Raspberry Pi Password Manager

As data breaches become increasingly common, securing our online accounts is more important than ever. Cloud-based password managers serve to free us from the need to remember passwords but what of those who don’t want to store their passwords online (or are excessively paranoid)? In this post, we will set up a Raspberry Pi 3 with Raspbian and a Git repository which we will use to store our passwords.

We will use pass to manage our passwords.

Once set up, we will be able to access our passwords from any *nix operating system.


Raspberry Pi setup

This part documents how to install the Raspbian operating system, set up an SSH connection, create a Git repository and do a little configuration to secure the device.

Download the latest Raspbian Lite image (compare its SHA-256 with the value published on the download page before writing it to the card; a damaged or tampered image is cheaper to catch here than after first boot)

$ wget https://downloads.raspberrypi.org/raspbian_lite_latest

Extract the image

$ unzip raspbian_lite_latest

Write the image to the SD card (check the device name with lsblk first: dd will just as happily overwrite the wrong disk)

# dd if=./*raspbian*.img of=/dev/sd<X> bs=4M conv=fsync status=progress

Mount the boot partition from the SD card

# mkdir -p ./boot && mount /dev/sd<X>1 ./boot

Enable SSH (Raspbian starts sshd on first boot when this empty file is present)

# touch ./boot/ssh

Set Wi-Fi credentials. Raspbian moves this file to /etc/wpa_supplicant/ on first boot. A bare network block is not enough: the file also needs the ctrl_interface line and a regulatory country code (without one recent releases leave Wi-Fi blocked), and echo does not reliably expand the embedded \n, so write it with a heredoc:

# cat > ./boot/wpa_supplicant.conf <<EOF
country=<two-letter country code>
ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=netdev
update_config=1

network={
    ssid="<your ssid>"
    psk="<your password>"
}
EOF

The passphrase is stored in clear on the card, so treat the card as you would the password itself.

Unmount boot partition

$ umount ./boot

Clean up files no longer needed

$ rm *raspbian*

The SD card has been prepared. We have configured it to automatically connect to our Wi-Fi network and enabled SSH.
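As an added example (not part of the original post), here is the SD card preparation above as one script with the checks the individual commands leave to the operator: the image hash is compared with the value you copy from the download page, the target device is refused if anything on it is mounted, the partition name is derived for both /dev/sdX and /dev/mmcblkN style devices, and wpa_supplicant.conf is written complete. The script name and argument order are my own.

```shell
#!/bin/sh
# Added example, not from the original post: prepare a Raspbian Lite card.
# Usage: sudo ./prepare-card.sh /dev/sdX <sha256 from download page> "<ssid>" "<psk>" [country]
set -eu

IMAGE_URL=https://downloads.raspberrypi.org/raspbian_lite_latest

# Render a complete wpa_supplicant.conf. A bare network={} block is not enough:
# Raspbian needs the regulatory country code (recent releases keep Wi-Fi blocked
# until one is set) and the ctrl_interface line. The psk is stored in clear on
# the card, so treat the card like the password itself.
render_wpa_conf() {   # render_wpa_conf <country> <ssid> <psk>
  printf 'country=%s\nctrl_interface=DIR=/var/run/wpa_supplicant GROUP=netdev\nupdate_config=1\n\nnetwork={\n    ssid="%s"\n    psk="%s"\n}\n' "$1" "$2" "$3"
}

# Return 0 only if <file> hashes to <expected-hex>: a truncated or tampered
# download fails here rather than as a card that silently does not boot.
verify_sha256() {   # verify_sha256 <file> <expected-hex>
  actual=$(sha256sum "$1" | cut -d' ' -f1)
  [ "$actual" = "$2" ]
}

# First partition name for either /dev/sdX or /dev/mmcblkN style devices.
boot_partition() {   # boot_partition <device>
  case $1 in
    *[0-9]) printf '%sp1\n' "$1" ;;
    *)      printf '%s1\n' "$1" ;;
  esac
}

# Refuse a device that has anything mounted: the usual sign of a typo in /dev/sdX.
assert_unmounted() {   # assert_unmounted <device>
  if grep -q "^$1" /proc/mounts; then
    echo "refusing to write: $1 has mounted partitions" >&2
    return 1
  fi
}

prepare_card() {   # prepare_card <device> <sha256> <ssid> <psk> [country]
  dev=$1 sum=$2 ssid=$3 psk=$4 country=${5:-GB}
  assert_unmounted "$dev"
  wget -O raspbian_lite.zip "$IMAGE_URL"
  verify_sha256 raspbian_lite.zip "$sum"
  unzip -o raspbian_lite.zip
  img=$(ls ./*raspbian*.img)
  dd if="$img" of="$dev" bs=4M conv=fsync status=progress
  partprobe "$dev" 2>/dev/null || true        # re-read the new partition table
  mkdir -p ./boot
  mount "$(boot_partition "$dev")" ./boot
  touch ./boot/ssh                            # empty file = start sshd on first boot
  render_wpa_conf "$country" "$ssid" "$psk" > ./boot/wpa_supplicant.conf
  umount ./boot
  rm -f raspbian_lite.zip "$img"
}

# Only act when given arguments, so the functions can be sourced and tested.
if [ $# -ge 4 ]; then
  prepare_card "$@"
fi
```

The expected hash is an argument rather than a second download: the value on the download page is the one thing the script cannot fetch from the same place as the image, and comparing against it is what makes the check worth anything.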

It is time to insert the SD card into our Raspberry Pi and turn it on.

The next step is to set up the SSH connection and the Git repository.

Generate an SSH key pair (ssh-keygen prompts for the passphrase; passing it with -P would leave it in your shell history)

$ ssh-keygen -t rsa -b 4096 -f $HOME/.ssh/id_rsa

Copy the SSH public key to the Raspberry Pi (you will be asked for the default password, raspberry)

$ ssh-copy-id pi@raspberrypi.local

SSH into Raspberry Pi

$ ssh pi@raspberrypi.local

Change the default password to something secure (passwd prompts for it, so it stays out of your shell history)

$ passwd

Disable SSH password authentication. Keep this session open and confirm from a second terminal that key-based login still works before closing it, since a mistake here locks you out. ChallengeResponseAuthentication is disabled as well, because keyboard-interactive authentication would otherwise still accept the account password; Raspbian ships it disabled, but check rather than assume.

$ sudo sed -i -E 's/^[[:space:]]*#?[[:space:]]*(PasswordAuthentication|ChallengeResponseAuthentication)[[:space:]].*/\1 no/' /etc/ssh/sshd_config
$ for opt in PasswordAuthentication ChallengeResponseAuthentication; do grep -q "^$opt no" /etc/ssh/sshd_config || echo "$opt no" | sudo tee -a /etc/ssh/sshd_config; done
$ sudo sshd -t && sudo systemctl restart ssh
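The sed/grep approach above is fine on a stock Raspbian sshd_config but has two failure modes worth handling: a second occurrence written with a tab or an = separator survives it, and a line appended to the end of the file lands inside any trailing Match block and then applies only to that block (sshd also honours the first global occurrence of a keyword, not the last). The following script, added here and not part of the original post, rewrites the global setting at the top of the file instead, checks the result with sshd -t before restarting, and does not touch the live file unless asked. The file path, option list and the ssh service name are assumptions for a stock Raspbian install.

```shell
#!/bin/sh
# Added example, not from the original post: set sshd_config keywords safely.
# Usage: sudo ./harden-sshd.sh --apply [/etc/ssh/sshd_config]
set -eu

# Rewrite <config> so that <keyword> is <value> in the global section.
# Existing uncommented global lines for the keyword are removed (tabs and the
# optional "=" separator included) and the new line is placed at the top of
# the file, because anything appended after a "Match" block applies only to
# that block and the first global occurrence wins.
set_sshd_option() {   # set_sshd_option <config> <keyword> <value>
  conf=$1 key=$2 val=$3
  tmp=$(mktemp)
  awk -v key="$key" -v val="$val" '
    BEGIN { print key " " val; in_match = 0 }
    {
      line = $0
      sub(/^[ \t]+/, "", line)
      if (line == "" || line ~ /^#/) { print; next }   # keep blanks and comments
      split(line, f, "[ \t=]+")
      tok = tolower(f[1])
      if (tok == "match") in_match = 1
      if (!in_match && tok == tolower(key)) next        # drop the old global setting
      print
    }' "$conf" > "$tmp"
  cat "$tmp" > "$conf"    # write in place so owner and mode are preserved
  rm -f "$tmp"
}

# Apply the key-only policy and restart sshd only if the result parses.
# Run this from an existing session and verify a new key-based login from a
# second terminal before closing it.
harden_sshd() {   # harden_sshd [config]
  conf=${1:-/etc/ssh/sshd_config}
  set_sshd_option "$conf" PasswordAuthentication no
  set_sshd_option "$conf" ChallengeResponseAuthentication no  # keyboard-interactive is password auth by another name
  set_sshd_option "$conf" PubkeyAuthentication yes
  set_sshd_option "$conf" PermitRootLogin no
  sshd -t -f "$conf"          # syntax check: a broken config is never loaded
  systemctl restart ssh       # Raspbian names the unit "ssh"
}

if [ "${1:-}" = "--apply" ]; then
  harden_sshd "${2:-/etc/ssh/sshd_config}"
fi
```

Note that set_sshd_option leaves lines inside Match blocks alone on purpose: an administrator who granted password login to one account there did so deliberately, and silently rewriting it is how the next person gets locked out.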

Install Git

# apt-get update && apt-get install -y git

Initialise Git repository

$ git init --bare ~/.password-store

Local machine setup

Password Store

Now we will initialise the password store and push it to the repository we have created on the Raspberry Pi.

Install gnupg and pass

The command you need will differ depending on your distribution, e.g.:

Arch:

# pacman -Syu gnupg pass

Ubuntu:

# apt-get install gnupg pass

GPG setup

Create GPG keys

Write the parameters to a temporary file and let gpg generate the key pair unattended. The file holds the passphrase in clear, hence the rm afterwards.

$ cat > foo <<EOF
Key-Type: default
Key-Length: 4096
Subkey-Type: default
Subkey-Length: 4096
Name-Real: <John Doe>
Name-Email: <johndoe@example.com>
Passphrase: <passphrase>
%commit
EOF
$ gpg --batch --generate-key foo
$ rm foo

Export the GPG key pair (the secret key stays protected by its passphrase, but keep the file off shared storage)

$ gpg --export-secret-keys --armor <johndoe@example.com> > <johndoe@example.com>.gpg-secret
$ gpg --export --armor <johndoe@example.com> > <johndoe@example.com>.gpg-public

You might want to look into using a separate key for each device. pass init accepts several key IDs and encrypts every entry to all of them, so if you lose a device you drop its key from the list and re-run pass init to re-encrypt the store, instead of rotating the one key shared by every machine.

Pass setup

Initialise password store

$ pass init <johndoe@example.com>

Initialise Git repo

$ pass git init

Add remote Raspberry Pi repository

$ pass git remote add origin pi@raspberrypi.local:~/.password-store

Push to the Raspberry Pi repository (-u records the upstream, so later pass git push and pass git pull need no arguments)

$ pass git push -u origin master
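As an added example, not part of the original post and not pass's own code, here is the per-device-key advice above and the pass init step played out with plain gpg in throwaway key rings, so it runs without pass installed (it assumes GnuPG 2.1 or newer, which Raspbian and current desktop distributions ship). The recipient file stands in for pass's .gpg-id; encrypt_entry does for one file what pass init does for every entry in the store. The device names, the sample secret and the directory layout are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original post: one GPG key per device, all
# listed as recipients, and what dropping a lost device looks like.
set -eu

WORK=$(mktemp -d)   # short path: gpg-agent puts its sockets under GNUPGHOME
cleanup() {
  for h in "$WORK"/*/; do
    GNUPGHOME=$h gpgconf --kill gpg-agent 2>/dev/null || true
  done
  rm -rf "$WORK"
}
trap cleanup EXIT

# Generate an ed25519 key in its own GNUPGHOME (one per device) and print its
# fingerprint. A real device key gets a passphrase; none here so the demo is
# unattended.
new_device_key() {   # new_device_key <gnupghome> <name>
  mkdir -p -m 700 "$1"
  cat > "$1/params" <<EOF
Key-Type: eddsa
Key-Curve: ed25519
Subkey-Type: ecdh
Subkey-Curve: cv25519
Name-Real: $2
Name-Email: $2@example.com
Expire-Date: 0
%no-protection
%commit
EOF
  GNUPGHOME=$1 gpg --batch --quiet --generate-key "$1/params" >/dev/null
  GNUPGHOME=$1 gpg --batch --with-colons --list-keys "$2@example.com" |
    awk -F: '$1 == "fpr" { print $10; exit }'
}

# Let <home> encrypt to the key from <other-home>: import its public key and
# record ultimate ownertrust (it is our own key, just on another device).
# Without the trust entry gpg --batch rejects the recipient as unusable.
trust_device() {   # trust_device <home> <other-home> <fingerprint>
  GNUPGHOME=$2 gpg --batch --export "$3" | GNUPGHOME=$1 gpg --batch --quiet --import
  echo "$3:6:" | GNUPGHOME=$1 gpg --batch --quiet --import-ownertrust
}

# Encrypt <in> to every fingerprint in <gpg-id-file>, the way pass encrypts an
# entry to every line of .gpg-id.
encrypt_entry() {   # encrypt_entry <home> <gpg-id-file> <in> <out>
  home=$1 ids=$2 in=$3 out=$4
  set --
  while read -r fpr; do set -- "$@" -r "$fpr"; done < "$ids"
  GNUPGHOME=$home gpg --batch --quiet --yes "$@" -o "$out" -e "$in"
}

# Return 0 if <home> can decrypt <file> to exactly <expected>.
can_decrypt() {   # can_decrypt <home> <file> <expected>
  got=$(GNUPGHOME=$1 gpg --batch --quiet --decrypt "$2" 2>/dev/null) || return 1
  [ "$got" = "$3" ]
}

demo() {
  A=$WORK/a; B=$WORK/b
  FPR_A=$(new_device_key "$A" devA)
  FPR_B=$(new_device_key "$B" devB)
  trust_device "$A" "$B" "$FPR_B"

  printf 'hunter2\n' > "$WORK/secret.txt"            # constructed sample entry
  printf '%s\n' "$FPR_A" "$FPR_B" > "$WORK/gpg-id"   # pass init <A> <B>
  encrypt_entry "$A" "$WORK/gpg-id" "$WORK/secret.txt" "$WORK/entry.gpg"
  can_decrypt "$B" "$WORK/entry.gpg" hunter2 && echo "device B can read the entry"

  # Device B is lost: drop it from the recipients and re-encrypt (pass init <A>).
  printf '%s\n' "$FPR_A" > "$WORK/gpg-id"
  encrypt_entry "$A" "$WORK/gpg-id" "$WORK/secret.txt" "$WORK/entry.gpg"
  can_decrypt "$B" "$WORK/entry.gpg" hunter2 || echo "device B is locked out of the new ciphertext"
}

if command -v gpg >/dev/null 2>&1; then
  demo
else
  echo "gpg not installed; nothing to demonstrate" >&2
fi
```

Run it as sh per-device-keys.sh. The second message is the point, with one caveat: the lost device can still read every ciphertext it already holds, and the Git history on the Pi keeps the old encrypted versions, so losing a device should also mean rotating the passwords it could see, not just re-encrypting the store.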

Secondary machine setup

This section shows how to use the password store on other devices.

Generate a new SSH key pair for the new machine

$ ssh-keygen -t rsa -b 4096 -f <id_newmachine>

Copy the public SSH key to the Raspberry Pi

$ ssh-copy-id -i <id_newmachine> pi@raspberrypi.local

Copy the private SSH key to the new machine (this overwrites any ~/.ssh/id_rsa already there, so pick another filename and an entry in ~/.ssh/config if the machine has one). Generating the key pair on the new machine and copying only the .pub file to the Pi avoids moving a private key between hosts at all.

$ scp <id_newmachine> <user@newmachine>:~/.ssh/id_rsa

Copy the GPG key pair to the new machine

$ scp <johndoe@example.com>.gpg-* <user@newmachine>:~/

SSH into new machine

$ ssh <user@newmachine>

Import the GPG keys (--allow-secret-key-import is obsolete; a plain --import handles both files) and mark the key as ultimately trusted, because importing a secret key does not set ownertrust and gpg refuses to encrypt new entries to a key it does not trust. In the gpg prompt type trust, choose 5 (ultimate), confirm, then quit. Delete the two exported files once the import has succeeded.

$ gpg --import <johndoe@example.com>.gpg-public
$ gpg --import <johndoe@example.com>.gpg-secret
$ gpg --edit-key <johndoe@example.com>

Use Git to clone the password store from the Raspberry Pi into the directory pass expects (scp-style address; the bare repository on the Pi is ~/.password-store)

$ git clone pi@raspberrypi.local:~/.password-store ~/.password-store

You should now be able to use pass in the same way as you do on your other machine.


Conclusion

You can only push and pull passwords while on the same local network as the Raspberry Pi.

Pull your passwords while on your local network; the clone works offline. If you add new passwords while disconnected you must rejoin your local network to push them to the Raspberry Pi.

Here is the reason I chose not to expose my password store to the Internet: there could be undiscovered security bugs in the software used (sshd, git, gpg or pass). If it is exposed to the Internet and a bug is discovered, the passwords may be compromised in the window between the issue becoming known and the software being updated. On a LAN-only device that window can only be exploited by someone already on the network.

If you would like access to your password store over the Internet you will need to forward a port on your router to the Raspberry Pi. That puts sshd within reach of every scanner on the Internet, and key-only authentication becomes the one thing standing between them and your store.

In the next post we will look at how to use the password store on other operating systems (Android and Windows).

Rosh Beed
Consultant