Your Own Password Vault

Long, random, complex passwords are an absolute must in today’s world. Storing them securely is just as important. This project is for the Linux desktop, and incorporates OpenPGP encryption algorithms based on  GnuPG Privacy Guard.

Our project consists of a collection of text files that we encrypt and  store in a subdirectory named “gpg.”  We interact with the encrypted files through bash scripts that we store in our home directory.

Our process eliminates the need to ever type passwords, thus defeating key loggers, and it provides complete control over their use and storage.  Package requirements include the following:

  • gnupg
  • secure-delete

Make sure you sudo apt -install those two modules before starting this project. Also go through the process of creating a public/private set of keys for yourself using your email address. We recommend the documentation of GnuPG to accomplish your key creation.  You will need to create a passphrase for your secret key during the key-generation process.  We recommend something memorable like a line from your favorite movie, or lyrics, or something you can easily type out from memory.  Make it something you never need to write down.  Although you may worry that dictionary terms or sentences are easy to guess, this particular passphrase isn’t likely to be run through a brute force crack attack unless it is by a federal government agency that has taken your computer under a search warrant, and if so, you’ll be forced to give them your private key password anyway.

For the rest of us mortals, nobody is going to crack your passphrase or even get their hands on your private key unless they’ve broken a lot of laws. If you are super paranoid, store your keys on a machine that is never connected to the internet. I’d recommend using a set on your regular box for dealing with simple stuff like this, and storing a completely different set on a secure, non-connected box if you have reason to live like that.

Either way, make your passphrase long, memorable, and feel free to obfuscate it to your heart’s content. Chmod 400 the key if it isn’t already permissioned like that.

Now into the meat of the project:

create a subdirectory of home called gpg. The full path for user “pi” is /home/pi/gpg.

Create a text file for your first few passwords.  We create the file, “bank.txt” and add our banking credentials into it.  Note that we also store the full url.  This will come in handy as you begin to use this system.  You can simply right-click on the url and launch it in a browser as needed.

Create another text file named “general.txt.”  General.txt is going to be our default file to interact with, and we will design our bash script so that it automatically chooses this file if we don’t provide the name of a file when we execute the script.

Below we use nano to create general.txt and add a few urls and login credentials to the file.

Did you notice the cool passwords? We generated them using our Password Generator.  Don’t use those listed here.  They are on a hacker’s cracker list by now.  They scrape sites for just such morsels.

We are about to write bash scripts for encrypting/decrypting our files, but you should practice manually encrypting and decrypting. Once you know how, you will find all sorts of things you might want to start keeping encrypted. You can also encrypt some text and send that encrypted text to a friend if you happen to have your friend’s public key.

To encrypt the file general.txt:  (replace the email address shown below with your own email address that you used to create your set of encryption keys.) Do this within your gpg directory:

gpg --recipient you@email.com --encrypt general.txt

Note that your directory now includes the original, unencrypted general.txt file and also the encrypted version named “general.txt.gpg.”

This is where you use the secure removal tool “srm” which is included in the secure-delete package you installed earlier.

srm general.txt

You have now secure-removed the original general.txt file. Note that srm and other disk overwriting methods aren’t failproof on solid-state drives or on multi-disk RAID systems.

Let’s manually decrypt general.txt.gpg. Do this from within your gpg directory:

gpg --output general.txt --decrypt general.txt.gpg

Notice we used the –output flag to pass the name of an output file. This causes gpg to write a new text file.

One of the features of gpg is the ability to decrypt your file to the screen rather than to a new text file.  This cuts down on file I/O, and eliminates the possibility of leaving an unencrypted file around.  Always decrypt to screen unless you need to add some info to an actual text file. Our decryption scripts will handle that shortly. You decrypt to screen by using the command above without the –output flag and the associated filename.

Like this:
gpg --decrypt general.txt.gpg

First, lets write the encryption script.  This script is going to do a few things for us.  By default, it will encrypt the file general.txt if we don’t give it any other filename. If a filename is passed to it, it will encrypt that file instead.  When engaging in any type of file I/O, some systems create intermediate files with a tilde ~ on the tail of the filename. This script looks for them and srm wipes them if they have been created. It also srm wipes the original .txt file for you.

I name the encryption script “u” which is short for “update” in my simple world.  Be sure to chmod +x the script once you create it. Below is the code:


#! /bin/bash

if [ “$1” != “” ]
then
FILE1=$1
else
FILE1=”general.txt”
fi

FILEPATH=”/home/pi/gpg/” #EDIT THIS
FILE_OPEN=”$FILEPATH$FILE1″

if [ -e “$FILE_OPEN” ]
then
CMD_STRING=”gpg –yes -r  you@your-email.com –encrypt $FILE_OPEN”  #EDIT THIS
$CMD_STRING
SRM_CMD_STRING=”srm $FILE_OPEN”
$SRM_CMD_STRING
fi

FILE2_tail=”~”
FILE2_FULL=”$FILEPATH$FILE1$FILE2_tail”
if [ -e “$FILE2_FULL” ]
then
NEW_CMD_STRING=”srm $FILE2_FULL”
$NEW_CMD_STRING
fi

LS_CMD_STRING=”ls -alF $FILEPATH”
$LS_CMD_STRING

Now we will write our “o” and “r” scripts. The o script is my shortcut for “output.” The r script is short for “read.” The only difference between o and r is the output command. o writes a file, r prints the decrypted text to your screen only.

Below is o. Remember to chmod +x the script once you finish editing it.


#! /bin/bash

if [ “$1” != “” ]
then
FILE1=$1
else
FILE1=”general.txt”
fi

if [ “$1” == “ls” ]
then
CMD_STRING=”ls -alF /home/pi/gpg”  #EDIT THIS TO YOUR PATH
$CMD_STRING
exit 1
fi

FILE_tail=”.gpg”
FILEPATH=”/home/pi/gpg/”  #EDIT THIS TO YOUR PATH
FILE_OPEN=”$FILEPATH$FILE1″
FILE_gpg=”$FILEPATH$FILE1$FILE_tail”

if [ -e “$FILE_OPEN” ]
then
gedit $FILE_OPEN &
else
if [ -e “$FILE_gpg” ]
then
CMD_STRING=”gpg –output $FILE_OPEN –decrypt $FILE_gpg”
$CMD_STRING
gedit $FILE_OPEN &
else
echo “$FILE1 doesn’t exist in ~/gpg”
fi
fi

I indent things, but typing for this web display makes that a little more difficult.  Indent your own for readability.

Note above that once o is run it will launch a text editor named “gedit” with your decrypted file open and ready for your modifications.

Below is the similar code for r:


#! /bin/bash

if [ “$1” != “” ]
then
FILE1=$1
else
FILE1=”general.txt”
fi

if [ “$1” == “ls” ]
then
CMD_STRING=”ls -alF /home/pi/gpg”
$CMD_STRING
exit 1
fi

FILE_tail=”.gpg”
FILEPATH=”/home/pi/gpg/”
FILE_gpg=”$FILEPATH$FILE1$FILE_tail”

if [ -e “$FILE_gpg” ]
then
CMD_STRING=”gpg –decrypt $FILE_gpg”
$CMD_STRING
else
echo “$FILE1 doesn’t exist in ~/gpg”
fi

The r script simply outputs the decrypted text to your screen rather than to a text file. Once r decrypts and prints to your screen, use your mouse to open the appropriate url you want to log into by hovering over it and right-clicking. You’ve now launched a browser from some text in a terminal. Are you feeling nerdy yet? Then use your mouse to copy/paste your username into the web form on the url you just launched, and do that again for your password. Copy/paste. Don’t you think the keyloggers are just going to love that?

Super paranoid note: your clipboard stores a copy of whatever you copy/paste. If you are on Linux, no big deal. Simply copy anything once you’re done with your credentials, and your clipboard will now only have that last bit of gibberish you just copied rather than your password. Get in the habit of always clearing your clipboard this way. I tend to write the word “delete” in a few lines of my password files just to have something to quickly copy/paste for my clipboard clear routine.  But anything will do.  Even a single letter.

I’m not sure how Windows users go about clearing their clipboard so be careful if you are modifying this to work on Win boxes.

Note how easy it will be for you to modify any one of these scripts to handle all of the execution cases you need. Edit and streamline them as you see fit.

If you have changed the mode of these scripts to make them executable (chmod +x), you can launch any of them like this:

[This assumes that you’ve already encrypted bank.txt manually or with ./u so that you now have the encrypted version, bank.txt.gpg]

Here we decrypt the existing version of bank.txt.gpg and create bank.txt:
./o bank.txt

Note that we only need to specify the .txt file. You don’t need to write the entire string of the encrypted file with the .gpg tail like you did when decrypting manually. The batch script handles it now.

for r (which simply prints your decrypted text to your screen):
./r bank.txt

and u to update your .gpg file with the latest version of your unencrypted text file:
./u bank.txt

Remember that u will also srm (wipe delete) your unencrypted text file.

Separation

A component of security is separation.  We don’t need to be storing our banking credentials with passwords for our social media sites or our email accounts, or other less critical info.  Above, we created the file “general.txt” to store our everyday credentials. You can create as many files as you like.  The more compartmentalized you are, the more secure your data is.  Evey website could have its own file if you like.  It’s totally up to you. I currently have about 15 to 20 separate encrypted credentials files.

Note that your o and r scripts will list the ~/gpg directory contents if you pass “ls” to the script rather than passing nothing (or passing a filename to decrypt).
./o ls

The encryption script will list the directory contents as it wraps up the encryption process.

So now for a fun task for you:

Combine all these scripts into one, making them do different things based on a parameter you feed into it.  Also look at using relative paths in the code so that anyone can easily copy the code and use it without modification.

When you’ve completed your edits, manually encrypt a copy of your script and email the encrypted copy to us using our public key. This will give you a chance to practice coding, and to send an encrypted message.

{Our email address is in one of the photos above.  The public key for that address is below.}

So get busy. We want to post an updated, blended script here, and we’ll credit you for the work. We’ll keep your contact info confidential unless you tell us otherwise. If you send us your public key, we’ll write you back an encrypted message that only you will be able to decrypt.

Here is our public key:

—–BEGIN PGP PUBLIC KEY BLOCK—–

mQENBFuhIL4BCADam8kgLT6+fI1YVFKhVLMbbNiKFLJitYwI7dajynmUMuTMWIXU
C1XBoNNHuIa/4iEStBJhOtQVlEx7SuuJZsOdn+WmqUlNXdewajIZQbAOjdKKaW5Q
80Xeks64kaf5EvhF1sUD1QJm4UOWNLqpAlDEO3RRKz2wnsRrsRTxZtcT6a7MmFh2
tF9DKOidvBe9298M7tuwbx2GXiHGaAyaKL+5OLDKcs1/+TLz+ReQSRDp5wB2GUn+
EQ6ngKJWqOe1jq+CIoySiopy0RuJ44KSx3z3r1zW8rlU/HFVoMe0/2cl07H0GhOV
FJwEn4AcWyXKqHa/M4XBH2pmZa1F/sJtW8HzABEBAAG0HEFkbWluIDxhZG1pbkBn
cmlkdmlzaW9uLm5ldD6JAVQEEwEIAD4WIQQ7bvNh0boAM9d4ZlUoyaEox4mSDAUC
W6EgvgIbAwUJA8JnAAULCQgHAgYVCAkKCwIEFgIDAQIeAQIXgAAKCRAoyaEox4mS
DPGPCACAbyH+drlPyxulvkELKz6hGmVOj258l5zFXO9pOE6AVRQTiAJYrpxA2jdt
XvTHEFUh/Wu/Vwm9rSD8wNLAkwbaPGp5VDrGyO2P5jmJzRl0IMHfK84Wb/O/3o2B
0ZM4VLr6+psPdor1nELHZJXy1u/wbjsMqd9V5L1WbZ0lfYoEmnHU+qIGcR9sWQHE
np3Wmziy0k+gi2gYwqIP2SJaMiUBtzPDQ1FjoNZd/iXdBt8Ti61Gy/y1Nj64FB+5
/yAV5xTg/ley+USMNHTpSSEJoRML2LSxEC3rhhcv0WpHVLdwfMb8x4M4tQjjX0oe
GmzTDleUk2yUnaQPaK3FIGHe39uIuQENBFuhIL4BCACxBRGJgqod7NuTgTsjiBLc
iy6kLCzTZ+XbpDhS+wkXTxoGYasO3elo8RqOUAKYXW2OnJayXFD7GHsi7ecfR4Gt
60WXu0N/1rauZyhSWqboh9wQJlPoOcPyxU+fhYXNXyRggwS9WxJWMI0VZmo2PJ/g
6k17AOXv9h/fsdNw2eZ6LYvorCaErLl1SqAObH3w96Gu7VvPURALU62s7x8+zTVs
v0ObchTWNYqGacUyF1TBAGpr45MEla7E577IGyuHrZ9vkaBIxpbED38HYhau5XFc
o8w7HUT+cySID+IL6hbo6NJdBS7AIVaoDQ3TyRlAMiTpcxN3APt8u2cVK2POqjEz
ABEBAAGJATwEGAEIACYWIQQ7bvNh0boAM9d4ZlUoyaEox4mSDAUCW6EgvgIbDAUJ
A8JnAAAKCRAoyaEox4mSDNaFCACYHeacwkIQz3xmRJBKuSG143TgskNnPk9fxhyG
Tenu/8CLJUkbxC7dJZJ6P0eHmsKbtIwXMYoeOmj/EA7mzBvLq6kNvd7lwbGmKBvz
ZhbL63IpJIYfnO5kuiQr45bO7tEo7c+e25HhAOOjTxongKxM/agr1VGMmz8NdKby
92nxRNfJrLribwiupN+B3gbhneV966Y8pcoODdee+M7icFD3kJz+Aj6+LB7AovVO
zrIk5Mpdt6KlHtx8D9jhNGALNWmHKj1Y6OZGBT661cwN2ynYpvHsmH3x8lJztGjb
YWIVifx7z/BD68/cD0fKXviKQok/+RIniqoWe504nXrwHtD7
=68Xc
—–END PGP PUBLIC KEY BLOCK—–

Check the bottom of our “Contact” page as well.  We’ve got a base64 encoded email address there for you to decode along with the public key associated with it.

Good luck, and welcome to the world of gpg encryption.