From 54a7994d14076f8857d1f01c76ed183b53b93d03 Mon Sep 17 00:00:00 2001 From: noa@gaiwan.org Date: Wed, 3 Jul 2024 14:11:27 +0000 Subject: Replace pass with keepassxc --- config.org | 35 ++++++++++------------------------- 1 file changed, 10 insertions(+), 25 deletions(-) (limited to 'config.org') diff --git a/config.org b/config.org index 92bd3ab..295d595 100644 --- a/config.org +++ b/config.org 
@@ -1672,40 +1672,25 @@ This is equivalent to the message of the day present in some shells. I wanted i (setenv "GPG_AGENT_INFO" nil) #+end_src -* Pass(1) -The auth-source library allows packages to request password information. It has a password store backend, which is nicer to work with than netrc files. +* Password management +I mostly don't use emacs for passage management. Instead i use the wonderful [[https://keepassxc.org/][keepassxc]]. Keepassxc has many great features i make use of, including one time passwords, an ssh agent, and checking if my password appears in leaks. -#+begin_src elisp :tangle no -(require 'auth-source-pass) -(add-to-list 'auth-sources 'password-store) -(auth-source-forget-all-cached) -#+end_src - -I'm trying out using passage instead of pass. To work properly, we also need to setup age decryption. I set the age identities file to the file where i keep my identities for the passage store. I don't really use it for anything else, so this is fine for now. - -#+begin_src elisp - (require 'age) - (setopt age-default-identity "~/.passage/identities") - (age-file-enable) -#+end_src +I used keepassxc for over a year, before deciding to throw the towel in and move to bitwarden for the convenience of having my passwords easily on multiple devices. It turns out that things i took for granted with keepassxc, like not having to pay for one time password support, the ssh agent, browser integration that worked well all the time, and a decent desktop application, were not present in bitwarden. Instead of running back to bitwarden, i moved again, first to pass, the so-called standard unix password manager, and then to passage, which does the same thing but uses age encryption instead of the fire-engine-on-fire that is gpg. -We also need to make sure we are using rage instead of age. Rage is an implementation of the age command line which allows us to input passwords with pinentry. 
+The motivation for this move was because i wanted to start using a hardware token as extra protection for the passwords. But sadly, the infrastructure around this solution just isn't there and it became a pile of jank. I stopped accessing my email and xmpp from my computer, because it felt like too much of a headache. -#+begin_src elisp - (setopt age-program "rage") -#+end_src +And so i'm back with keepassxc. Luckily keepassxc supports the secret service api, and so does emacs's very own auth-source package, so everything should be perfect. Right? -Then we can set up auth-source-passage to allow us to use passage as an auth-source backend. +Not quite. The keys that auth-source expects don't quite align with the keys that keepassxc has. So any passwords i want emacs to be able to easily deal with have to be moved around a little. Luckily the passwords key itself is just where it should be, but i had to go the advanced options in my keepassxc entry and add things in the :user, :host, and :port slots. I probably won't be updating these very often, so it's not a big deal. But i'm writing it here because otherwise i will forget. #+begin_src elisp - (require 'auth-source-passage) - (add-to-list 'auth-sources 'passage-store) + (require 'secrets t nil) + ;; (secrets-open-session) + (setopt auth-sources '("secrets:Passwords")) (auth-source-forget-all-cached) #+end_src -#+begin_src elisp - (package-ensure 'pass) -#+end_src +* Other #+begin_src elisp (setopt confirm-kill-emacs 'y-or-n-p) -- cgit 1.4.1-2-gfad0
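Review bot: In the new elisp block, `(require 'secrets t nil)` passes a non-nil NOERROR argument, and the next form, `(setopt auth-sources '("secrets:Passwords"))`, replaces the whole list, where the removed code used `add-to-list`. If the secrets library fails to load, nothing reports it, and auth-source is left with a single backend that cannot answer, so every credential lookup comes back empty without an error. Either drop the NOERROR argument so a missing Secret Service fails loudly at startup, or wrap the `setopt` in a check on the value `require` returns. If replacing the list is deliberate, so that no plaintext netrc-style file is consulted as a fallback, a sentence saying so in the prose would help. The commented-out `;; (secrets-open-session)` should be removed or given a note on when it is needed. The prose names the `:user`, `:host` and `:port` slots but not that the collection name "Passwords" in `auth-sources` has to match what keepassxc exposes; since the section is written as a reminder, that is worth adding. Two wording slips in the added text: "passage management" in the first paragraph reads like it should be "password management", and "Instead of running back to bitwarden" looks like it means keepassxc. The subject line also says pass, while the removed code configures passage.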