Keep your passwords in a safe

Let us build a keystore

Do not roll your own, technology is dangerous, cryptography will bite you! But still...

If you use a computer, if you have a smartphone, you also have passwords, a lot of them. They grow every day, everywhere. All of them should be different, since you don't want some random newsletter guy to have the exact same password, or some variation of it, that you use to unlock your bank account.

And it should not be the name of a loved one (or a hated one), a sibling, or some meaningful date in your life with a random variation at the end. In other words, if it means anything, it is a bad password. If it means almost anything, it is still a bad password, because a little entropy can still be overcome with some computing.

If you want to sleep without being tormented by your password being reused where you least like it, you should probably be using a password store.

Nice, let us just download some random dude's binary from the internet, which will at least prove I didn't intentionally throw away all of my precious data, and see what it can do for me. There are actually a lot of random dudes around who offer fancy password stores, with integrated chat and maybe stickers... seriously?

They're so safe and fun because... they sync! I love to sync around; where did you last sync your bank account password to? Who knows, but the PIN of the front door is on some other continent for sure, and it sounds so cool!

Ok, enough. I bet you know a couple of ways to generate a keypair and store the private key in a safe place, possibly protected by a password (another one!) that you hopefully don't tattoo in a visible area.

You will now need a bunch of ugly scripts to let you perform a few operations. I'd say the bare minimum is the following:

  • lock a provided secret
  • unlock a provided secret
  • write a secret to a provided location
  • copy a secret to the clipboard
  • remove the secret, possibly with multiple overwrites
  • maybe spawn a given script as child with the value for a given secret

Plus, this builds on top of some command that you use to encrypt/decrypt. You might want to use x509crypt, or roll up your sleeves and hook it to something you trust.

It is of course possible to do much better; what follows is only an MVSSS (Minimum Viable Stupid Shell Script), and you should be able to use it like this:

ugly <-l|-u|-w|-c|-r|-e> <name> [args...]

ugly -l <name>                  : lock secret <name>
ugly -u <name>                  : unlock secret <name>
ugly -w <name> <dest>           : write secret <name> to <dest>
ugly -c <name>                  : write secret <name> to clipboard
ugly -r <name> <file>           : read secret <name> from <file> - delete <file>
ugly -e <name> <env> <command>  : run <command> with secret <name> in environment variable <env>
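The same six operations written out as an added example in POSIX sh. This is not the author's ugly script and it does not model x509crypt's command line: the encrypt and decrypt steps are assumed to be two stdin-to-stdout filter commands that you name in the UGLY_ENCRYPT and UGLY_DECRYPT variables, the store directory is taken from UGLY_DIR (defaulting to ~/.ugly), and the clipboard tools (wl-copy, xclip, pbcopy) are whichever happens to be installed. The function names are my own.

```shell
#!/bin/sh
# Added example, not the author's "ugly" script: the six operations as plain
# POSIX sh functions. Encryption is delegated to two trusted filter commands
# (stdin -> stdout) named in UGLY_ENCRYPT and UGLY_DECRYPT; x509crypt's real
# command line is not modelled here (assumption).
UGLY_DIR="${UGLY_DIR:-$HOME/.ugly}"

ugly_backend_check() {
    [ -n "$UGLY_ENCRYPT" ] && [ -n "$UGLY_DECRYPT" ] && return 0
    echo "ugly: set UGLY_ENCRYPT and UGLY_DECRYPT to trusted filter commands" >&2
    return 1
}

# Reject names that would escape the store directory or hide as dotfiles.
ugly_name_ok() {
    case $1 in
        ''|*/*|.*) echo "ugly: bad secret name '$1'" >&2; return 1 ;;
    esac
}

# -l <name>: read the plaintext from stdin, store it encrypted with mode 600.
ugly_lock() {
    name=$1
    ugly_backend_check && ugly_name_ok "$name" || return 1
    mkdir -p "$UGLY_DIR" && chmod 700 "$UGLY_DIR" || return 1
    tmp="$UGLY_DIR/$name.enc.tmp"
    # Write to a temp file first so a failed encrypt never replaces a good one.
    if ( umask 077; sh -c "$UGLY_ENCRYPT" > "$tmp" ); then
        mv "$tmp" "$UGLY_DIR/$name.enc"
    else
        rm -f "$tmp"; return 1
    fi
}

# -u <name>: print the plaintext on stdout.
ugly_unlock() {
    name=$1
    ugly_backend_check && ugly_name_ok "$name" || return 1
    [ -f "$UGLY_DIR/$name.enc" ] || { echo "ugly: no secret named '$name'" >&2; return 1; }
    sh -c "$UGLY_DECRYPT" < "$UGLY_DIR/$name.enc"
}

# -w <name> <dest>: write the plaintext to <dest>, created with mode 600.
ugly_write() {
    ( umask 077; ugly_unlock "$1" > "$2" )
}

# -c <name>: copy to the clipboard with whichever tool is installed (assumed).
ugly_clip() {
    if command -v wl-copy >/dev/null 2>&1; then ugly_unlock "$1" | wl-copy
    elif command -v xclip >/dev/null 2>&1; then ugly_unlock "$1" | xclip -selection clipboard
    elif command -v pbcopy >/dev/null 2>&1; then ugly_unlock "$1" | pbcopy
    else echo "ugly: no clipboard tool found" >&2; return 1
    fi
}

# Overwrite a file with random bytes three times, then unlink it. Best effort:
# journaling, copy-on-write and SSD wear levelling may keep old blocks around.
ugly_shred() {
    file=$1
    size=$(( $(wc -c < "$file") + 0 ))
    pass=0
    while [ "$pass" -lt 3 ]; do
        [ "$size" -gt 0 ] && dd if=/dev/urandom of="$file" bs="$size" count=1 conv=notrunc 2>/dev/null
        pass=$((pass + 1))
    done
    rm -f "$file"
}

# -r <name> <file>: lock the contents of <file>, then shred and delete <file>.
ugly_read() {
    ugly_lock "$1" < "$2" || return 1
    ugly_shred "$2"
}

# -e <name> <env> <command...>: run <command> with the secret in variable <env>.
# A same-uid process can still read another process's environment, so this is
# better than a command-line argument but not a secure channel.
ugly_exec() {
    name=$1; var=$2; shift 2
    secret=$(ugly_unlock "$name") || return 1
    env "$var=$secret" "$@"
    rc=$?; unset secret; return $rc
}

ugly_main() {
    case ${1:-} in
        -l) ugly_lock "$2" ;;
        -u) ugly_unlock "$2" ;;
        -w) ugly_write "$2" "$3" ;;
        -c) ugly_clip "$2" ;;
        -r) ugly_read "$2" "$3" ;;
        -e) shift; ugly_exec "$@" ;;
        *)  echo "usage: ugly <-l|-u|-w|-c|-r|-e> <name> [args...]" >&2; return 2 ;;
    esac
}

# Acts as the command when given arguments; sourcing the file only loads the functions.
if [ "$#" -gt 0 ]; then
    ugly_main "$@"
fi
```

Three details carry most of the value over a bare pipe into your encrypt command: every file is created under umask 077 (so a store or a -w destination never spends a moment world-readable), a new ciphertext is written to a temporary file and renamed over the old one only after the encrypt command succeeded, and the secret name is checked against path separators before it is joined to the store directory. The shred is deliberately labelled best effort; on journaling or copy-on-write filesystems, deleting the plaintext file after -r is no guarantee that the bytes are gone.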

This can be the base for some other product, and if there is demand it can possibly be rewritten in some other language, but the structure would fundamentally remain the same.

The code for the project can be downloaded from here: ugly and here: x509crypt

Paolo Lulli 2021

Keywords: [ x509 ] [ cryptography ]