PeterCxy/pass-gocrypt
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Compare commits

base: PeterCxy:d6e7763de3fa1f5836bfb5879827ff229514619f
Branches Tags
PeterCxy:master
..
compare: PeterCxy:f9902f8989f105c3838e9918b34bb3a44c174052
Branches Tags
PeterCxy:master

No commits in common. "d6e7763de3fa1f5836bfb5879827ff229514619f" and "f9902f8989f105c3838e9918b34bb3a44c174052" have entirely different histories.
d6e7763de3 ... f9902f8989

2 changed files with 6 additions and 114 deletions
Show stats Expand all files Collapse all files

103
README.md
View file

@ -1,103 +0,0 @@
pass-gocrypt
===
An extension for [pass](https://www.passwordstore.org/) that hides part of the password files inside a subdirectory encrypted by
[gocryptfs](https://github.com/rfjakob/gocryptfs).
`pass-gocrypt` serves a somewhat similar purpose as [pass-coffin](https://github.com/ayushnix/pass-coffin) and
[pass-tomb](https://github.com/roddhjav/pass-tomb) -- because `pass` does not encrypt the directory structure (metadata) by
default, anyone who has access to the password store is able to deduce what websites / services does the owner have accounts on.
Both `pass-coffin` and `pass-tomb` provide workarounds to this limitation by placing the entire password store inside an encrypted
format when unused, shielding metadata from offline attacks.
This approach, in general, works perfectly fine, but comes with some shortcomings that, in the author's view, defeat the point of
using `pass`. For example, when a password store is locked inside a `coffin` or a `tomb`, you lose the ability to synchronize
the store using `git`, at least not without seriously compromising the security model of `coffin` and `tomb`. Furthermore, the
all-or-nothing approach renders the entire password store unusable on mobile clients of `pass` (again, at least without compromising
`coffin` and `tomb` themselves).
In `pass-gocrypt`, only a subtree of the password store will be encrypted. This encryption is done transparently with `gocryptfs`,
with a password generated and managed by `pass` itself. You can optionally supply another passphrase when initializing this
extension, which will be used along with the one managed by `pass` to derive the symmetric encryption key used by `gocryptfs`.
When the encrypted subtree is unlocked, it simply appears as a subdirectory
of the original password store (`gocrypt/`), and all read operations from `pass`, including from web browser plugins, can be done
without any special care (other than remembering to unlock the subtree first). The encrypted subdirectory is stored in the original
password store under `.gocrypt/`, and can be managed by `git` just like how it was without encryption.
The biggest caveat of this is that write operations (such as `edit` and `generate`) **has** to be prefixed by the `gocrypt` subcommand
to ensure compatibility when the outer password store is a git repository. Without the prefix, git commits that are normally created
automatically by `pass` will not be generated during a write. See the Usage section of this document for examples.
Installation
===
This extension is consisted of only one script, `gocrypt.bash`, and can be simply copied into the `.extensions` folder inside your
password store to be installed. You will need `PASSWORD_STORE_ENABLE_EXTENSIONS` to be set to `true` for `pass` to load the extension.
Alternatively, the extension can be installed to the system extension directory in `/usr/lib/password-store/extensions`.
Dependencies:
- pass
- bash
- perl
- gocryptfs
Usage
===
Please run `pass gocrypt help` after installation for detailed help. Below is a simple example of using `pass-gocrypt` to encrypt
a subset of your passwords.
To initialize:
```sh
pass gocrypt init
# With extra passphrase:
# pass gocrypt init -p
```
To generate a password inside the encrypted subdirectory:
```sh
pass gocrypt generate "My/Password"
```
To view a password from inside the encrypted subdirectory:
```sh
pass gocrypt show "My/Password"
# or simply: pass show "gocrypt/My/Password"
# or from any other pass-compatible GUI, when the subdirectory is opened
```
To move a password from outside of the encrypted subdirectory to inside:
```sh
pass gocrypt crypt "My/Insecure Password"
```
To close (unmount) the encrypted subdirectory:
```sh
pass gocrypt close
```
To re-open (mount) the encrypted subdirectory:
```sh
pass gocrypt open
```
To make the encrypted subtree a git repository of its own:
```sh
pass gocrypt git init
```
__Note__: This will allow changes inside the subdirectory to be recorded separately from the git repo of the outside password
store. This has the benefit of retaining the unencrypted changelog once the subdirectory is opened (decrypted). The git log
of the outside password store will still contain the encrypted form of the full inner repository, and the inner repository does
not need to be synchronized separately. This is **not** a recommended mode of operation, but some users may prefer to do this
to retain a full human-readable history of the encrypted part of their password store.

17
gocrypt.bash
View file

@ -32,10 +32,6 @@ gocrypt_die() {
exit 1 exit 1
} }
_cmd_git() {
[ -d '.git' ] && cmd_git "$@"
}
gocrypt_derive_password() { gocrypt_derive_password() {
local data="$1" local data="$1"
local key="$2" local key="$2"
@ -67,7 +63,6 @@ gocrypt_init() {
if $needs_passphrase; then if $needs_passphrase; then
echo -n "Enter passphrase: " echo -n "Enter passphrase: "
read -s passphrase read -s passphrase
[[ "$passphrase" =~ [^a-zA-Z0-9\ ] ]] && gocrypt_die "Only alphanumeric characters are allowed for now"
local passphrase_confirm="" local passphrase_confirm=""
echo echo
echo -n "Confirm passphrase: " echo -n "Confirm passphrase: "
@ -99,10 +94,10 @@ gocrypt_init() {
echo "# Gocrypt" >> .gitignore echo "# Gocrypt" >> .gitignore
echo "gocrypt" >> .gitignore echo "gocrypt" >> .gitignore
_cmd_git add .gitignore cmd_git add .gitignore
$needs_passphrase && _cmd_git add "$gocrypt_needs_passphrase_marker" $needs_passphrase && cmd_git add "$gocrypt_needs_passphrase_marker"
_cmd_git add "$gocrypt_dir" cmd_git add "$gocrypt_dir"
_cmd_git commit -m "Initialized encrypted storage for gocrypt plugin" cmd_git commit -m "Initialized encrypted storage for gocrypt plugin"
} }
gocrypt_open() { gocrypt_open() {
@ -139,8 +134,8 @@ gocrypt_delegate() {
# Delegate command to another `pass` instance that manages what is inside of the mountpoint # Delegate command to another `pass` instance that manages what is inside of the mountpoint
PASSWORD_STORE_DIR="$PWD/$gocrypt_dec_dir" "$PROGRAM" "$@" PASSWORD_STORE_DIR="$PWD/$gocrypt_dec_dir" "$PROGRAM" "$@"
# Commit if there has been changes due to this operation # Commit if there has been changes due to this operation
_cmd_git add "$gocrypt_dir" cmd_git add "$gocrypt_dir"
_cmd_git commit -m "Encrypted pass operation inside gocrypt" "$gocrypt_dir" || echo "No git commit created" cmd_git commit -m "Encrypted pass operation inside gocrypt" "$gocrypt_dir" || echo "No git commit created"
} }
gocrypt_crypt() { gocrypt_crypt() {