author noa@gaiwan.org 2024-07-03 14:11:27 +0000
committer noa@gaiwan.org 2024-07-03 14:11:27 +0000
commit 54a7994d14076f8857d1f01c76ed183b53b93d03
tree 0a5b43f662d61d366c924817cdf784a71da1df3d
parent e4492bd2120213fd3d1293141271e692883fff68
Replace pass with keepassxc
-rw-r--r-- config.org 35
1 files changed, 10 insertions, 25 deletions
diff --git a/config.org b/config.org
index 92bd3ab..295d595 100644
--- a/config.org
+++ b/config.org
@@ -1672,40 +1672,25 @@ This is equivalent to the message of the day present in some shells.  I wanted i
 (setenv "GPG_AGENT_INFO" nil)
 #+end_src
 
-* Pass(1)
-The auth-source library allows packages to request password information.  It has a password store backend, which is nicer to work with than netrc files.
+* Password management
+I mostly don't use emacs for passage management.  Instead i use the wonderful [[https://keepassxc.org/][keepassxc]].  Keepassxc has many great features i make use of, including one time passwords, an ssh agent, and checking if my password appears in leaks.
 
-#+begin_src elisp :tangle no
-(require 'auth-source-pass)
-(add-to-list 'auth-sources 'password-store)
-(auth-source-forget-all-cached)
-#+end_src
-
-I'm trying out using passage instead of pass.  To work properly, we also need to setup age decryption.  I set the age identities file to the file where i keep my identities for the passage store.  I don't really use it for anything else, so this is fine for now.
-
-#+begin_src elisp
-  (require 'age)
-  (setopt age-default-identity "~/.passage/identities")
-  (age-file-enable)
-#+end_src
+I used keepassxc for over a year, before deciding to throw the towel in and move to bitwarden for the convenience of having my passwords easily on multiple devices.  It turns out that things i took for granted with keepassxc, like not having to pay for one time password support, the ssh agent, browser integration that worked well all the time, and a decent desktop application, were not present in bitwarden.  Instead of running back to bitwarden, i moved again, first to pass, the so-called standard unix password manager, and then to passage, which does the same thing but uses age encryption instead of the fire-engine-on-fire that is gpg.
 
-We also need to make sure we are using rage instead of age.  Rage is an implementation of the age command line which allows us to input passwords with pinentry.
+The motivation for this move was because i wanted to start using a hardware token as extra protection for the passwords.  But sadly, the infrastructure around this solution just isn't there and it became a pile of jank.  I stopped accessing my email and xmpp from my computer, because it felt like too much of a headache.
 
-#+begin_src elisp
-  (setopt age-program "rage")
-#+end_src
+And so i'm back with keepassxc.  Luckily keepassxc supports the secret service api, and so does emacs's very own auth-source package, so everything should be perfect.  Right?
 
-Then we can set up auth-source-passage to allow us to use passage as an auth-source backend.
+Not quite.  The keys that auth-source expects don't quite align with the keys that keepassxc has.  So any passwords i want emacs to be able to easily deal with have to be moved around a little.  Luckily the passwords key itself is just where it should be, but i had to go the advanced options in my keepassxc entry and add things in the :user, :host, and :port slots.  I probably won't be updating these very often, so it's not a big deal.  But i'm writing it here because otherwise i will forget.
 
 #+begin_src elisp
-  (require 'auth-source-passage)
-  (add-to-list 'auth-sources 'passage-store)
+  (require 'secrets t nil)
+  ;; (secrets-open-session)
+  (setopt auth-sources '("secrets:Passwords"))
   (auth-source-forget-all-cached)
 #+end_src
 
-#+begin_src elisp
-  (package-ensure 'pass)
-#+end_src
+* Other
 
 #+begin_src elisp
 (setopt confirm-kill-emacs 'y-or-n-p)
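
Review bot: In the new src block, `(require 'secrets t nil)` has its optional arguments in the wrong order. The signature is `(require FEATURE &optional FILENAME NOERROR)`, so this passes `t` as FILENAME and `nil` as NOERROR; if the intent is a soft require that does not signal when the library is missing, it should be `(require 'secrets nil t)`. The commented-out `;; (secrets-open-session)` should either be dropped or get a sentence saying when it is needed. Since `auth-sources` is now only `"secrets:Passwords"`, the prose should also state that the keepassxc database has to be exposed over the Secret Service as a collection named Passwords, next to the note about filling in the :user, :host and :port attributes. Wording in the added text: "passage management" reads like it should be "password management", "Instead of running back to bitwarden" looks like it means keepassxc, and "i had to go the advanced options" is missing "to".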