Self-host Password Solution with NO sacrifice

GPG + ECC + Passwordstore + Git, Simple as duck

Writing abt Fries at The Pier
3 min read · Sep 23, 2024

What you will enjoy

Tell me if you think the features below are impossible to combine:
1. State-of-the-art cryptographic algorithms, a fully open-source solution, and widely available, well-maintained programs (not some random new sh*t);
2. One master key controlling all passwords, and convenient Chrome/mobile clients just like commercial solutions such as 1Password, so you don’t need to worry about forgetting things.
3. Passwords are encrypted and stored as files, with an arbitrary tree structure of accounts and any plain-text metadata.
4. The entire history of your passwords is Git-controlled and easy to back up and restore.

All of the above features work beautifully together using just the old classic tools mentioned in the subtitle. The whole stack takes 10 minutes to set up if you follow a tutorial, or a few hours if you’d also like to learn a bit about everything.

Core Components Explained

TL;DR: You will generate a strong “master” key to encrypt all your other passwords. The master key itself is further protected by a master passphrase you choose. Passwords are stored as encrypted text files, one file per account. You can still read and edit their original human-readable form with your key. Everything is a text file, so it can all be version-controlled by Git, and you can add whatever extra notes you like to each account. With Chrome extensions you can decrypt and copy a password on the fly when you log in.

Public-key cryptography is humanity’s state-of-the-art encryption technology, the same thing that secures trillions in wealth in the crypto world. It’s based on solid math but still simple to use. Encryption with such keys makes your passwords difficult and costly to crack.

Elliptic-Curve Cryptography (aka “ECC”) is the safest widely available algorithm used in public-key cryptography. It should be used by default when you generate a key.

GPG, i.e. GnuPG, is the OG and most popular key management system. It provides the CLI command gpg, which wraps the above cryptographic algorithms and offers a lot of encrypt/decrypt/sign/verify functionality.

Passwordstore is “the standard unix password manager”. It leverages GPG to encrypt and decrypt passwords and stores them as files. Its functionality is available through the CLI command pass.

All configuration and artifacts produced by the above tools are text files, so they live happily under Git control.

Self-host Them

Essentially, you only need two things to use and update your passwords anywhere:
1. A GPG key as the master key of your passwords;
2. A repo of your encrypted passwords.

#2 is safe, so feel free to store it on any cloud or even as a public Git repo (tho I don’t recommend it)! #1 is the one and only important piece: copy it carefully between your devices and don’t let it get lost or stolen.

It’s easy to sync #2 frequently using Git operations. #1 rarely changes, so it’s OK to copy it around manually.

Backup your master key like Voldemort — Shamir secret sharing

Public-key cryptography provides unparalleled security but acts like a double-edged sword: you lose all your passwords when you lose your key. Here’s the dilemma:
- If you just throw it onto some cloud drive, then it’s equivalent to storing your plaintext passwords there directly. You lose the security benefits;
- If you print it and store it in some personal nuclear-war-grade shelter, then it’s too inconvenient.

Thanks to mathematics (again!), Shamir secret sharing solves this. In layman’s terms, it lets you split the master key into 4 pieces, and with at least 2 pieces you are able to restore it (4 and 2 here could be configured to be any number between 2 and 255).
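
How the 2-of-4 split described above works, as an added example that is not from the original post or from any tool it uses: a byte-wise Shamir scheme over GF(2^8), the construction in which the share count tops out at 255. The function names and the sample secret in the test are constructed for illustration, and the choice of GF(2^8) is an assumption, since the post does not name its Shamir tool.

```python
import secrets

# GF(2^8) log/antilog tables (reduction polynomial 0x11B, generator 3).
EXP, LOG = [0] * 510, [0] * 256
x = 1
for i in range(255):
    EXP[i] = EXP[i + 255] = x
    LOG[x] = i
    x ^= (x << 1) ^ (0x11B if x & 0x80 else 0)  # x*3 = x*2 + x in GF(2^8)

def gf_mul(a: int, b: int) -> int:
    return 0 if a == 0 or b == 0 else EXP[LOG[a] + LOG[b]]

def gf_div(a: int, b: int) -> int:
    if b == 0:
        raise ZeroDivisionError("division by zero in GF(2^8)")
    return 0 if a == 0 else EXP[LOG[a] - LOG[b] + 255]

def split(secret: bytes, n: int = 4, k: int = 2):
    """Split secret into n shares; any k of them restore it."""
    if not 2 <= k <= n <= 255:
        raise ValueError("need 2 <= k <= n <= 255")
    shares = {sx: bytearray() for sx in range(1, n + 1)}
    for byte in secret:
        # Random polynomial of degree k-1 whose constant term is the byte.
        coeffs = [byte] + [secrets.randbelow(256) for _ in range(k - 1)]
        for sx, ys in shares.items():
            y = 0
            for c in reversed(coeffs):  # Horner evaluation at point sx
                y = gf_mul(y, sx) ^ c
            ys.append(y)
    return [(sx, bytes(ys)) for sx, ys in shares.items()]

def combine(shares) -> bytes:
    """Lagrange interpolation at x = 0 over the supplied shares."""
    xs = [sx for sx, _ in shares]
    if len(set(xs)) != len(xs) or len({len(ys) for _, ys in shares}) != 1:
        raise ValueError("shares must be distinct and of equal length")
    out = bytearray(len(shares[0][1]))
    for xi, yi in shares:
        weight = 1
        for xj in xs:
            if xj != xi:  # in GF(2^8), 0 - xj == xj and xj - xi == xj ^ xi
                weight = gf_mul(weight, gf_div(xj, xj ^ xi))
        for pos, y in enumerate(yi):
            out[pos] ^= gf_mul(weight, y)
    return bytes(out)
```

Each share is as long as the secret, and fewer than k shares interpolate to unrelated bytes rather than to a partial key.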

Now that you have everything in place, have fun and be secure!
