From ca322277b2628fb20b8a53d16836e683ce4b2520 Mon Sep 17 00:00:00 2001 From: Peter Cai Date: Mon, 10 Oct 2022 16:16:50 -0400 Subject: [PATCH 1/3] Supress git errors when the pass store is not a git repo --- gocrypt.bash | 16 ++++++++++------ 1 file changed, 10 insertions(+), 6 deletions(-) diff --git a/gocrypt.bash b/gocrypt.bash index 37cf4ae..f0cacfa 100755 --- a/gocrypt.bash +++ b/gocrypt.bash @@ -32,6 +32,10 @@ gocrypt_die() { exit 1 } +_cmd_git() { + [ -d '.git' ] && cmd_git "$@" +} + gocrypt_derive_password() { local data="$1" local key="$2" @@ -94,10 +98,10 @@ gocrypt_init() { echo "# Gocrypt" >> .gitignore echo "gocrypt" >> .gitignore - cmd_git add .gitignore - $needs_passphrase && cmd_git add "$gocrypt_needs_passphrase_marker" - cmd_git add "$gocrypt_dir" - cmd_git commit -m "Initialized encrypted storage for gocrypt plugin" + _cmd_git add .gitignore + $needs_passphrase && _cmd_git add "$gocrypt_needs_passphrase_marker" + _cmd_git add "$gocrypt_dir" + _cmd_git commit -m "Initialized encrypted storage for gocrypt plugin" } gocrypt_open() { @@ -134,8 +138,8 @@ gocrypt_delegate() { # Delegate command to another `pass` instance that manages what is inside of the mountpoint PASSWORD_STORE_DIR="$PWD/$gocrypt_dec_dir" "$PROGRAM" "$@" # Commit if there has been changes due to this operation - cmd_git add "$gocrypt_dir" - cmd_git commit -m "Encrypted pass operation inside gocrypt" "$gocrypt_dir" || echo "No git commit created" + _cmd_git add "$gocrypt_dir" + _cmd_git commit -m "Encrypted pass operation inside gocrypt" "$gocrypt_dir" || echo "No git commit created" } gocrypt_crypt() { From 124a293a33c3d20152cd77bd15b9682d04e0bafc Mon Sep 17 00:00:00 2001 From: Peter Cai Date: Mon, 10 Oct 2022 16:18:30 -0400 Subject: [PATCH 2/3] Only allow alphanumeric passphrases for now We would need to sanitize the input for perl, or find a better way to do hmac_sha256 here. --- gocrypt.bash | 1 + 1 file changed, 1 insertion(+) diff --git a/gocrypt.bash b/gocrypt.bash index f0cacfa..d33c97c 100755 --- a/gocrypt.bash +++ b/gocrypt.bash @@ -67,6 +67,7 @@ gocrypt_init() { if $needs_passphrase; then echo -n "Enter passphrase: " read -s passphrase + [[ "$passphrase" =~ [^a-zA-Z0-9\ ] ]] && gocrypt_die "Only alphanumeric characters are allowed for now" local passphrase_confirm="" echo echo -n "Confirm passphrase: " From d6e7763de3fa1f5836bfb5879827ff229514619f Mon Sep 17 00:00:00 2001 From: Peter Cai Date: Mon, 10 Oct 2022 17:35:08 -0400 Subject: [PATCH 3/3] Add README --- README.md | 103 ++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 103 insertions(+) create mode 100644 README.md diff --git a/README.md b/README.md new file mode 100644 index 0000000..29c1d20 --- /dev/null +++ b/README.md @@ -0,0 +1,103 @@ +pass-gocrypt +=== + +An extension for [pass](https://www.passwordstore.org/) that hides part of the password files inside a subdirectory encrypted by +[gocryptfs](https://github.com/rfjakob/gocryptfs). + +`pass-gocrypt` serves a somewhat similar purpose as [pass-coffin](https://github.com/ayushnix/pass-coffin) and +[pass-tomb](https://github.com/roddhjav/pass-tomb) -- because `pass` does not encrypt the directory structure (metadata) by +default, anyone who has access to the password store is able to deduce what websites / services does the owner have accounts on. +Both `pass-coffin` and `pass-tomb` provide workarounds to this limitation by placing the entire password store inside an encrypted +format when unused, shielding metadata from offline attacks. + +This approach, in general, works perfectly fine, but comes with some shortcomings that, in the author's view, defeat the point of +using `pass`. For example, when a password store is locked inside a `coffin` or a `tomb`, you lose the ability to synchronize +the store using `git`, at least not without seriously compromising the security model of `coffin` and `tomb`. Furthermore, the +all-or-nothing approach renders the entire password store unusable on mobile clients of `pass` (again, at least without compromising +`coffin` and `tomb` themselves). + +In `pass-gocrypt`, only a subtree of the password store will be encrypted. This encryption is done transparently with `gocryptfs`, +with a password generated and managed by `pass` itself. You can optionally supply another passphrase when initializing this +extension, which will be used along with the one managed by `pass` to derive the symmetric encryption key used by `gocryptfs`. + +When the encrypted subtree is unlocked, it simply appears as a subdirectory +of the original password store (`gocrypt/`), and all read operations from `pass`, including from web browser plugins, can be done +without any special care (other than remembering to unlock the subtree first). The encrypted subdirectory is stored in the original +password store under `.gocrypt/`, and can be managed by `git` just like how it was without encryption. + +The biggest caveat of this is that write operations (such as `edit` and `generate`) **has** to be prefixed by the `gocrypt` subcommand +to ensure compatibility when the outer password store is a git repository. Without the prefix, git commits that are normally created +automatically by `pass` will not be generated during a write. See the Usage section of this document for examples. + +Installation +=== + +This extension is consisted of only one script, `gocrypt.bash`, and can be simply copied into the `.extensions` folder inside your +password store to be installed. You will need `PASSWORD_STORE_ENABLE_EXTENSIONS` to be set to `true` for `pass` to load the extension. + +Alternatively, the extension can be installed to the system extension directory in `/usr/lib/password-store/extensions`. + +Dependencies: + +- pass +- bash +- perl +- gocryptfs + +Usage +=== + +Please run `pass gocrypt help` after installation for detailed help. Below is a simple example of using `pass-gocrypt` to encrypt +a subset of your passwords. + +To initialize: + +```sh +pass gocrypt init +# With extra passphrase: +# pass gocrypt init -p +``` + +To generate a password inside the encrypted subdirectory: + +```sh +pass gocrypt generate "My/Password" +``` + +To view a password from inside the encrypted subdirectory: + +```sh +pass gocrypt show "My/Password" +# or simply: pass show "gocrypt/My/Password" +# or from any other pass-compatible GUI, when the subdirectory is opened +``` + +To move a password from outside of the encrypted subdirectory to inside: + +```sh +pass gocrypt crypt "My/Insecure Password" +``` + +To close (unmount) the encrypted subdirectory: + +```sh +pass gocrypt close +``` + +To re-open (mount) the encrypted subdirectory: + +```sh +pass gocrypt open +``` + +To make the encrypted subtree a git repository of its own: + +```sh +pass gocrypt git init +``` + +__Note__: This will allow changes inside the subdirectory to be recorded separately from the git repo of the outside password +store. This has the benefit of retaining the unencrypted changelog once the subdirectory is opened (decrypted). The git log +of the outside password store will still contain the encrypted form of the full inner repository, and the inner repository does +not need to be synchronized separately. This is **not** a recommended mode of operation, but some users may prefer to do this +to retain a full human-readable history of the encrypted part of their password store.