WIP: Production release #6
91
content/posts/pass-android-yubikey.md
Normal file
@@ -0,0 +1,91 @@
+++
title = "Unix pass and Android Password Store with YubiKey"
date = 2025-01-01
description = "Setting Up Unix pass with YubiKey and Android Password Store"
+++

Using a secure and versatile password manager is a must for managing your digital life, and [pass](https://www.passwordstore.org/), the Unix password manager, is a fantastic choice. If you store your GPG key on a YubiKey and use the [Android Password Store](https://github.com/android-password-store/Android-Password-Store) app with [OpenKeychain](https://github.com/open-keychain/open-keychain), this guide will help you set everything up while addressing a common compatibility issue with `throw-keyids` in `gpg.conf`.

## What You’ll Need

- A YubiKey configured with your GPG key (see the excellent [YubiKey-Guide by drduh](https://github.com/drduh/YubiKey-Guide)).
- The [pass](https://www.passwordstore.org/) command-line utility.
- [OpenKeychain](https://github.com/open-keychain/open-keychain) installed on your Android device.
- The [Android Password Store](https://github.com/android-password-store/Android-Password-Store) app.

## Configuring `pass` with a YubiKey-Stored GPG Key

1. **Set up your YubiKey and GPG key**
- Follow the steps in [drduh’s YubiKey guide](https://github.com/drduh/YubiKey-Guide) to create and configure your GPG key on your YubiKey.

2. **Install `pass`**
- Install the `pass` utility on your Linux system. Most distributions have it in their package repositories:

```bash
apt install pass # For Debian/Ubuntu-based distros
xbps-install -S pass # For Void Linux
```

3. **Initialize `pass` with your GPG key**
- Run the following command to initialize the `.password-store` directory:

```bash
pass init <KEYID>
```
- Replace `<KEYID>` with your GPG key ID stored on the YubiKey.

4. **Sync passwords to your Android device**
- Clone your `.password-store` repository to your Android device and set up the `Password Store` app with `OpenKeychain`.

## The `throw-keyids` Issue

While working through this issue, I found a helpful discussion in [GitHub issue #173](https://github.com/android-password-store/Android-Password-Store/issues/173) for the Android Password Store repository. This thread provided insights that clarified the root cause of the problem and its resolution.

During setup, you might encounter an error in the Android Password Store app. OpenKeychain could report that the `.gpg` files are encrypted for a different key, even if they are not. This issue arises due to the `throw-keyids` option in `~/.gnupg/gpg.conf`.

### What Does `throw-keyids` Do?

The `throw-keyids` option in `gpg.conf` hides the recipient’s key ID during encryption. While this enhances privacy by preventing others from identifying the intended recipient(s), it can cause issues with OpenKeychain. OpenKeychain relies on visible key IDs to identify the correct decryption key, and without them, it assumes the files were encrypted for an unknown key.

### Fixing the Issue

To resolve this, you need to disable `throw-keyids` and re-encrypt your password store.

1. **Comment Out `throw-keyids` in `gpg.conf`**
- Open `~/.gnupg/gpg.conf` in your favorite text editor and comment out the line:

```
# throw-keyids
```

2. **Re-encrypt Your Password Store**
- Run the following command to re-encrypt all passwords with the new GPG options:

```bash
PASSWORD_STORE_GPG_OPTS="--no-throw-keyids" pass init <KEYID>
```

- Replace `<KEYID>` with your GPG key ID.

3. **Optional: Update Your Environment**
- To ensure `--no-throw-keyids` is always used, add the following line to your `~/.bashrc`:

```bash
export PASSWORD_STORE_GPG_OPTS='--no-throw-keyids' # Fix for OpenKeychain
```

- While this step is not strictly necessary (since the change in `gpg.conf` resolves the issue), it can serve as a safeguard.

4. **Sync the Updated Password Store**
- Push the updated `.password-store` to your remote repository and pull it on your Android device.

## Conclusion

With these steps, you can seamlessly use `pass` with a YubiKey and the Android Password Store app. The issue with `throw-keyids` is a minor hurdle that can be resolved by adjusting your `gpg.conf` and re-encrypting your password store. Disabling `throw-keyids` makes your key IDs visible, which slightly reduces privacy but is necessary for compatibility with OpenKeychain.

For further details on `pass`, GPG, or YubiKey, refer to their respective documentation. A secure password manager setup like this ensures your sensitive information stays safe across devices.

# References
- [Standard unix password manager](https://www.passwordstore.org/)
- [drduh's YubiKey Guide](https://github.com/drduh/YubiKey-Guide)
- [Android Password Store issue](https://github.com/android-password-store/Android-Password-Store/issues/173#issuecomment-453686599)
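Review bot: both sync steps (step 4 under "Configuring `pass`", "Clone your `.password-store` repository", and step 4 under "Fixing the Issue", "Push the updated `.password-store` to your remote repository") assume the store is already a git repository with a remote, but nothing in the post creates one. Between `pass init <KEYID>` and the clone step, add a step along the lines of `pass git init` followed by `pass git remote add origin <REMOTE-URL>` (pass forwards `pass git ...` to git inside the store), and spell out the push in the later step as `pass git push`, so a reader following the guide top to bottom has something for the Android app to clone. Two smaller points: since step 1 already removes `throw-keyids` from `gpg.conf`, the `PASSWORD_STORE_GPG_OPTS="--no-throw-keyids"` prefix in step 2 is a belt-and-braces measure rather than "the new GPG options", which step 3 acknowledges but the wording of step 2 does not; and `# References` is a top-level heading while every other section uses `##`, so it will render as a second page title in Hugo unless changed to `## References`.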