Store encrypted passwords in an encrypted filesystem with EncFS and pass

Introduction

This guide walks you through setting up a command-line system for storing encrypted passwords (and metadata) inside an encrypted filesystem on both Mac and Ubuntu. The encrypted filesystem can be stored in source control. EncFS is used for the encrypted filesystem and pass for the password manager.

pass stores information in GPG-encrypted files in your ~/.password-store directory. We will encrypt that directory with EncFS. It'll look something like this:

cd ~/.password-store
find . -type f

gmail/your_email@example.com
banks/bank-of-america
banks/shinsei-bank

Setup GPG

pass stores each entry in a GPG-encrypted file, so you'll need GPG set up.

gpg --gen-key
  • What keysize do you want? 4096
  • Key is valid for? 0
  • Is this correct? y
  • Real name: your real name here
  • Email address: your_email@example.com
  • Comment: Optional comment that will be visible in your signature
  • Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
  • Enter passphrase: Enter a secure password

GPG stores data in ~/.gnupg.

Setup EncFS

This part is optional but I prefer it, since pass leaks information through its directory structure and filenames (each entry is a plainly named .gpg file). The passwords and metadata inside the files are secure, however.

Install EncFS

# For Mac
brew install Caskroom/cask/osxfuse
brew install homebrew/fuse/encfs

# For Ubuntu
sudo apt-get install encfs

Create the encrypted filesystem

Now create an encrypted filesystem to store your pass files. The unencrypted mount will be at ~/.password-store. The .password-store.encrypted directory is the encrypted version. You can store that in source control or back it up however you like.

encfs ~/path-to-where-you-want-this/.password-store.encrypted ~/.password-store

Setup pass

Install it

# Mac
brew install pass

# Ubuntu
sudo apt-get install pass

Configure it

# Here, your_email@example.com is the ID of your GPG key
pass init "your_email@example.com"

Insert a password

pass insert gmail/your_email@example.com

Or create an auto-generated password

# 20 is the password length
pass generate gmail/your_email@example.com 20

Copy a password to the clipboard

pass -c gmail/your_email@example.com

Print a password to the screen

pass gmail/your_email@example.com
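If ~/.password-store is not mounted when you run pass, the plainly named .gpg files land on the ordinary disk and the directory-structure leak this guide works around comes back. The following wrapper is an added example, not part of the original post or of pass/EncFS: it only runs pass on top of a live EncFS mount, and it assumes the encrypted directory lives at ~/.password-store.encrypted (override with ENCRYPTED_DIR). The mount check works on the text of `mount`, which is why it matches both the Linux and the osxfuse output forms.

```shell
#!/bin/sh
# Added example (not from the original post): only let pass touch
# ~/.password-store while that directory is an EncFS mount, so the entry
# names pass creates never land on the plain disk if the mount is absent.
# Assumed locations; adjust to where you created the volume.
ENCRYPTED_DIR="${ENCRYPTED_DIR:-$HOME/.password-store.encrypted}"
MOUNT_POINT="${MOUNT_POINT:-$HOME/.password-store}"

# is_encfs_mount MOUNT_OUTPUT DIR
# Succeeds when a line of `mount` output (passed as text so it can be checked
# offline) reads "<word containing encfs> on DIR ...". This covers the Linux
# form ("encfs on /x type fuse.encfs ...") and the osxfuse form
# ("EncFS@osxfuse0 on /x (osxfuse, ...)"). Mount points with spaces are not handled.
is_encfs_mount() {
    printf '%s\n' "$1" | awk -v dir="$2" '
        tolower($1) ~ /encfs/ && $2 == "on" && $3 == dir { found = 1 }
        END { exit !found }'
}

# Mount the volume if it is not already mounted. encfs prompts for the volume
# password and creates the volume on first use.
ensure_mounted() {
    is_encfs_mount "$(mount)" "$MOUNT_POINT" && return 0
    mkdir -p "$ENCRYPTED_DIR" "$MOUNT_POINT"
    encfs "$ENCRYPTED_DIR" "$MOUNT_POINT"
}

# safe_pass ARGS...: run pass only on top of a live EncFS mount.
safe_pass() {
    if ! ensure_mounted; then
        echo "refusing to run pass: $MOUNT_POINT is not an EncFS mount" >&2
        return 1
    fi
    pass "$@"
}

# Unmount when done so the plaintext view disappears from the filesystem.
unmount_store() {
    case "$(uname -s)" in
        Darwin) umount "$MOUNT_POINT" ;;
        *)      fusermount -u "$MOUNT_POINT" ;;
    esac
}

# Usage:
#   safe_pass init "your_email@example.com"
#   safe_pass insert gmail/your_email@example.com
#   unmount_store
```

Source the file into your shell (`. ./safe_pass.sh`) and use safe_pass in place of pass; the first call mounts the volume and later calls reuse the existing mount.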

Conclusion

That's it, all done.