
Polarwave's OpenBSD
Tips and Tricks for Newbies

Password Keeper



Passwords and Personal Information

There are lots of programs around for storing passwords and personal information,
but I always like to do things with as many base system programs as possible. In this
case I do have to use gpg(1) from packages, but it's already installed since I use it on
a daily basis. So, the first thing to do if you don't already have it installed is to
install it (OpenBSD installs packages with pkg_add(1)):

$ sudo pkg_add gnupg
Now you need to generate your keys. Here's a typical scenario:
$ gpg --gen-key

You'll have to answer a bunch of questions:

a. What kind and size of key you want; the defaults are probably good enough, as long
   as you don't end up with a 1024-bit key like the one in the output further down.
   Anything under 2048 bits is too short today; pick RSA at 2048 bits or more.

b. How long the key should be valid. You can safely choose a non-expiring key
   for your own use. If you plan to use a key for public signing, you might
   want to consider a yearly expiration.

c. Your real name and e-mail address; these are necessary for identifying your
   key in a larger set of keys.

d. A comment for your key, perhaps to distinguish a key used for special tasks
   like signing software releases. The comment can be empty.

e. A passphrase. Whatever you do, don't forget it! Your key, and all your
   encrypted files, will be useless if you do.
Now that you've got that done, you need to create a text file with all your passwords,
information for different accounts, and whatever else you want to keep handy but
protected, too. After that, you need to encrypt it. Let's say you named the file
myinfo and you put it in ~/personal.
$ cd ~/personal
$ gpg --list-keys (note your key ID; the e-mail address on the key works for -r as well)
$ gpg --encrypt -r yourkey -o myinfo.gpg myinfo
$ chmod 600 myinfo.gpg
$ rm -fP myinfo (The -P switch makes rm overwrite the file before deleting it)
NOTE
In the example above we overwrote the text file before deleting it. If you want to do the
overwrite yourself, with random bytes rather than rm's own pattern, you can use the dd(1)
command. Either way, overwriting only helps on a filesystem that writes the new bytes
back to the same disk blocks, as FFS does; on flash media with wear levelling, or with
snapshots or backups around, the old contents can survive. Newer OpenBSD releases have
also dropped /dev/arandom; /dev/urandom gives you the same kind of data there.
You'll need the file's size in bytes first (the fifth column of ls -l):

$ ls -l afile

-rw-r--r-- 1 username  username  3769 Feb 23 03:11 afile

$ dd if=/dev/arandom of=afile bs=3769 count=1 conv=notrunc
1+0 records in
1+0 records out
3769 bytes transferred in 0.000 secs (7901468 bytes/sec)
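The dd step above wrapped in a POSIX sh function, as an added example that is not from the original page: it reads the size from the file itself instead of copying it from ls -l, handles files of any size in 4 KiB chunks, and checks that the size is unchanged afterwards before the file is removed. It assumes /dev/urandom (the name on current OpenBSD and everywhere else) rather than the page's /dev/arandom.

```shell
#!/bin/sh
# Added example: overwrite a file in place with random bytes, then unlink it.
# Generalises the dd(1) step above: the size comes from the file itself and
# large files are done in 4 KiB blocks plus a byte-sized tail, so a single
# short read from /dev/urandom cannot leave part of the file untouched.
# Assumes /dev/urandom exists. As with rm -P, this only helps on filesystems
# that write back to the same blocks (FFS does; flash/SSD may not).

# overwrite_file FILE: replace every byte of FILE with random data, keeping its size.
overwrite_file() {
    f=$1
    [ -f "$f" ] || return 1
    size=$(( $(wc -c < "$f") ))          # byte count, the same number ls -l shows
    blocks=$(( size / 4096 ))
    rest=$(( size % 4096 ))
    # whole 4 KiB blocks first; conv=notrunc keeps dd from truncating the file
    if [ "$blocks" -gt 0 ]; then
        dd if=/dev/urandom of="$f" bs=4096 count="$blocks" conv=notrunc 2>/dev/null || return 1
    fi
    # then the tail, one byte at a time so that seek= is a plain byte offset
    if [ "$rest" -gt 0 ]; then
        dd if=/dev/urandom of="$f" bs=1 count="$rest" seek=$(( blocks * 4096 )) \
            conv=notrunc 2>/dev/null || return 1
    fi
    # the size must be unchanged; if not, something above went wrong
    [ $(( $(wc -c < "$f") )) -eq "$size" ]
}

# wipe_file FILE: overwrite, then remove. Same intent as rm -P on OpenBSD.
wipe_file() {
    overwrite_file "$1" || return 1
    rm -f -- "$1"
}

# usage: wipe_file ~/personal/myinfo
```

Because the overwrite and the unlink are separate functions, you can run overwrite_file on its own and inspect the file (for example with hexdump) before trusting the wipe.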
Now you need to create a script that will make things even easier. I keep my personal
scripts in ~/bin. Below is the script I use.
#!/bin/sh
# Filename: dcgr.sh (decrypt and grep)
# Decrypt myinfo.gpg into a pipe and grep it; the plaintext never touches disk.
# gpg is left to prompt for the passphrase on the terminal itself. Passing it
# with --passphrase would put it on the command line, where ps(1) shows it to
# every user on the machine.

file="$HOME/personal/myinfo.gpg"

printf 'Enter the character string to grep for in myinfo.gpg: '
read -r n          # -r keeps backslashes in the search string literal

/usr/local/bin/gpg --decrypt "$file" | \
grep -i -- "$n"    # the -i switch makes grep perform case insensitive searching;
                   # quoting "$n" keeps a search string with spaces in one piece
Okay, set the permissions on the new script. You probably want to be the only one who
can run it or even see it, so do chmod 700 dcgr.sh. Let's say you're looking for your
password for your MySpace account.
$ ~/bin/dcgr.sh
Enter the character string to grep for in myinfo.gpg: (type it and hit enter)

gpg then asks for the passphrase itself (type it and hit enter), so the output to the
screen will look like this:

You need a passphrase to unlock the secret key for
user: "Your Name <mailuser@somewhere.net>"
1024-bit ELG-E key, ID XXXXXXXX, created 2009-02-22 (main key ID XXXXXXXX)

gpg: encrypted with 1024-bit ELG-E key, ID XXXXXXXX, created 2009-02-22
"Your Name <mailuser@somewhere.net>"

      myspace         mailuser@someplace.com B!gD@dDyN0bu(kZ1
I'm lazy and put a lot of stuff in my file in lower case. The above output shows myspace,
not MySpace, when it prints my search results. Hence the -i switch on grep(1). If you'd
like to quiet down gpg's output a little, you can add the --quiet switch to the command
string. Also, before going on, notice the really long password above that the search
found: a long string with numbers, symbols, and upper and lower case letters. Look at it
closely and you'll see it is a mnemonic for Big Daddy No Bucks 1. The 1 was tacked on
the end just to make the string an even 16 characters long. The longer and more diverse,
the better; keep in mind that cracking wordlists already include the usual letter-for-
symbol swaps (@ for a, 0 for o), so it is the length, not the substitutions, that does
most of the work. A word to the wise and paranoid.

One last thought. If you just want to decrypt the entire file to the screen, you can put
an alias in .kshrc something like:
alias info='/usr/local/bin/gpg --decrypt $HOME/personal/myinfo.gpg | less'
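The whole procedure above, from key generation through the decrypt-and-grep step, as one non-interactive script. This is an added example, not code from the original page. It assumes gpg 2.1 or later on PATH, uses a constructed name, e-mail address and notes line, and does everything inside a throw-away GNUPGHOME so your real keyring is untouched. It departs from the page in one deliberate way: the demo key is created with no passphrase (%no-protection) so the script can run unattended, which is exactly what you would not do for a real keeper file.

```shell
#!/bin/sh
# Added example: the keeper workflow in batch form, inside a temporary GNUPGHOME.
# Assumes gpg 2.1+ on PATH. The key has no passphrase so this runs unattended;
# for a real key delete the %no-protection line and gpg will prompt for one.

# keeper_demo [SEARCH]: generate a key, encrypt a sample notes file, remove the
# plaintext, then decrypt-and-grep for SEARCH. Returns grep's exit status.
keeper_demo() {
    search=${1:-myspace}
    home=$(mktemp -d) || return 1
    chmod 700 "$home"
    export GNUPGHOME="$home"

    # Steps a-e of the text, answered from a parameter file instead of prompts.
    # Name and address are constructed for the demo.
    gpg --batch --quiet --gen-key <<'EOF' || return 1
Key-Type: RSA
Key-Length: 3072
Key-Usage: sign
Subkey-Type: RSA
Subkey-Length: 3072
Subkey-Usage: encrypt
Name-Real: Keeper Demo
Name-Email: keeper@example.invalid
Expire-Date: 0
%no-protection
%commit
EOF

    # The notes file: one constructed line in the page's own layout.
    umask 077
    printf '%s\n' 'myspace   mailuser@someplace.com   B!gD@dDyN0bu(kZ1' > "$home/myinfo"

    # Encrypt to the key (-r accepts the e-mail address as well as a key ID),
    # then get rid of the plaintext. On OpenBSD use rm -P for the overwrite.
    gpg --batch --quiet --yes --encrypt -r keeper@example.invalid \
        -o "$home/myinfo.gpg" "$home/myinfo" || return 1
    rm -f "$home/myinfo"

    # dcgr.sh in one line: decrypt into a pipe and grep, plaintext never hits disk.
    gpg --batch --quiet --decrypt "$home/myinfo.gpg" | grep -i -- "$search"
    status=$?

    gpgconf --kill gpg-agent 2>/dev/null
    rm -rf "$home"
    return "$status"
}

# usage: keeper_demo myspace
```

The parameter file is the batch equivalent of the questions in steps a to e; for a real key, drop %no-protection and run the --gen-key step on a terminal so gpg can ask for the passphrase.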
Hope this makes it a little easier for anyone trying to keep their personal information
handy and still keep it safe, too.

Cheers!


No affiliation between this site and the OpenBSD project exists or is implied.
