keepass with the UUID as entry title. Then you 
can let the script retrieve the password all by itself without any need for 
copy-pasting – except for unlocking the keepass file.

I don't know how often you insert, unlock and mount a drive. But given you 
have so many drives, I imagine it to happen regularly.

>    I don't use the desktop
> clipboard to do this.   Once the drive is open, I then highlight random
> things, 3 or 4 of them, to make Konsole forget the password.   It seems
> to only remember one thing at a time.   I'm not aware of any history
> being stored within Konsole.

It's not Konsole that does any of the clipboard handling. It merely accesses 
it. You have the primary clipboard (Ctrl+X/C/V) and optionally the KDE 
clipboard manager that remembers the last x entries. And you have the 
secondary clipboard (marking text and pasting with middle-click). That's an 
X feature from yesteryear. There is an option in the KDE clipboard manager 
whether it should observe the secondary clipboard or not.

BTW: if you copy something within the Keepass GUI (a username, password 
etc), then Keepass itself will clear the clipboard after a configurable 
delay (default is 10 seconds).

> So, found a way to generate some pretty random passwords, whatever
> length and characters I want. I found a good way to store them.

Is your home encrypted with a good passphrase? And your home backup, too? If 
the answer is yes to both, then any additional encryption step may be nice 
for peace of mind, but technically unnecessary. My keepass file is 
passphrase-protected, because it stores my entire digital life.
But for stuff like offlineimap and fetchmail/fdm, I have no problem with 
storing passwords in plaintext in their config files, because those files 
are protected by the file system encryption.

> I'm also able to copy and paste them in a way that has no history of the
> passwords that I'm aware of.

Clipboard history is a desktop feature – if you enabled it. If you want to 
be fully sure, use alternatives like the aforementioned autotype or reading 
files directly into your script.

>    I've also made copies of the file in case
> the OS drive goes out on me or the file gets erased or corrupted.  

That's always a good idea.

> I get a LOT of help from this mailing list.   Rich, Micheal, Neil and
> several others.   I hope at least one person will read all this and find
> it useful in some way and I get to give back a little.   Having a way to
> generate and remember passwords is an important thing if you encrypt your
> drives.

There is of course also the possibility to let KDE remember the passphrase. 
I have some LUKS passphrases in my KDE wallet and the wallet itself has no 
password – because all filesystems are encrypted anyways.

-- 
Grüße | Greetings | Salut | Qapla'
Please do not share anything from, with or about me on any social network.

There is only one way to the lung and it must be tarred.

["signature.asc" (application/pgp-signature)]
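The "let the script retrieve the password all by itself, keyed by the drive's UUID" idea from the reply above, written out as an added example. This is not Dale's script nor anything from the kpcli or Keepass projects; it assumes a directory of passphrase files named after the LUKS header UUID (hypothetical default location ~/.config/luks-keys, overridable through PASSDIR), each file mode 0600 and living on an already encrypted home, which is the precondition the reply sets out. The generator is a plain /dev/urandom + tr stand-in for pwgen so the whole thing runs offline; the lookup refuses path-traversal characters in the UUID, symlinks, and files readable by group or world, and the passphrase reaches cryptsetup through a pipe on stdin, so neither the X PRIMARY selection nor the CLIPBOARD selection ever sees it.

```shell
#!/bin/sh
# Added example: passphrase store keyed by LUKS UUID, no clipboard involved.
# Assumed layout: $PASSDIR/<uuid> holds one passphrase per line, mode 0600.
set -eu

PASSDIR="${PASSDIR:-$HOME/.config/luks-keys}"   # assumption: lives on encrypted $HOME

# gen_passphrase LEN [TR-CHARSET]  (stand-in for `pwgen -s LEN 1`)
# LC_ALL=C so tr ranges are plain ASCII regardless of the user's locale.
gen_passphrase() {
  len=${1:-24}
  chars=${2:-'A-Za-z0-9'}
  LC_ALL=C tr -dc "$chars" < /dev/urandom | head -c "$len"
}

# check_uuid UUID: only hex digits and dashes, so "$PASSDIR/$uuid" can never
# escape the directory (no "../", no spaces, no empty name).
check_uuid() {
  case ${1:-} in
    "" | *[!0-9a-fA-F-]*) return 1 ;;
  esac
}

# store_passphrase UUID PASS: write the file with a restrictive umask so it is
# 0600 from the first byte, never world-readable for even a moment.
store_passphrase() {
  check_uuid "$1" || { echo "bad uuid: $1" >&2; return 1; }
  mkdir -p -m 700 "$PASSDIR"
  ( umask 077; printf '%s\n' "$2" > "$PASSDIR/$1" )
}

# lookup_passphrase UUID: print the first line of the key file, but only if
# the file is a regular, non-symlinked file with no group/other permission bits.
lookup_passphrase() {
  check_uuid "$1" || { echo "bad uuid: $1" >&2; return 1; }
  f="$PASSDIR/$1"
  [ -f "$f" ] && ! [ -L "$f" ] || { echo "no key file for $1" >&2; return 1; }
  # ls -ld prints e.g. "-rw------- 1 ..."; columns 5-10 are group+other bits.
  case $(ls -ld -- "$f") in
    ????------*) ;;
    *) echo "refusing $f: readable by group or world" >&2; return 1 ;;
  esac
  pass=
  IFS= read -r pass < "$f" || [ -n "$pass" ]
  printf '%s' "$pass"
  unset pass
}

# unlock_and_mount DEVICE MOUNTPOINT (root required for cryptsetup and mount).
# Without --key-file, cryptsetup reads a non-tty stdin up to the first newline,
# i.e. exactly what would have been typed at the prompt; the passphrase goes
# through a pipe and never through a clipboard or selection buffer.
unlock_and_mount() {
  dev=$1
  mnt=$2
  uuid=$(cryptsetup luksUUID "$dev")
  name="luks-$uuid"
  pass=$(lookup_passphrase "$uuid")
  printf '%s\n' "$pass" | cryptsetup open "$dev" "$name"
  unset pass
  mount "/dev/mapper/$name" "$mnt"
}

# Usage: sh unlock-by-uuid.sh /dev/sdX1 /mnt/point
#        PASSDIR=/path sh unlock-by-uuid.sh ...   (to use another key directory)
# With no arguments only the functions are defined, so the file can be sourced.
if [ $# -eq 2 ]; then
  unlock_and_mount "$1" "$2"
fi
```

To populate the store when formatting a new drive, generate with gen_passphrase (or pwgen), feed the same value once to cryptsetup luksFormat and once to store_passphrase with the UUID that cryptsetup luksUUID reports afterwards. If the passphrases are to live in the Keepass database instead of loose files, as the reply also suggests, lookup_passphrase is the only function to swap; with the KeePassXC command-line client that would be `keepassxc-cli show -s -a Password db.kdbx "$uuid"`, which prompts once for the database passphrase, the one copy-paste-free prompt the reply mentions.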

