Pass and KeePassX

I have spent the last two days on a meaningless task. I tried (and succeeded) to write a script that converts the XML output from KeePassX to CSV. My plan was to import it afterwards into Pass, a command line password manager.

If I had just scrolled down to the end of the Pass project page, I might have found the Python script for converting the XML file a bit earlier, and not when I had just finished writing my own script.

Damn. At least I got some Ruby practice out of it.

KeePassX

KeePassX was and is working nicely for me, at least to a certain degree. It keeps track of all accounts and meta-information, and the password file can be synced back and forth. What makes it a bit of a hassle are just a couple of minor things:

  • There is no real versioning. Inside the password file is a category “Backup” that seems to take care of some changed entries, but the file as a whole is not versioned.

  • I need to fire up the program itself every time I want to use it. I just need the password information, nothing more.

  • In order to get data in and out of the password file I need to use the import and export functions. It gets really annoying if you have to figure out which version you have and what password is actually missing.

These are just some minor things I could live with. On the other hand, the search and speed are fantastic, and it really takes just a couple of seconds to get the information I am looking for.

Pass

Introducing Pass. Pass is basically a small collection of scripts utilizing the tools already available. Passwords are stored in GPG-encrypted text files and managed through a command line interface. You encrypt and decrypt with whatever GPG key you have available.

On top of that, a bit of cream: Git versioning is supported, per file/password. Now we are talking, right?

Installation/configuration

Pass is already part of the major distributions.

In addition, you need to source the scripts in your shell. Something like this will do:

$ sudo aptitude install pass
$ echo "source /etc/bash_completion.d/password-store" >> ~/.bashrc
$ . ~/.bashrc

Just in case, and because you never know, I created another PGP key only for this encryption and assigned a password to it. That makes it necessary to enter a password every time I want to decrypt any PGP file. It basically sets a master password to access all other passwords.

$ gpg --gen-key
...

With that key at hand I can create a password store. The default location is ~/.password-store. A symbolic link pointing somewhere else works fine as well.

The string AABBCC is the key ID of my GPG key.

$ pass init "AABBCC Password Storage Key"
mkdir: created directory ‘/home/user/.password-store’
Password store initialized for AABBCC Password Storage Key.

To add Git on top of it, we can pass all known Git commands to Pass. Those will be run right in the password store folder.

$ pass git init
$ pass git remote add origin server.example.com:/password-storage.git

That is it.

Import

All my passwords were stored in the KeePassX database (hihi) file. The only export formats are XML and a simple text file. Hoping the text file would be in CSV format was a waste of time. The text file contains the basic entry information:

  • Title

  • Username

  • Password

  • URL

  • Comment

Besides that: nothing. And not very well structured. So I sat down to dig into Ruby and see what I could learn. I came up with this, and it gets the entries at least into a CSV format.

At that moment I scrolled all the way down the Pass project page and found a ready-made Python script to do the job. Sigh.

The script worked almost flawlessly. It has its problems with special characters of any language other than English. A simple search/replace in the keepassx.xml file fixed that within seconds.

All passwords have been imported into the groups according to the structure in KeePassX from before.

Now is the time the sometimes sloppy naming backfires on me. I will spend some time updating the passwords and getting rid of the old ones that are no longer in use.
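
An added example (not the script from the Pass project page and not the author's Ruby script) of the conversion described in this section: it maps a KeePassX XML export to Pass entry names and bodies, keeps the group structure, copes with non-English characters and duplicate titles, and skips the "Backup" group. The XML element layout, the sample data, the top-level position of "Backup" and all function names are assumptions.

```python
import re
import subprocess
import xml.etree.ElementTree as ET

# Constructed sample; the <database>/<group>/<entry> layout is an assumption.
SAMPLE_XML = """<!DOCTYPE KEEPASSX_DATABASE>
<database><group><title>Internet</title>
 <entry><title>Café/Forum</title><username>jürgen</username><password>s3cret</password>
  <url>https://forum.example.com</url><comment></comment></entry>
 <entry><title>Mail</title><username>a</username><password>pw1</password><comment>old</comment></entry>
 <entry><title>Mail</title><username>b</username><password>pw2</password></entry>
 <group><title>Work</title><entry><title>VPN</title><password>pw3</password></entry></group>
</group>
<group><title>Backup</title><entry><title>Mail</title><password>older</password></entry></group>
</database>"""

def clean(name):
    """Make a title safe as one path component: no separators, no leading dots."""
    return re.sub(r"[/\\\s]+", "_", (name or "").strip()).lstrip(".") or "untitled"

def walk(group, prefix, out):
    path = prefix + [clean(group.findtext("title"))]
    for entry in group.findall("entry"):
        name = base = "/".join(path + [clean(entry.findtext("title"))])
        n = 1
        while name in out:  # duplicate titles get a numeric suffix
            n += 1
            name = f"{base}_{n}"
        lines = [entry.findtext("password") or ""]  # Pass keeps the password on line 1
        for field in ("username", "url", "comment"):
            if entry.findtext(field):
                lines.append(f"{field}: {entry.findtext(field)}")
        out[name] = "\n".join(lines) + "\n"
    for sub in group.findall("group"):  # nested groups become subfolders
        walk(sub, path, out)

def convert(xml_text, skip=("Backup",)):
    """Return {pass-name: body}, ignoring the top-level groups named in skip."""
    out = {}
    for group in ET.fromstring(xml_text).findall("group"):
        if group.findtext("title") not in skip:
            walk(group, [], out)
    return out

def import_into_pass(entries):
    """Feed each body to `pass insert --multiline` on stdin, never via argv."""
    for name, body in entries.items():
        subprocess.run(["pass", "insert", "--multiline", name], input=body.encode(), check=True)
```

The exported XML holds every password in clear text, so delete it once the import has been checked.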