On Tue, May 14, 2024 at 06:28:17AM -0500, Dale wrote:

> Howdy,
> […]
> remember either, or write notes to remember them. I also wanted to
> avoid the desktop copy and paste, or clipboard, mechanism. I'm not sure
> how that data is stored in the clipboard and how good it is at erasing
> it when I clear it.

The mark-and-middleclick you describe further down is the very same as the “normal” clipboard. It is just accessed differently.

> First, I needed to generate a password. I googled, a lot. I had
> trouble finding a way to generate the type of passwords I wanted but I
> finally found one.

Care to elaborate regarding the “password you wanted”? There is the obvious pwgen, which can generate passwords with given character sets and length. Keepass can do this, too, so I assume Bitwarden (which you use) has a similar function. And if you don’t like parts of the generated PW, keep the part you like, generate new and pick the part you like again. Or just let pwgen generate a big bunch and pick what you like best from the output.

> […]
> Now that I have a password, how do I keep track of them? I did some
> more searching. I wanted something that was command line not GUI.
> After all, I have BitWarden for websites and such already. Thing is,
> it's GUI since it is a Firefox add-on. I'd need to use the clipboard to
> copy and paste. I want to avoid that remember? I also wanted something
> that is on its own, separate from my main password tool BitWarden. I
> found kpcli in the tree.

I didn’t know about kpcli and it is not available in Arch. So I looked it up. Turns out it is a non-graphical Keepass client (that’s what the kp stands for, after all). Interestingly, there is also a bitwarden CLI client.

Did you know Keepass (the graphical one) has an autotype feature? This means that it simulates the pressing of keys, so it bypasses the clipboard entirely. Another advantage of that is that you can set up custom key sequences in the autotype field, so you can for example say “first enter the username, then press enter, then wait for a second, then enter the password and press enter again.” Useful for sites that use a dynamic login screen with animations or non-standard input fields.

> Then I needed some way to handle if the password file kpcli uses got
> lost or damaged. If I were to lose that file, all drives and the data
> on them is lost. I'd lose everything because there is no way to
> remember the password.

The obvious answer is: backup – encrypted or not. ;-) My Keepass database is a simple file in my home that is backed up together with all the other home files by Borg. Meaning I even have a versioned backup of my passwords. Needless to say my backup drives are LUKSed with a long passphrase that I have never ever once written down anywhere on paper. I’ve been using it for so long now and on several drives, that it is ingrained in my brain.

> The kpcli file itself appears to be encrypted.
> So, it protects itself. That's good. I don't need to put the file on
> something that is also encrypted, just copy it to a plain file system as
> it is. I have a USB stick that I store things on. Things like drive
> info, what drives go to what volume group, what drive has the OS on it
> etc and the portage world file on it. I also have some scripts in /root
> that I don't want to lose either so I copy them to the stick as well.

Be mindful that USB sticks aren’t very reliable. The flash chips in them are what is left after quality control deemed them unfit for duty in SSDs (first tier) and memory cards (second tier). So always keep several copies, possibly on different types of storage media (HDDs, SSDs, optical, whatever).

> Then one important file, my file that contains frequently used
> commands. It is rather lengthy and is 15 years or more of additions. I
> copied all that info to a USB stick. It lives in the fire safe.

TBH, I wouldn’t put all my horses on one USB stick in a fire safe. (Or however the saying goes) After a flimsy USB stick with questionable flash chips has been subjected to high temperatures for a longer time, chances are you may not be able to access its data ever again.

> How I use all this. I do this in a Konsole, within KDE, which has
> tabs. Might work on a plain console too tho. If I need to open an
> encrypted drive, or set of drives, I open kpcli and get it to show the
> password for that drive in one tab. I then run the little script to
> open and mount that drive in another tab. When it asks for the
> password, I highlight the password from kpcli tab and then switch tabs
> and middle click to paste the password in.

Since you’ve already scripted most of it, you could possibly go the full way. Use the HDD’s UUID as key and either store the password in a file that is named with the UUID, or in keepass with the UUID as entry title. Then you can let the script retrieve the password all by itself without any need for copy-pasting – except for unlocking the keepass file. I don’t know how often you insert, unlock and mount a drive. But given you have so many drives, I imagine it to happen regularly.

> I don't use the desktop
> clipboard to do this. Once the drive is open, I then highlight random
> things, 3 or 4 of them, to make Konsole forget the password. It seems
> to only remember one thing at a time. I'm not aware of any history
> being stored within Konsole.

It’s not Konsole that does any of the clipboard handling. It merely accesses it. You have the primary clipboard (Ctrl+X/C/V) and optionally the KDE clipboard manager that remembers the last x entries. And you have the secondary clipboard (marking text and pasting with middle-click). That’s an X feature from yesteryear. There is an option in the KDE clipboard manager whether it should observe the secondary clipboard or not.

BTW: if you copy something within the Keepass GUI (a username, password etc), then Keepass itself will clear the clipboard after a configurable delay (default is 10 seconds).

> So, found a way to generate some pretty random passwords, whatever
> length and characters I want. I found a good way to store them.

Is your home encrypted with a good passphrase? And your home backup, too? If the answer is yes to both, then any additional encryption step may be nice for peace of mind, but technically unnecessary. My keepass file is passphrase-protected, because it stores my entire digital life. But for stuff like offlineimap and fetchmail/fdm, I have no problem with storing passwords in plaintext in their config files, because those files are protected by the file system encryption.

> I'm also able to copy and paste them in a way that has no history of the
> passwords that I'm aware of.

Clipboard history is a desktop feature – if you enabled it. If you want to be fully sure, use alternatives like the aforementioned autotype or reading files directly into your script.

> I've also made copies of the file in case
> the OS drives goes out on me or the file gets erased or corrupted.

That’s always a good idea.

> I get a LOT of help from this mailing list. Rich, Micheal, Neil and
> several others. I hope at least one person will read all this and find
> it useful in some way and I get to give back a little. Having a way to
> generate and remember passwords is an important thing if you encrypt your
> drives.

There is of course also the possibility to let KDE remember the passphrase. I have some LUKS passphrases in my KDE wallet and the wallet itself has no password – because all filesystems are encrypted anyways.

-- 
Grüße | Greetings | Salut | Qapla’
Please do not share anything from, with or about me on any social network.

There is only one way to the lung and it must be tarred.
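The file-per-UUID lookup suggested in the reply above, as an added example that is not part of the original message. `KEYDIR` and both function names are hypothetical, and the key directory is assumed to sit on an already-encrypted filesystem, as the reply presupposes for plaintext secrets.

```shell
#!/bin/sh
# Added example: fetch a LUKS key by filesystem UUID instead of pasting it.
# KEYDIR and the function names are hypothetical.
KEYDIR="${KEYDIR:-/root/luks-keys}"

# Print the key file path for a UUID, or explain on stderr and fail.
keyfile_for_uuid() {
    uuid=$1
    # Only hex digits and hyphens may appear, so the value can never be a
    # path such as ../x and can never span several lines.
    case $uuid in
        ''|*[!0-9a-fA-F-]*) echo "not a UUID: $uuid" >&2; return 2 ;;
    esac
    if ! printf '%s\n' "$uuid" |
        grep -Eqx '[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}'; then
        echo "not a UUID: $uuid" >&2; return 2
    fi
    file=$KEYDIR/$uuid
    if [ ! -f "$file" ] || [ -L "$file" ]; then
        echo "no key file for $uuid" >&2; return 3
    fi
    # Refuse key files that group/others can access or another user owns.
    mode=$(stat -c '%a' "$file")
    owner=$(stat -c '%u' "$file")
    if [ "$owner" != "$(id -u)" ] ||
        { [ "$mode" != 600 ] && [ "$mode" != 400 ]; }; then
        echo "unsafe permissions on $file (mode $mode, uid $owner)" >&2
        return 4
    fi
    printf '%s\n' "$file"
}

# Unlock /dev/disk/by-uuid/<uuid> as /dev/mapper/<name>.
unlock_by_uuid() {
    key=$(keyfile_for_uuid "$1") || return
    # cryptsetup uses the whole key file, trailing newline included, so
    # create the file with printf '%s' rather than echo.
    cryptsetup open --key-file "$key" "/dev/disk/by-uuid/$1" "$2"
}

# Usage: script <uuid> <mapper-name>
if [ "$#" -eq 2 ]; then
    unlock_by_uuid "$1" "$2"
fi
```

The passphrase never passes through the X selection or a clipboard manager; the only secret still typed by hand is whatever unlocks the filesystem holding `KEYDIR`.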