Howdy,

This is more of a howto or rough guide.  As most know, I have several
encrypted hard drives, or sets of hard drives using LVM.  I don't even
know how much data I have stored here at the moment.  I started a thread
a while back about how to come up with and remember passwords.  I got
some pretty good ideas.  Thing is, those come with problems when you
need to have over half a dozen passwords and each needs to be something
that can not be guessed.  I came up with passwords and made little post
it notes with info that helps me remember the passwords.  Thing is, if a
person could figure out what was on the note, then they could crack the
password.  Some people are smart that way.  Online password test tools,
as good or bad as they are, claim it would take centuries or longer to
crack the passwords.  However, that little note that helps me remember
it could also help the person trying to crack it.  So, ever since, I've been
trying to come up with a new way to do this.  I wanted passwords that
would be virtually impossible to crack but that I didn't have to
remember either, or write notes to remember them.  I also wanted to
avoid the desktop copy and paste, or clipboard, mechanism.  I'm not sure
how that data is stored in the clipboard and how good it is at erasing
it when I clear it.

First, I needed to generate a password.  I googled, a lot.  I had
trouble finding a way to generate the type of passwords I wanted but I
finally found one.  It gives me a lot of control including on what
characters it uses and length.  I can actually change the allowed
characters if something on the receiving end can't use certain
characters.  This is what I found, with a few characters added to the
original command:

</dev/urandom tr -dc '1234567890!@#$%^&+=?{}[]qwertQWERTasdfgASDFGzxcvbZXCVB' | head -c 20; echo ""

To give credit to the person who provided the base command, it's like
number 8 I think here:

https://www.howtogeek.com/30184/10-ways-to-generate-a-random-password-from-the-command-line/

I added some characters to the list it filters to have even more of
them.  I plan to add all I can, every letter on the keyboard in upper
and lower case, plus any I missed later on.  It generates passwords like
this as shown above:

eg@^04f[C@AvTQRWX242
A!q@wSa5TTE?Z2xg9wX{
]rqC^swC#sAza]24F%9B
CA&?&E8]SD+1#&$rbgwD
T8x@cWaEZc##4WDfd!Qv

It is set to do 20 characters but I sometimes increase that.  I guess
one could go to a huge number if one wanted to.  I'm not sure what the
limit is on cryptsetup but have seen people use files generated by
/dev/random at over 4,000 characters.  That is pretty long!!  Point is,
try to guess one of the passwords generated above.

While typing this, I added some things to the list of allowed characters
in the command above.  You have to leave out the ' or single quote,
since the command uses it.  I also left out the double quote, ", as
well.  New command.

</dev/urandom tr -dc '~!@#$%^&*()_+`{}[]:;<>?,.1234567890QWERTYUIOPASDFGHJKLZXCVBNMqwertyuiopasdfghjklzxcvbnm' | head -c 40; echo ""

It generates passwords like this.

{sVao%ezpr&o8YHi&AjDrTLiwoRr<[B[,b$5C8j(
L_7g{JUh39%Da`l!<A^hb%eyJ^&.tJfw1!6eAqr}

I set it to 40 so that it would include more characters to show the
difference from the earlier command better.  I'd hate to know I had to type
that thing in and not make a mistake.  O_O  Keep in mind, you can edit
out any characters you don't want used.  Some sites do limit what
characters can be included.  Some allow pretty much anything and
everything.  Just edit as needed.

Now that I have a password, how do I keep track of them?  I did some
more searching.  I wanted something that was command line not GUI. 
After all, I have BitWarden for websites and such already.  Thing is,
it's GUI since it is a Firefox add-on.  I'd need to use the clipboard to
copy and paste.  I want to avoid that, remember?  I also wanted something
that is on its own, separate from my main password tool BitWarden.  I
found kpcli in the tree.  It's command line and fairly easy to set up.
Even comes with a help option for me, who forgets easily.  I got it
installed and set up to remember my passwords.  During the switch, I put
the LV name with -old or -new depending on which password I was
storing.  Old passwords I came up with were under -old.  You get the
idea.  Once all have a working and well tested -new password using the
command above, I'll remove the -old from kpcli and the key from the
drive(s). 

Then I needed some way to handle if the password file kpcli uses got
lost or damaged.  If I were to lose that file, all drives and the data
on them is lost.  I'd lose everything because there is no way to
remember the password.  The kpcli file itself appears to be encrypted. 
So, it protects itself.  That's good.  I don't need to put the file on
something that is also encrypted, just copy it to a plain file system as
it is.  I have a USB stick that I store things on.  Things like drive
info, what drives go to what volume group, what drive has the OS on it
etc and the portage world file on it.  I also have some scripts in /root
that I don't want to lose either so I copy them to the stick as well. 
Then one important file, my file that contains frequently used
commands.  It is rather lengthy and is 15 years or more of additions.  I
copied all that info to a USB stick.  It lives in the fire safe.  I
copied the kpcli file to that and for extra protection, I created a
second USB stick.  I plan to stick it in an outbuilding, in a glass jar
with a silica pack maybe.  Just in case.  ;-)  So, I have the working
copy and two backups.  I don't have any online storage things.  I really
need to do that for small stuff like this but . . . .  :/   I could do a
lot with just 1GB of data storage.

How I use all this.  I do this in a Konsole, within KDE, which has
tabs.  Might work on a plain console too tho.  If I need to open an
encrypted drive, or set of drives, I open kpcli and get it to show the
password for that drive in one tab.  I then run the little script to
open and mount that drive in another tab.  When it asks for the
password, I highlight the password from kpcli tab and then switch tabs
and middle click to paste the password in.  I don't use the desktop
clipboard to do this.  Once the drive is open, I then highlight random
things, 3 or 4 of them, to make Konsole forget the password.  It seems
to only remember one thing at a time.  I'm not aware of any history
being stored within Konsole.  If someone knows otherwise, please let me
know and if there is a way to clear it.  I repeat those steps if needed
on other drive(s).  Once I'm done, I quit kpcli. 

So, found a way to generate some pretty random passwords, whatever
length and characters I want. I found a good way to store them.  I'm
also able to copy and paste them in a way that has no history of the
passwords that I'm aware of.  I've also made copies of the file in case
the OS drive goes out on me or the file gets erased or corrupted.
Overall, I'm kinda liking this so far. 

One thing I messed up on when creating some LVM drives, I left off the
luks part in some command options when creating them with cryptsetup. 
If you leave that off, it works still but leaves out luks.  The
downside, you can't change the password or keys.  It doesn't have the
keys like it does with luks, just a single password used when first set
up.  So, don't leave that off when creating the encryption.  I'm having
to redo some of my backup drives as I type.  To be honest, one should
change the password if it is something you come up with yourself.  May
not be a bad idea even if you use the steps I use and generate a
password as well.  I don't see a downside as long as one tests the new
changes well before removing the old key. 

I get a LOT of help from this mailing list.  Rich, Micheal, Neil and
several others.  I hope at least one person will read all this and find
it useful in some way and I get to give back a little.  Having a way to
generate and remember passwords is an important thing if you encrypt your
drives.  If you want to keep evil doers out, they need to be really good
passwords.  That command I found generates some good passwords.  The one
I went back and added characters to should be even better, especially
for longer passwords.  Kpcli remembers them and protects itself as
well.  All in all, unless there is something I don't know, this is a
good method to generate and remember passwords.  I hope others will find
it useful.  If you do, please reply and let me know if you can.  I try
to let others know when they help me.  I'd like to know if I help others
as well, if they subscribed to this list and can.  Some may find this
with google or something.

Hope I didn't bore anyone to tears.  ROFL 

Dale

:-)  :-) 
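
An added example, not part of the post: the post's tr pipeline wrapped in a function, plus an estimate of password strength in bits (length times log2 of the number of distinct allowed characters). The names genpw, charset_size and pw_bits are made up here; the two character sets are the ones from the post.

```shell
#!/bin/sh
# Added example; genpw, charset_size and pw_bits are illustrative names.

# The two character sets used in the post (single quotes keep ` and $ literal).
SET1='1234567890!@#$%^&+=?{}[]qwertQWERTasdfgASDFGzxcvbZXCVB'
SET2='~!@#$%^&*()_+`{}[]:;<>?,.1234567890QWERTYUIOPASDFGHJKLZXCVBNMqwertyuiopasdfghjklzxcvbnm'

# genpw LENGTH CHARSET: the post's pipeline. LC_ALL=C makes tr work on
# single bytes, so the random input is never treated as multibyte text.
# CHARSET must not contain - or \ (tr would read them as ranges/escapes).
genpw() {
    LC_ALL=C tr -dc "$2" </dev/urandom | head -c "$1"
    echo ""
}

# charset_size CHARSET: number of distinct characters (duplicates add nothing).
charset_size() {
    printf '%s' "$1" | LC_ALL=C fold -w1 | LC_ALL=C sort -u | wc -l | tr -d ' '
}

# pw_bits LENGTH CHARSET: whole bits of entropy, length * log2(size).
# Valid only because every character is drawn uniformly and independently.
pw_bits() {
    awk -v len="$1" -v n="$(charset_size "$2")" \
        'BEGIN { printf "%d\n", len * log(n) / log(2) }'
}

echo "set 1: $(charset_size "$SET1") chars, 20 long = $(pw_bits 20 "$SET1") bits"
echo "set 2: $(charset_size "$SET2") chars, 40 long = $(pw_bits 40 "$SET2") bits"
genpw 40 "$SET2"
```

The bit counts apply only to passwords taken straight from the generator, not to ones a person makes up or edits afterwards.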

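
An added example, not part of the post: a quick check for the mistake described near the end of the post, where a volume created without the luks step has no LUKS header and therefore no key slots to add or change. On a real system `cryptsetup isLuks <device>` answers the same question; the function name luks_version and the sample image files are made up here.

```shell
#!/bin/sh
# Added example; luks_version is an illustrative name, not from the post.
# A LUKS device starts with the 6 magic bytes "LUKS" 0xBA 0xBE followed by
# a 2-byte big-endian version (1 or 2). Plain dm-crypt writes no header.

# luks_version PATH: prints "luks1", "luks2" or "none".
# PATH may be a block device (needs read permission) or an image file.
luks_version() {
    hdr=$(LC_ALL=C od -An -tx1 -N8 "$1" 2>/dev/null | tr -d ' \n')
    case "$hdr" in
        4c554b53babe0001) echo luks1 ;;
        4c554b53babe0002) echo luks2 ;;
        *)                echo none ;;
    esac
}

# Constructed sample "devices": small files, not real disks.
tmp=$(mktemp -d)
printf 'LUKS\272\276\000\002' >"$tmp/with-header.img"
head -c 4096 /dev/zero >>"$tmp/with-header.img"
printf 'LUKS\272\276\000\001' >"$tmp/old-header.img"
head -c 4096 /dev/urandom >"$tmp/plain.img"   # stands in for plain-mode ciphertext

for f in with-header old-header plain; do
    echo "$f.img: $(luks_version "$tmp/$f.img")"
done
rm -rf "$tmp"
```

A result of "none" on a drive you believe is encrypted means the passphrase cannot be changed in place; the data has to be copied off and the volume recreated with a LUKS header.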