For the past few years, the list of passwords I use for all the various websites, servers, and applications has been growing ever longer. Some people limit themselves to 3-4 passwords, or a handful of formulas for password generation. I used to do that, but it's insecure, and when you control the fate of numerous servers, it's irresponsible. These days, I generally create new passwords at random, and replace them every 3-4 months.
Every flavour of Linux has its own system for managing passwords; for example, KDE has KWallet and GNOME has Keyring. Tuesday I started playing with Fedora for the first time in years, and discovered yet another way:
System > Preferences > System > Authorizations
(polkit-gnome-authorization). And, of course, even Mozilla (Firefox, Thunderbird) handles password management like this... but each application has its own repository, and each one will drift out of sync in time.
So, for a password management system that doesn't care about window manager, application, or even OS (this works under Cygwin on Windows, too), I've designed my own method.
How do you remember hundreds of passwords which have nothing in common? Store them in a database encrypted with a passphrase, then use a simple query to retrieve them.
Here's how it works, and how you can set up something similar.
Home Server / CVS Server
First, define these 3 scripts.
- /home/user/passwds/PWget.sh
#!/bin/bash
# Optionally pull the latest encrypted file from the home server.
dir=/home/user/passwds
mkdir -p "$dir"
echo -n "Retrieve latest? [y/N] "; read yn
if [[ $yn == "y" ]]; then
    scp user@home-server:"$dir/passwds.cpt" "$dir"
fi
- /home/user/passwds/PWsearch.sh
#!/bin/bash
# -c decrypts to stdout, so no plaintext touches the disk.
# An empty pattern matches every line, which is what `PW | more` relies on;
# `--` keeps a search term starting with '-' from being read as a grep option.
file="/home/user/passwds/passwds.cpt"
ccrypt -c "$file" | grep -i -- "$1"
- /home/user/passwds/PWedit.sh
#!/bin/bash
file="/home/user/passwds/passwds"
# Stop if decryption fails (e.g. wrong passphrase). Chaining with ';' would
# open an empty file in vi and then encrypt that in place of the store.
ccrypt -d "$file.cpt" || exit 1
vi "$file"
ccrypt -e "$file"
Next, define 2 aliases -- one for password lookup, and one to modify the encrypted password file. I use ~/.alias, which I load as part of my ~/.bashrc file.
- /home/user/.alias
# Aliases take no parameters: the search term typed after PW is simply appended.
alias PW='/home/user/passwds/PWsearch.sh'
alias PWE='/home/user/passwds/PWedit.sh'
Now, on the home server, I can run `PW eclipse` to decrypt the file, find every line in the password file containing "eclipse", and print those entries. Or, I can run `PW | more` by itself to display the entire file (paged with `more`). To modify the file, I use `PWE` to decrypt, edit, and re-encrypt the file. I also periodically check this file into my CVS repository (`cvs add -kb passwds.cpt; cvs ci -m "" passwds.cpt`; `-kb` marks it as binary so CVS doesn't try keyword expansion on the ciphertext) so I can track changes.
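PWedit.sh decrypts the store in place, so a plaintext copy sits in /home/user/passwds for as long as vi is open and, if the session dies, afterwards. The script below is an added example of my own (not the author's PWedit.sh) showing the variant I would use instead: it decrypts into an owner-only temporary directory, removes the plaintext on any exit, and swaps the new ciphertext in with a rename so an interrupted run leaves the old store intact. It assumes ccrypt is on PATH, the store is the page's /home/user/passwds/passwds.cpt, and $EDITOR (default vi) accepts a file name as its last argument; the PW_STORE variable and the function names are mine.

```shell
#!/bin/bash
# PWedit-safe.sh: edit the ccrypt-encrypted password file without leaving
# the decrypted copy beside it.  Added example, not the original PWedit.sh.
# Assumes ccrypt on PATH and $EDITOR (default vi) taking a file argument.
set -eu

PW_STORE=${PW_STORE:-/home/user/passwds/passwds.cpt}   # store the PW scripts use
PW_WORKDIR=''
PW_PLAIN=''

# Remove the plaintext.  Called at the end of pw_edit and, via trap, on any
# abnormal exit (wrong passphrase, editor crash, Ctrl-C).  shred is best
# effort: on journaling filesystems and SSDs the old blocks may survive, so
# point TMPDIR at a private tmpfs if that matters to you.
pw_cleanup() {
    if [ -n "$PW_PLAIN" ] && [ -e "$PW_PLAIN" ]; then
        shred -u "$PW_PLAIN" 2>/dev/null || rm -f "$PW_PLAIN"
    fi
    [ -n "$PW_WORKDIR" ] && rm -rf "$PW_WORKDIR"
    PW_WORKDIR=''; PW_PLAIN=''
    return 0
}

# Usage: pw_edit /path/to/passwds.cpt
pw_edit() {
    store=$1
    old_umask=$(umask)
    umask 077                                   # temp dir and file are owner-only
    PW_WORKDIR=$(mktemp -d "${TMPDIR:-/tmp}/pwedit.XXXXXX")
    PW_PLAIN=$PW_WORKDIR/passwds
    trap pw_cleanup EXIT
    trap 'pw_cleanup; exit 130' INT TERM

    # Decrypt to the private temp file.  With set -e a wrong passphrase
    # aborts here instead of editing an empty file as ';'-chaining would.
    ccrypt -c "$store" > "$PW_PLAIN"
    ${EDITOR:-vi} "$PW_PLAIN"                   # unquoted so "emacs -nw" works

    # ccrypt -e replaces passwds with passwds.cpt.  Stage the new ciphertext
    # next to the store, then rename over it: a crash mid-way leaves the old
    # store intact rather than a half-written one.
    ccrypt -e "$PW_PLAIN"
    mv -f "$PW_PLAIN.cpt" "$store.new"
    mv -f "$store.new" "$store"

    pw_cleanup
    trap - EXIT INT TERM
    umask "$old_umask"
}

# Run as a script: PWedit-safe.sh [store]; with no argument only the
# functions are defined, so the file can also be sourced.
if [ $# -gt 0 ]; then
    pw_edit "$1"
fi
```

Wire it in with `alias PWE='/home/user/passwds/PWedit-safe.sh /home/user/passwds/passwds.cpt'`. You still type the passphrase three times per edit (once for `-c`, twice for `-e`), exactly as with the original script.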
Remote Client(s) / Other Servers
Well, you think, that's great for a single system, but I need my passwords on 3 or 4 different systems. Plus, my home server may not always be accessible (e.g., only when I'm on my home network).
So, once again, we start with the same three bash scripts.
Next, define a different version of the `PW` alias:
- /home/user/.alias
# PWget.sh runs first; the search term typed after PW is appended to PWsearch.sh.
alias PW='/home/user/passwds/PWget.sh; /home/user/passwds/PWsearch.sh'
Now, on any other server which can reach the home server over ssh, `PW eclipse` can be used to (optionally) retrieve the latest version of the password file, then search it as in the example above. Can't reach the home server? That's fine, we keep a local cache of the encrypted password file -- good enough until the next sync. Note that the sync only pulls from the home server, so edits belong there: a change made to the cached copy on a client is overwritten by the next retrieve.
Voila! Centralized encrypted password management for Windows & Linux clients!
About ccrypt
So, what handles the encryption, and how secure is it?
ccrypt is based on the Rijndael block cipher, which was also chosen by the U.S. government as the Advanced Encryption Standard (AES, see http://www.nist.gov/aes/). This cipher is believed to provide very strong cryptographic security. In practice the file is only as strong as the passphrase typed at the ccrypt prompt, since the key is derived from it.
If your Linux or Cygwin distro doesn't include ccrypt in its repositories, here are a couple of places you can find it: