So, I’ve been using keepassxc for some time now, but I wanted a viable alternative for command line usage (there is keepassxc-cli, that I use, but it is really a pain in the ass). So, I searched and found pass and gopass.

However, I’ve seen that they store each entry in a gpg encrypted file, inside a plain directory hierarchy. And, don’t get me wrong, I believe that there are use cases for this, but if someone got their hands in your password_store, they would know every single login that you have (the only information that is protected is the password, or whatever is in the gpg file).

So, my question is: is there a CLI-based password manager that encrypts the whole database, and not the single entries?

Update: there is a pass extension made specifically to address this issue

  • Arkhive (they/she)@lemmy.blahaj.zone · 2 upvotes · 5 hours ago

    I use Unix pass, and used KeePassXC before that. When I was switching I shared the concern about the names and structure of my passwords. A couple of things convinced me it was fine.

    First: It’s an arbitrary folder structure. You can name the folders whatever you want. Same is true for individual files. There is a field you can populate with the url the password is for, and when using browser extensions, or a mobile Unix pass manager, they use this field to check which password to offer, so the name of the encrypted file can be anything and so I often name them seemingly random things.

    Second: how I chose to sync them made it kind of a non-issue. Some people literally store their password store folder on GitHub. This freaked me out a bit for the reason you are concerned, people even knowing the names of my files. The solution was to self host a git repo on my home LAN and then using Tailscale sync my devices to it from anywhere. Could also be done with syncthing, but the mobile app I use has git functionality built in. This way none of my files even touch the clear net, so I worry a lot less about people knowing the names of my passwords.

  • harsh3466@lemmy.ml · 9 upvotes · 2 days ago

    With pass, everything in the store is gpg encrypted. Unless they have your master password, getting the password_store itself will give them nothing but encrypted data blobs.

    Imo pass is great for CLI password management

    • grumt@lemmy.ml (OP) · 2 upvotes · 2 days ago

      So even the sub-directories of the password store are encrypted? For example, even if I put my password in the name of a subdirectory, they wouldn’t be able to see it?

      • ebc@lemmy.ca · 4 upvotes · 2 days ago

        No, only the file contents are encrypted. The file names and folder structure are visible to anyone who has access to the files.

        The files themselves can contain a ton of stuff if you want, but the convention is to put the password on the first line and that’s what “pass -c my/file” will copy.
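        An added example (not code from this thread or from pass itself) that makes the point above concrete: it builds a pass-style store layout with placeholder ciphertext bodies and reports what an observer learns from the directory tree alone, without decrypting anything. The store layout and entry names are constructed for the demonstration.

```python
import tempfile
from pathlib import Path

# Constructed sample layout standing in for ~/.password-store. Bodies are
# placeholder PGP armour text; real pass writes gpg ciphertext here.
SAMPLE_STORE = {
    "email/gmail.com/alice.gpg": b"-----BEGIN PGP MESSAGE-----\n...\n",
    "social/slrpnk.net.gpg": b"-----BEGIN PGP MESSAGE-----\n...\n",
    "work/vpn.gpg": b"-----BEGIN PGP MESSAGE-----\n...\n",
    "x9k2q.gpg": b"-----BEGIN PGP MESSAGE-----\n...\n",  # deliberately opaque name
}

def build_store(root: Path, layout: dict) -> None:
    """Write the layout to disk the way pass does: one file per entry."""
    for rel, body in layout.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(body)

def exposed_entries(root: Path) -> list:
    """Entry names anyone holding a copy of the store can read.
    Nothing is decrypted; this is purely the directory listing."""
    return sorted(p.relative_to(root).as_posix()[:-len(".gpg")]
                  for p in root.rglob("*.gpg"))

def service_hints(entries: list) -> list:
    """Entries with a hostname-looking path component, i.e. the ones that
    tell an observer which services you hold accounts with."""
    return [e for e in entries
            if any("." in part and not part.startswith(".") for part in e.split("/"))]

def audit(layout: dict = SAMPLE_STORE) -> dict:
    """Build the store in a scratch directory and report what leaks."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_store(root, layout)
        entries = exposed_entries(root)
        # Bodies stay opaque: check they are armour rather than read secrets.
        opaque = all((root / f"{e}.gpg").read_bytes().startswith(b"-----BEGIN PGP")
                     for e in entries)
    return {"entries": entries, "service_hints": service_hints(entries),
            "contents_opaque": opaque}

if __name__ == "__main__":
    report = audit()
    print(f"{len(report['entries'])} entries visible without decryption:")
    for e in report["entries"]:
        mark = "  <- reveals a service" if e in report["service_hints"] else ""
        print(f"  {e}{mark}")
```

Running it against a real store instead of the constructed layout only requires pointing `exposed_entries` at `~/.password-store`; the obfuscated-name entry shows the renaming workaround discussed elsewhere in the thread.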

        • grumt@lemmy.ml (OP) · 2 upvotes · 2 days ago

          Hmm, I get it. As I said, I think there are good use cases for it, especially because of the simplicity, but I personally prefer to have the entire database encrypted, kinda like keepassxc does.

          • ebc@lemmy.ca · 3 upvotes · 2 days ago

            pass probably isn’t for you then, unless you find a wrapper or something that lets you put all in one file. I’ve switched to keepassxc as well, I could never get the browser integration to work with pass.

  • TechieDamien@lemmy.ml · 2 upvotes · 2 days ago

    It depends how you use it. There is no requirement as to how you set up your directory structure, so you could have one file “passwords” with all your credentials in, including the website. That would break a lot of plugin’s functionality though.

  • christopher@programming.dev · 2 upvotes · 2 days ago

    I’m using the Gnome Keyring on my Arch Linux system with Xfce desktop environment, and access its secrets from the command line with secret-tool, but I believe KeepassXC also supports the DBus Secret Service API, so that you can use secret-tool with it also.

  • Xanza@lemm.ee · 3 upvotes · 2 days ago

    but if someone got their hands in your password_store

    There’s really no way around this. If someone “gets their hands on” your anything you’re pretty much fucked. Pass is good enough privacy to justify its usage.

    • grumt@lemmy.ml (OP) · 4 upvotes · edited · 2 days ago

      I agree, but picture this: if someone gets their hands on a kdbx database, they would need to brute force the master password; they couldn’t possibly know any sites or logins. On the other hand, if someone got your password store, and you used this hierarchy structure, they could try to attack the logins directly, which increases the attack surface. That being said, yes, I completely agree with your last statement.

      Edit: For example, if you want to host the password database with a hosting service not owned by yourself, pass is entirely out of the question in this case. A kdbx database, however, would offer a good deal of privacy.

      • Xanza@lemm.ee · 2 upvotes · 2 days ago

        On the other hand, if someone got your password store, and you used this hierarchy structure, they could try to attack the logins directly

        The .pass file is encrypted just like the kdbx database and is also protected by a password. Apples to apples, it’s the same amount of security.

        • Prunebutt@slrpnk.net · 4 upvotes · 2 days ago

          OP is talking about the meta-structure being visible.

          If my filesystem gets compromised (stolen, confiscated, etc.) and I use pass, the infiltrators will know that I have a password that I labeled “slrpnk.net”. They won’t have access to the password itself, but they’ll be able to determine all the services I have accounts at.

            • Prunebutt@slrpnk.net · 3 upvotes · 1 downvote · edited · 2 days ago

              That’s a non-sequitur.

              How is encrypting the metadata, as well as the data, security through obscurity? O.o

              • Xanza@lemm.ee · 1 upvote · 1 downvote · 2 days ago

                Because if the data is secure, it makes no difference if a bad actor knows you have an account with a service or not. In the same way, I’m sure I could scrape lemmy for usernames and assume those usernames are emails, but that doesn’t mean your account is less secure for using your email prefix as your lemmy username.

                This is an example of security through obscurity. Not even the usernames are exposed IIRC. It’s just the domain/service. Hell, I could guess that you have a gmail account. That doesn’t make your account less secure for me knowing that.

                • Prunebutt@slrpnk.net · 3 upvotes · 2 days ago

                  Because if the data is secure, it makes no difference if a bad actor knows you have an account with a service or not

                  Bullshit. It’s not about the obvious services, but rather the ones that give more info about my profile.

                  If the police confiscates my PC because of e.g. piracy, they could nail me down if they also knew that I had an account at a darkweb marketplace, or that I am a member of an organization that’s deemed to be “terrorist”.

                  The only way to hide that info with pass is to give it a cryptic name, which makes it less obvious what the account is actually for. That is both inconvenient and, I would argue, also quite security through obscurity.

                  This is an example of security through obscurity.

                  It is not. Security through obscurity relies on having a visible secret hidden somewhere where “no one would think to check”. That’s different than encrypting the whole meta-structure of your digital life.