Howdy,

This is more of a howto or rough guide. As most know, I have several encrypted hard drives, or sets of hard drives using LVM. I don't even know how much data I have stored here at the moment. I started a thread a while back about how to come up with and remember passwords. I got some pretty good ideas. Thing is, those come with problems when you need to have over half a dozen passwords and each needs to be something that can not be guessed. I came up with passwords and made little post it notes with info that helps me remember the passwords. Thing is, if a person could figure out what was on the note, then they could crack the password. Some people are smart that way. Online password test tools, as good or bad as they are, claim it would take centuries or longer to crack the passwords. However, that little note that helps me remember it could also help the person trying to crack it.

So, ever since, I've been trying to come up with a new way to do this. I wanted passwords that would be virtually impossible to crack but that I didn't have to remember either, or write notes to remember them. I also wanted to avoid the desktop copy and paste, or clipboard, mechanism. I'm not sure how that data is stored in the clipboard and how good it is at erasing it when I clear it.

First, I needed to generate a password. I googled, a lot. I had trouble finding a way to generate the type of passwords I wanted but I finally found one. It gives me a lot of control, including over what characters it uses and the length. I can actually change the allowed characters if something on the receiving end can't use certain characters. This is what I found, with a few characters added to the original command:

    </dev/urandom tr -dc '1234567890!@#$%^&+=?{}[]qwertQWERTasdfgASDFGzxcvbZXCVB' | head -c 20; echo ""

To give credit to the person who provided the base command, it's like number 8 I think here:

https://www.howtogeek.com/30184/10-ways-to-generate-a-random-password-from-the-command-line/

I added some characters to the list it filters to have even more of them. I plan to add all I can, every letter on the keyboard in upper and lower case, plus any I missed later on. It generates passwords like this as shown above:

    eg@^04f[C@AvTQRWX242
    A!q@wSa5TTE?Z2xg9wX{
    ]rqC^swC#sAza]24F%9B
    CA&?&E8]SD+1#&$rbgwD
    T8x@cWaEZc##4WDfd!Qv

It is set to do 20 characters but I sometimes increase that. I guess one could go to a huge number if one wanted to. I'm not sure what the limit is on cryptsetup but have seen people use files generated by /dev/random at over 4,000 characters. That is pretty long!! Point is, try to guess one of the passwords generated above.

While typing this, I added some things to the list of allowed characters in the command above. You have to leave out the ' or single quote, since the command uses it. I also left out the double quote, ", as well. New command.

    </dev/urandom tr -dc '~!@#$%^&*()_+`{}[]:;<>?,.1234567890QWERTYUIOPASDFGHJKLZXCVBNMqwertyuiopasdfghjklzxcvbnm' | head -c 40; echo ""

It generates passwords like this.

    {sVao%ezpr&o8YHi&AjDrTLiwoRr<[B[,b$5C8j(
    L_7g{JUh39%Da`l!<A^hb%eyJ^&.tJfw1!6eAqr}

I set it to 40 so that it would include more characters to show the difference from the earlier command better.
I'd hate to know I had to type that thing in and not make a mistake. O_O Keep in mind, you can edit out any characters you don't want used. Some sites do limit what characters can be included. Some allow pretty much anything and everything. Just edit as needed.

Now that I have a password, how do I keep track of them? I did some more searching. I wanted something that was command line, not GUI. After all, I have BitWarden for websites and such already. Thing is, it's GUI since it is a Firefox add-on. I'd need to use the clipboard to copy and paste. I want to avoid that, remember? I also wanted something that is on its own, separate from my main password tool BitWarden. I found kpcli in the tree. It's command line and fairly easy to set up. Even comes with a help option for me, who forgets easily. I got it installed and set up to remember my passwords. During the switch, I put the LV name with -old or -new depending on which password I was storing. Old passwords I came up with were under -old. You get the idea. Once all have a working and well tested -new password using the command above, I'll remove the -old from kpcli and the key from the drive(s).

Then I needed some way to handle it if the password file kpcli uses got lost or damaged. If I were to lose that file, all drives and the data on them are lost. I'd lose everything because there is no way to remember the password. The kpcli file itself appears to be encrypted. So, it protects itself. That's good. I don't need to put the file on something that is also encrypted, just copy it to a plain file system as it is.

I have a USB stick that I store things on. Things like drive info, what drives go to what volume group, what drive has the OS on it etc and the portage world file on it. I also have some scripts in /root that I don't want to lose either so I copy them to the stick as well. Then one important file, my file that contains frequently used commands. It is rather lengthy and is 15 years or more of additions.
I copied all that info to a USB stick. It lives in the fire safe. I copied the kpcli file to that and for extra protection, I created a second USB stick. I plan to stick it in an outbuilding, in a glass jar with a silica pack maybe. Just in case. ;-) So, I have the working copy and two backups. I don't have any online storage things. I really need to do that for small stuff like this but . . . . :/ I could do a lot with just 1GB of data storage.

How I use all this. I do this in a Konsole, within KDE, which has tabs. Might work on a plain console too tho. If I need to open an encrypted drive, or set of drives, I open kpcli and get it to show the password for that drive in one tab. I then run the little script to open and mount that drive in another tab. When it asks for the password, I highlight the password from the kpcli tab and then switch tabs and middle click to paste the password in. I don't use the desktop clipboard to do this. Once the drive is open, I then highlight random things, 3 or 4 of them, to make Konsole forget the password. It seems to only remember one thing at a time. I'm not aware of any history being stored within Konsole. If someone knows otherwise, please let me know and if there is a way to clear it. I repeat those steps if needed on other drive(s). Once I'm done, I quit kpcli.

So, I found a way to generate some pretty random passwords, whatever length and characters I want. I found a good way to store them. I'm also able to copy and paste them in a way that has no history of the passwords that I'm aware of. I've also made copies of the file in case the OS drive goes out on me or the file gets erased or corrupted. Overall, I'm kinda liking this so far.

One thing I messed up on when creating some LVM drives, I left off the luks part in some command options when creating them with cryptsetup. If you leave that off, it works still but leaves out luks. The downside, you can't change the password or keys.
It doesn't have the keys like it does with luks, just a single password used when first set up. So, don't leave that off when creating the encryption. I'm having to redo some of my backup drives as I type.

To be honest, one should change the password if it is something you come up with yourself. May not be a bad idea even if you use the steps I use and generate a password as well. I don't see a downside as long as one tests the new changes well before removing the old key.

I get a LOT of help from this mailing list. Rich, Micheal, Neil and several others. I hope at least one person will read all this and find it useful in some way and I get to give back a little. Having a way to generate and remember passwords is an important thing if you encrypt your drives. If you want to keep evildoers out, they need to be really good passwords. That command I found generates some good passwords. The one I went back and added characters to should be even better, especially for longer passwords. Kpcli remembers them and protects itself as well.

All in all, unless there is something I don't know, this is a good method to generate and remember passwords. I hope others will find it useful. If you do, please reply and let me know if you can. I try to let others know when they help me. I'd like to know if I help others as well, if they are subscribed to this list and can. Some may find this with google or something.

Hope I didn't bore anyone to tears. ROFL

Dale

:-) :-)
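
Added example, not part of the original post: the tr/head pipeline above wrapped in a function that takes the length and the allowed characters, plus a rough strength figure (length times log2 of the number of distinct allowed characters) for the two character sets quoted in the post. The names genpw and pw_bits are made up for this example, and the bit figure assumes every character is drawn uniformly from the set.

```shell
#!/bin/sh
# Added example: genpw and pw_bits are hypothetical helper names.

# The two character sets quoted in the post.
CHARSET_SHORT='1234567890!@#$%^&+=?{}[]qwertQWERTasdfgASDFGzxcvbZXCVB'
CHARSET_FULL='~!@#$%^&*()_+`{}[]:;<>?,.1234567890QWERTYUIOPASDFGHJKLZXCVBNMqwertyuiopasdfghjklzxcvbnm'

# genpw LENGTH [CHARSET]: print one random password on stdout.
genpw() {
    len=$1
    chars=${2:-$CHARSET_FULL}
    case $len in
        ''|*[!0-9]*) echo "genpw: length must be a number" >&2; return 1 ;;
    esac
    # LC_ALL=C makes tr treat /dev/urandom as raw bytes in any locale.
    # tr is stopped by SIGPIPE once head has enough, so ignore the
    # pipeline status and check the length of the result instead.
    out=$(LC_ALL=C tr -dc "$chars" </dev/urandom | head -c "$len") || true
    [ "${#out}" -eq "$len" ] || { echo "genpw: short read" >&2; return 1; }
    printf '%s\n' "$out"
}

# pw_bits LENGTH CHARSET: print LENGTH * log2(distinct characters in CHARSET).
pw_bits() {
    printf '%s\n' "$2" | LC_ALL=C awk -v len="$1" '{
        n = 0
        for (i = 1; i <= length($0); i++) {
            c = substr($0, i, 1)
            if (!(c in seen)) { seen[c]; n++ }   # count each character once
        }
        printf "%.1f\n", len * log(n) / log(2)
    }'
}

# Usage:
#   genpw 20 "$CHARSET_SHORT"      # 20 characters from the first set
#   genpw 40                       # 40 characters from the full set
#   pw_bits 20 "$CHARSET_SHORT"    # 115.1
#   pw_bits 40 "$CHARSET_FULL"     # 257.7
```

Characters that tr treats specially (a backslash, a dash between two characters, or a bracket followed by a colon or equals sign) need care if you add them to the set.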