After adopting a variation of the Gentoo policy for managing OpenPGP (GnuPG) keys, I now feel confident enough to use OpenPGP to save sensitive passwords in the cloud. Gentoo’s GLEP 63 policy takes the guesswork out of key management and provides best practices that are valuable when encrypting sensitive information.
Although saving sensitive passwords in the cloud may seem a foolish endeavor, the alternative is to keep passwords on the sneakernet and risk losing them. Given the abundance of thumb drives and their general multi-purpose use, one might, for example, accidentally erase their only backup. Not to mention that saving data on any physical medium carries the risk that the medium becomes corrupted.
With this in mind I personally have switched from my previous techniques to a terminal-based solution called gopass. Gopass is a drop-in replacement for Jason Donenfeld’s password store (pass) with an elegant, ncurses-style terminal user interface. What’s more, gopass provides out-of-the-box functionality to use Git to keep passwords synced between devices, with a one-time per-device set-up cost. It is driven entirely from the keyboard and ideal for copying and pasting passwords quickly and securely, even while others are watching your screen.
If you’re not a terminal user or want to sync with your mobile device, there are some fantastic GUIs for pass/gopass as noted on the pass website. I suspect that as more users adopt this approach to password management the desire to place trust in third parties such as 1Password will decrease, thereby improving Web security on the whole by reducing the number of honeypots.
How passwords are protected
Passwords are protected with end-to-end encryption and stored encrypted at rest. Thanks to GPG, users may also leverage multi-factor authentication via password + key. Users who set up their OpenPGP keys using --expert mode can also leverage elliptic curve encryption via the ECC option for added security and durability during transit.
Where to store passwords online
There are many free options for storing your passwords in Git. You could use a GitHub private repository, or even GitLab or a Gitea host such as codeberg.org.
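The two sections above describe what protects each entry and what ends up in the Git remote. The following is an added example (not code from the post, from pass or from gopass) that builds a minimal pass-compatible store on disk: a `.gpg-id` recipient list, one OpenPGP-encrypted file per entry, and a Git commit of the result. It calls the `gpg` binary against a throwaway keyring; the key identity, entry name and password are constructed for illustration, and the store layout (`.gpg-id` plus `<name>.gpg`) is the one pass and gopass use.

```python
"""Added example: a minimal pass-style store, to show what is actually
stored (and therefore what a Git remote ever sees). Not the project's code."""
import shutil
import subprocess
import tempfile
from pathlib import Path


def _gpg(home, *args, stdin=None):
    """Run gpg against an isolated keyring so the example never touches the
    user's own ~/.gnupg; --batch and loopback pinentry suppress every prompt."""
    cmd = ["gpg", "--homedir", str(home), "--batch", "--yes", "--quiet",
           "--pinentry-mode", "loopback", "--passphrase", "", *args]
    return subprocess.run(cmd, input=stdin, capture_output=True, check=True).stdout


def make_store(root, home, uid="Example User <example@example.invalid>"):
    """Create a throwaway key (constructed identity, no passphrase) and write
    its fingerprint to .gpg-id, the file pass/gopass consult for recipients."""
    _gpg(home, "--quick-generate-key", uid, "default", "default", "never")
    listing = _gpg(home, "--with-colons", "--list-keys", uid).decode()
    fpr = next(l.split(":")[9] for l in listing.splitlines() if l.startswith("fpr:"))
    root.mkdir(parents=True, exist_ok=True)
    (root / ".gpg-id").write_text(fpr + "\n")
    return fpr


def insert(root, home, name, secret):
    """Encrypt one entry to every recipient listed in .gpg-id. The plaintext is
    piped over stdin, so it never appears in a process listing."""
    out = root / f"{name}.gpg"
    out.parent.mkdir(parents=True, exist_ok=True)
    recipients = (root / ".gpg-id").read_text().split()
    args = [a for r in recipients for a in ("--recipient", r)]
    _gpg(home, "--trust-model", "always", "--encrypt", "--output", str(out),
         *args, stdin=secret.encode())
    return out


def show(root, home, name):
    """Decrypt an entry; succeeds only on a machine holding a listed private key."""
    return _gpg(home, "--decrypt", str(root / f"{name}.gpg")).decode()


def demo():
    """Build a store in a temp dir and report what a remote would observe."""
    with tempfile.TemporaryDirectory() as tmp:
        home = Path(tmp) / "gnupg"
        home.mkdir(mode=0o700)
        root = Path(tmp) / "store"
        fpr = make_store(root, home)
        path = insert(root, home, "web/example.invalid", "hunter2")  # constructed entry
        blob = path.read_bytes()
        tracked = None
        if shutil.which("git"):
            # Commit the store as `pass git init` / gopass would: only .gpg-id
            # and ciphertext files are ever pushed to GitHub/GitLab/Gitea.
            git = ["git", "-C", str(root), "-c", "user.name=example",
                   "-c", "user.email=example@example.invalid"]
            subprocess.run(git + ["init", "-q"], check=True, capture_output=True)
            subprocess.run(git + ["add", "-A"], check=True, capture_output=True)
            subprocess.run(git + ["commit", "-q", "-m", "Add entry"], check=True, capture_output=True)
            tracked = subprocess.run(git + ["ls-files"], check=True,
                                     capture_output=True, text=True).stdout.split()
        result = {
            "gpg_id": (root / ".gpg-id").read_text().strip() == fpr,
            "plaintext": show(root, home, "web/example.invalid"),
            "plaintext_leaks": b"hunter2" in blob,   # the on-disk file is ciphertext only
            "tracked": tracked,
        }
        subprocess.run(["gpgconf", "--homedir", str(home), "--kill", "gpg-agent"],
                       capture_output=True)
        return result


if __name__ == "__main__":
    print(demo())
```

The `.gpg-id` file is the whole access-control list: adding a second device means adding its key there and re-encrypting the entries, and losing every listed private key means the remote copy is unrecoverable, which is the trade-off the later sections on hardware wallets and offline use are about.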
Syncing with mobile
As mentioned earlier, there are a number of GUI clients for mobile. If you’re using Android, you can connect your Git repository to the Password Store app, and both gopass and Password Store will automatically update your connected Git repository any time you make a change (manual syncs are also possible). There are also some iOS apps for pass, as mentioned on the pass site, that you could try out if you’re stuck running an Apple device.
Don’t want to store passwords online
You don’t have to. If you’d prefer to keep all of your passwords offline, just don’t set up a Git remote. You will, however, need to find a way to sync them manually between your devices. And you’ll most certainly want to back them up using the 3-2-1 backup rule, which could become arduous but some may prefer.
What about hardware wallets
You can use those. Just be aware that if they become lost, so will your access to your passwords. If you rely on GPG you can set it up on a few machines, so losing one device (let alone a small USB dongle) won’t lock you out of your digital life.
Multi-factor authentication
OTPs are one-time passwords used for two-factor authentication. If you’re a pass/gopass user you can keep OTPs stored alongside your passwords and eliminate the need for additional applications such as Aegis Authenticator. Gopass has the ability to generate OTPs based on an otpauth URI, which is easy to produce and modify using an offline-first security tool I built called OATHqr. But there are other ways as well, so please use what works best for you.
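To show what gopass is doing when it turns a stored otpauth URI into a code, here is an added example (not code from the post, gopass or OATHqr) that parses an `otpauth://totp/...` URI and computes TOTP per RFC 6238 (and HOTP per RFC 4226) from its `secret`, `algorithm`, `digits` and `period` parameters. The URI label, issuer and secret in the tests are constructed; the secret is the RFC reference key so the results can be checked against the published test vectors. It goes one step beyond the passage by including a constant-time `verify` with a clock-skew window, the check a server-side validator performs.

```python
"""Added example: otpauth URI parsing plus TOTP/HOTP generation and
constant-time verification. Not gopass's or OATHqr's code."""
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse


def parse_otpauth(uri):
    """Parse otpauth://totp/LABEL?secret=...&algorithm=...&digits=...&period=...
    (or otpauth://hotp/...&counter=...) into the parameters a generator needs."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc not in ("totp", "hotp"):
        raise ValueError("not an otpauth TOTP/HOTP URI")
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    if "secret" not in q:
        raise ValueError("otpauth URI has no secret")
    # Secrets are base32, usually unpadded; normalise padding before decoding.
    raw = q["secret"].rstrip("=")
    raw += "=" * (-len(raw) % 8)
    algorithm = q.get("algorithm", "SHA1").upper()
    if algorithm not in ("SHA1", "SHA256", "SHA512"):
        raise ValueError(f"unsupported algorithm {algorithm}")
    return {
        "type": u.netloc,
        "label": unquote(u.path.lstrip("/")),
        "issuer": q.get("issuer"),
        "secret": base64.b32decode(raw, casefold=True),
        "algorithm": algorithm,
        "digits": int(q.get("digits", "6")),
        "period": int(q.get("period", "30")),
        "counter": int(q["counter"]) if "counter" in q else None,
    }


def hotp(secret, counter, digits=6, algorithm="SHA1"):
    """RFC 4226: HMAC over the big-endian 64-bit counter, dynamic truncation,
    then reduce modulo 10^digits and left-pad with zeros."""
    digestmod = getattr(hashlib, algorithm.lower())
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(params, now=None):
    """RFC 6238: HOTP with the counter set to the current time step."""
    now = time.time() if now is None else now
    step = int(now) // params["period"]
    return hotp(params["secret"], step, params["digits"], params["algorithm"])


def verify(params, code, now=None, window=1):
    """Constant-time comparison of a submitted code against the current step
    and +/- `window` neighbouring steps to tolerate clock skew."""
    now = time.time() if now is None else now
    step = int(now) // params["period"]
    candidates = [hotp(params["secret"], step + d, params["digits"], params["algorithm"])
                  for d in range(-window, window + 1)]
    # Evaluate every candidate so the comparison count does not depend on a match.
    return sum(hmac.compare_digest(c, code) for c in candidates) > 0


if __name__ == "__main__":
    # Constructed URI carrying the RFC 6238 reference key "12345678901234567890".
    demo = "otpauth://totp/Example:alice%40example.invalid?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example"
    print(totp(parse_otpauth(demo)))
```

Because the secret sits in the same encrypted entry as the password, a stolen store gives an attacker nothing without the OpenPGP private key; the flip side, as the text notes, is that password and OTP then share one protection boundary rather than living on separate devices.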