Android-Password-Store
Discontinued Android application compatible with ZX2C4's Pass command line application [Moved to: https://github.com/android-password-store/Android-Password-Store] (by zeapo)
-
passage
Password store and secret manager using age encryption. This is my attempt to replace passwordstore's use of PGP, with age encryption. I am sure there are more elegant ways to accomplish this, but it is working for my purposes. (by chrisswanda)
-
docker-credential-helpers
Programs to keep Docker login credentials safe by storing in platform keystores
-
yubitouch
Bash script for setting or clearing touch requirements for cryptographic operations in the OpenPGP application on a YubiKey 4
-
rage
A simple, secure and modern file encryption tool (and Rust library) with small explicit keys, no config options, and UNIX-style composability.
-
age
A simple, modern and secure encryption tool (and Go library) with small explicit keys, no config options, and UNIX-style composability.
Sadly no yubikey support though - https://github.com/mssun/passforios/issues/42
The stdout from `pass` is awful, even for copy-pasting. OTOH, gopass [1], an otherwise 100% compatible drop-in replacement does the job much better and has some neat collaborative features as well.
[1] https://github.com/gopasspw/gopass
FYI for those interested in CLI password management, there is a pretty good CLI for LastPass called lpass that even supports your Yubikeys.
https://github.com/lastpass/lastpass-cli
There is a pass import plugin allowing you to import Bitwarden CSV
https://github.com/roddhjav/pass-import
Maybe you can "bridge it" with bitwarden-cli via some export/import commands, or may as well use bitwarden-cli directly (but I find the pass UI much better than the bw CLI command)
You can do this by mounting procfs with the hidepid= option. But it breaks systemd when enabled system-wide: https://github.com/systemd/systemd/issues/12955
Individual units can opt-in to this behaviour with the ProtectProc= option though. But I don't think there's currently a good way to apply it to users' interactive processes.
I also use this for OTP tokens instead of my phone!
https://github.com/tadfisher/pass-otp
I use pass with Emacs, using this package [1], and it's very nicely integrated and useful.
[1] https://melpa.org/#/pass
Here's one I have been playing with with success.
https://github.com/chrisswanda/passage
Oh dammit. I have stopped using Gopass and started rewriting pass just for that reason - missing AGE encryption. At least I have learned something new and I feel better while my fuzzy finder UI instead of their TUI. However, big kudos to Gopass team for awesome work and really useful tool.
Before I start working on next project... Do you recognize any mobile app, which could replace PasswordStore.app for Android but with AGE support?
[0]: https://github.com/android-password-store/Android-Password-S...
Docker supports a credential-helper module[0], which supports 4 different backends for fetching the docker registry credentials: osxkeychain, pass, wincred, and secretservice.
pass lets you use GPG-smartcards, and many of those (such as Yubikeys) will let you enforce touch-policies for signing/encryption.
As a combination of both these however, I must touch my Yubikey every time I pull a new docker image.
Another cool use-case is that I use the terraform-pass-provider to save secrets for my personal terraform project.
[0]: https://github.com/docker/docker-credential-helpers
Here's a script that will set that mode, in case you'd like to use it. It prevents someone/malware from being able to use your key after you've unlocked it. For example if you hacked my computer and tried to use it to ssh to another machine you'd be unable because you'd need me to tap the key.
I'd suggest trying 'on' before 'fix', but then switching to 'fix' for the extra security it provides.
https://github.com/a-dma/yubitouch
Besides pass-tomb, there's also pass-coffin which doesn't need to rely on a 3k+ line ZSH script. I'll add support for using age and signify in pass-coffin soon.
https://github.com/ayushnix/pass-coffin
As yepguy mentioned, AGE is simpler. I can also mention a few things:
- It works smoothly with SSH keys (generated from ssh-keygen), which are perfectly recognized by possibly any developer.
- No need for external client, such as OpenKeychain for Android or GpgWin/Kleopatra for Windows.
- Embed-able in Rust[0] and Go[1] (there are libraries), no need to call `gpg --decrypt ...` from the command line.
- Encrypted files by pass and keys are smaller. I guess it is thanks to elliptic-curve encryption.
[0]: https://github.com/str4d/rage
[1]: https://github.com/FiloSottile/age