So I have Chromium (137), and Kwallet, and they work ok, Chromium saves and offers passwords on sites, and they are correct. But I want to backup my passwords to external drive (and there are another use cases when I need plain-text password, like console github login), so I opened Chromium password manager - and it was empty. No passwords at all. Offering passwords on login screen still works OK. Do you know how I can extract passwords from 'Login Data' sqlite using Kwallet key (I tried kwalletcli -f "Chromium Keys" -e "Chromium Safe Storage" and it returned me something looks like a key) or just make Chromium password manager work? Thanks

A few years ago, I read about secrets being passed to commands without displaying and in an automated or scripting manner. Is possible to do this using pass? I figure if it is setup in a way in which upon boot something similar to ssh-agent to keep the GPG encryption key in memory.

Is there a way to encrypt single files with a Yubikey that doesn't use OpenPGP? I use my Yubikey for ssh logins and encrypting individual files (password stores.) The Yubikey is operating in CCID mode only (I don't currently use OTP or U2F.) All operations require the physical presence test. Up until now I've been using my Yubikey as an OpenPGP smart card along with: - gpg-agent --enable-ssh-support for ssh support; and - gnupg.vim plugin for encrypting files. GnuPG is clunky, unreliable, and hard to script. I'd like to stop using the Yubikey in this mode. I have another Yubikey that is configured as a NIST PIV smart card. I use OpenSSH's PKCS11 support and a regular ssh-agent. This is much more reliable than the gpg tools, but it *doesn't provide the individual-file-encryption support*. As I see it, there are a few possible options to using a PIV smart card for individual file encryption: - some sort of ssh-agent + vim hack? - maybe there's a seamless PKCS11 based file encryption tool? - using one of the other slots on the yubikey for file encryption, maybe with OpenSC or some of libccid stuff? - open source password manager that talks directly to the Yubikey?

I found many guides on how to mount a NAS drive via fstab. Quite some enter username and password right into the fstab file, others use a file .smbcredentialsfor that. I'd like to manage all my credentials with KeePassXC or some other portable database. Is there a way to tell the fstab fetching the username and password from such credential manager? My probably-a-lot-of-work-around idea was, to use some kind of [scriptfs](https://github.com/frodonh/scriptfs) (_this one seems unmaintained, but maybe there is a modern alternative_) to create a virtual filesystem, exposing a virtual file as proxy between the password store and the fstab (.smbcredentials). So any hints in this direction may be appreciated, if no simpler solution is available.

I need to connect by SSH to a remote server that does not accept SSH keys. They only allow SSH authentication by username and password. Is there a way to setup things such that my terminal (or shell, or something) remembers my password for this remote, so I don't have to type it every time I login?

I have been using pass (cli pw manager) for a couple of years now, and I just started using yubikeys. I have (2) YKs which I configured as duplicates of each other, transferring the same gpg subkeys (S, E, and A) to each one. I added the YK gpg-key id to my ~/.password-store/.gpg-id file, and re-initialized the store to re-encrypt the entries using the new key. I can now use pass with either of my YKs to open a password-store entry using pass, however, when I try either to edit an existing entry or to add a new one, I am met with:

$pass add test
Enter password for test: 
Retype password for test: 
gpg: B7C0xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx1BB7: skipped: No public key
gpg: [stdin]: encryption failed: No public key
Password encryption aborted.

A check on the key returns:

$gpg -K YUBI
sec#  rsa4096/289xxxxxxxxxx8B5 2024-11-01 [SC] [expires: 2034-10-30]
      Key fingerprint = 8C6B xxxx xxxx xxxx xxxx xxxx xxxx xxxx xxxx 58B5
      Keygrip = E7608xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx37AFD
uid                 [ultimate] Fname Lname (YUBIKEY) 
ssb>  rsa4096/130xxxxxxxxxxA7D 2024-11-01 [S] [expires: 2034-10-30]
      Keygrip = 18DD9xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx1599B
ssb>  rsa4096/A39xxxxxxxxxxEBD 2024-11-01 [E] [expires: 2034-10-30]
      Keygrip = 5BD06xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx8B9FD
ssb>  rsa4096/779xxxxxxxxxxBAA 2024-11-01 [A] [expires: 2034-10-30]
      Keygrip = 0A10BxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxAFA2F

and

gpg -k YUBI
pub   rsa4096/289xxxxxxxxxx8B5 2024-11-01 [SC] [expires: 2034-10-30]
      Key fingerprint = 8C6B xxxx xxxx xxxx xxxx xxxx xxxx xxxx xxxx 58B5
      Keygrip = E7608xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx37AFD
uid                 [ultimate] Fname Lname (YUBIKEY) 
ssb>  rsa4096/130xxxxxxxxxxA7D 2024-11-01 [S] [expires: 2034-10-30]
      Keygrip = 18DD9xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx1599B
ssb>  rsa4096/A39xxxxxxxxxxEBD 2024-11-01 [E] [expires: 2034-10-30]
      Keygrip = 5BD06xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx8B9FD
ssb>  rsa4096/779xxxxxxxxxxBAA 2024-11-01 [A] [expires: 2034-10-30]
      Keygrip = 0A10BxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxAFA2F

Trying to re-import the **pub** made no changes, as expected. Encrypting a file like: $ gpg -r YUBIKEY -e file then decrypting it with: $ gpg -d file.gpg works as expected. I am prompted for the passphrase and file contents are listed afterward. Now I am confused and unsure what the issue is. If anyone has any suggs or advice I would sure appreciate it. Thks.

Is it possible to store the Firefox Primary Password (formerly known as the Master password) using the freedesktop secret service dbus API, in order to bypass the password prompt when Firefox starts and attempts to sync? If this were possible, the primary password would be stored in your local password manager (such as KWallet, gnome-keyring, KeePassXC, ...)."

I have two arch linux machines: desktop & laptop; Both have pass as the password manager, with the same gpg key, versions, passwords; but when asking for password on the laptop popup that asks for master key is instantaneous, while desktop can take up to a minute. Any ideas?

$ time pass 10fastfingers.com
*********
pass 10fastfingers.com  0.02s user 0.01s system 0% cpu 28.751 total

$ gpg --version
gpg (GnuPG) 2.2.32
libgcrypt 1.9.4-unknown
...

I am trying to use the Secret Service (not NSA/CIA, but the Linux one, through secret-tool command) outside of X. I managed to use it with kwalletd and with keepassxc. But kwalletd needs KDE and hence graphic environment, and keepassxc is a pain because it asks for authorizations every-single-time it is used. Is there a way to use the Secret Service outside X?

If KeePassXC is sandboxed [in a Flatpak](https://flathub.org/apps/details/org.keepassxc.KeePassXC) , browsers can only access it, if they are _not_ sandboxed, i.e. installed as an deb/rpm package or similar on the host. Sandboxing both the browser, i.e. [Firefox](https://flathub.org/apps/details/org.mozilla.firefox) , and KeePassXC – or at least the browser and installing KeePassXC natively, which you'd actually want for security reasons – is not possible. TL;DR: * this should work out-of-the box: Firefox (host-installed), KeePassXC (flatpak from flathub) * this does not: Firefox (sandboxed), KeePassXC (host or sandboxed, does not matter) So how to make that communication work?

I have a keepassxc database with passwords on my laptop with Lubuntu. I have a backup on flash drive via rsync. I'd like to use the same database on my Android phone and Windows machine at work as well. What is the most efficient and secure way to have a database synchronized (actual) and utilize it on all of these devices? Now, I have an idea of a cumbersome solution. To bring the flash with synchronized database every day to my work and have another copy on Android phone. What is a better solution?

The pass program is a command line utility to store passwords plus free form extra data in small files encrypted with gpg. It provides a grep sub-command in particular to find passwords by the extra data. But this grep sub-command is painfully slow on my machine. I have nearly 200 passwords stored and internally each file is decrypted with gpg like so (without the time in front, of course):

% time gpg -d --quiet --yes --compress-algo=none --no-encrypt-to stackoverflow.gpg
  the password output
user=0,000 sys=0,006 wall=0,382 (1,61)

Wall time is nearly 0.4 seconds which adds up to around 1 minute to grep through all files. The gpg-agent is running and I have this version: > gpg (GnuPG) 2.2.27 Two suspicions why this is slow: 1. Startup of gpg and communication with gpg-agent is slow, supported by the fact that user+sys times are small in comparison. 2. gpg-agent is slow, supported by the fact that after a pass grep run its cumulative CPU time is increased by 60 seconds, nicely matching the total time of the complete run. Together, both point to gpg-agent, though I have no idea why the agent should be so slow. With ps I see it running as

/bin/gpg-agent --sh --daemon

Can someone shed some light on whether ~ 0.3 CPU seconds is reasonable for the agent per file or whether there is a way to improve this? EDIT: **Further Findings** Attaching strace to the agent, I find this:

20200 14:57:03.701648 getrusage(RUSAGE_SELF, {ru_utime={tv_sec=133, tv_usec=890780}, ru_stime={tv_sec=0, tv_usec=99975}, ...}) = 0
20200 14:57:03.701666 clock_gettime(CLOCK_PROCESS_CPUTIME_ID, {tv_sec=133, tv_nsec=990762100}) = 0
20200 14:57:04.063523 getpid()          = 18035

where we have 360ms between clock_gettime and the getpid call. And with ltrace:

20472 15:04:55.035574 strlen("my-password-here")                                                      = 10
20472 15:04:55.035641 gcry_kdf_derive(0x7d884b82c008, 10, 19, 2)                                = 0
20472 15:04:55.394727 gcry_cipher_setkey(0x7d884b82cbc0, 0x7d884b82c030, 16, 0x7d884b83c000)    = 0

So gcry_kdf_derive takes 360ms. Whatever it does, can I get it to cache its result for a few seconds with some config setting. (... goes fetching the source code).

Recently, I’ve tried to install nheko, a Matrix client, but I failed using it because it complains it cannot store password and other secrets because there are no providers for org.freedesktop.secrets available on my machine. Not knowing what that meant, I googled it, and found out it’s some standard API for a keyring, the example implementation being GNOME Keyring. Since I use neither Gnome nor KDE, I don’t really want to use software that’s supposed to integrate in these DE, so I looked for alternatives, and I found pass secret service, which is a provider for org.freedesktop.secrets using the GNU Pass backend, which is a good thing for me because I otherwise use pass as my password manager. I tried installing using it by enabling services.passSecretService system-wide, then rebooted. However, that didn’t work: nheko now complains that it timeouts when it tries to store things, and retrieving passwords using GNU Pass takes a significant amount of time. I suspect the issue is the following: - whenever my GPG key is required, the GPG agent tries to obtain the password, first by checking if it’s in the keyring, and resorting to pinentry (ie. a password-asking popup) otherwise - my GPG key is required both when trying to read and write in the password store using GNU Pass, because it has to uncipher the crypted passwords, and because when it writes something, it commits it to the underlying repo, which in turn tries sign the commit using the same key. - checking if a secret information is in the keyring requires reading the password store, since I’ve connected the keyring interface to the GNU Pass backend. That creates a cycle: whenever I need to get the password of my GPG key, it tries to query the keyring first, which in turn queries the password store, which in turns asks GPG the decipher its content, which in turn makes GPG try to get the password for the key, … This, I think, ends with a timeout, explaining why nheko fails with an error message about a timeout, and why the password store takes more time to retrieve the password: it just fails to get the password until the timeout occurs, and then it reverts to asking me for the password. How can I setup things properly to avoid these issues? Ideally, the solution would be not to put GPG key passwords in the keyring at all, if my understanding of the situation is correct.

I just migrated from keepassxc to the linux pass password utility. But I often find myself **su**'ing to my user's account from another user's session, and when I try to run any pass commands on entries in my store, I get a "no secret key" error, which seems odd to me because I would think when one logs into their shell account that everything associated with that user would be available at the cli. So how then can I **su** into my user's account from another's user's session in a way that I can access my gpg keys and manage my pass files?

I'm using the pass for quite a long time; but after exporting my key storage and gpg keys to another machine I see following output: $ gpg --list-key /home/shved/.gnupg/pubring.gpg ------------------------------ pub 2048R/FA829B53 2015-04-28 uid [ultimate] Yury Shvedov (shved) sub 2048R/74270D4A 2015-04-28 My key imported and trusted, but not usable: pass insert test Enter password for test: Retype password for test: gpg: 2048R/FA829B53: skipped: No public key gpg: [stdin]: encryption failed: No public key fatal: pathspec '/home/shved/.password-store/test.gpg' did not match any files What can I do to use my key again?

I Have rented a VPS and I want to encrypt it's data, at least on the /home directory, because I don't want the owners of the VPS to have a look at the content of my data. But the server **already has data** on it. my questions are: 1- /home isn't a separate partition, neither /boot .. in this case can I encrypt it? 2- How would the server boot, it's running headless, and I don't have access to it. 3- I have a trusted server on my home, can I use it somehow to hold the password so the VPS server would access it and get the password hash and boot? Thanks a lot, have a nice day.

I've installed pass-import via pip.

pip install pass-import

Defaulting to user installation because normal site-packages is not writeable
Requirement already satisfied: pass-import in ./.local/lib/python3.12/site-packages (3.4)
Requirement already satisfied: pyaml in /usr/local/lib/python3.12/site-packages (from pass-import) (23.9.7)
Requirement already satisfied: zxcvbn in /usr/local/lib/python3.12/site-packages (from pass-import) (4.4.28)
Requirement already satisfied: requests in /usr/lib/python3.12/site-packages (from pass-import) (2.28.2)
Requirement already satisfied: PyYAML in /usr/lib64/python3.12/site-packages (from pyaml->pass-import) (6.0.1)
Requirement already satisfied: charset-normalizer=2 in /usr/lib/python3.12/site-packages (from requests->pass-import) (3.2.0)Requirement already satisfied: idna=2.5 in /usr/lib/python3.12/site-packages (from requests->pass-import) (3.4)
Requirement already satisfied: urllib3=1.21.1 in /usr/lib/python3.12/site-packages (from requests->pass-import) (1.26.18)

but when I try to execute:

pass import bitwarden bitwarden_export_20240104164527.json
Error: import is not in the password store.

This is my path:

/home/hhlp/.local/bin:/usr/lib64/ccache:/usr/local/bin:/usr/local/sbin:/usr/bin:/usr/sbin:/opt/p4v/bin:/opt/p4v/bin

but I think is not enough to make it work. https://github.com/roddhjav/pass-import#readme one solution is this, from fedora COPR repo just enable and install it https://copr.fedorainfracloud.org/coprs/tofik/password-store/packages/

sudo dnf copr enable tofik/password-store

and then install it

sudo dnf install pass-import

but I would like to do it with the official one under pip.

I use *Aerc eMail-client* on Archlinux. I have an **gmail**-account, which I was setting up like this: . So I integrated the special password-App. How can I integrate pass password-manager in my aerc eMail client? So that I don't have to insert plaintext password in my ~/.config/aerc? The wiki is too cryptic for my level:

Unfortunatelly I made mistake somewhere but can't get where. I had issues with ssh and github, tried different things and they didn't work. Later I decided .. i think.. moved file i balieve it was home/username/known.hosts or smth like that. Additonally I deleted everything from folder, where id_25519 and id_25519.pub files (maybe they are related to github, i don't know). And somewhere in between or afteer all. I could not provide my password in terminal. I 200% sure it's correct, no caps/num/ other things used. and now i can't log in to my linux mint cinamon 20. I will really appreciate any help how can I recover my laptop. It starts, but requires pass. And I can't understad how coudl it change ......

I have a NAS I want to mount on access. I can do this by adding //xxx.xxx.xxx.xxx/directory /mountpoint smb3 x-systemd.automount,credentials=home/user/.smbcredentials 0 0 to my fstab. I also want to centralize my passwords using pass passwordmanager. No problem, I can do: mount -t smb3 //xxx.xxx.xxx.xxx/directory /mountpoint -o username=user,password=pass home/localnetwork If the GPG-key passphrase is not cached yet, it will promt me to enter it, otherwise it will mount the directory immediatly. This is nice. Now I want to do this using fstab, however: //xxx.xxx.xxx.xxx/directory /mountpoint smb3 x-systemd.automount,username=user,password=pass home/localnetwork 0 0 Does not work. Any proper (or hacky) idea how to achive the intended behavior? Edit: I am runnig manjaro with Linux 6.1 kernel.