Password Management on Linux
Back when I used Windows, I was a big fan of KeePass. It's a graphical program that you can use to organize and generate passwords, and store them in an encrypted database that you can back up and synchronize. One of its killer features is auto-typing: no matter which program you're in, you can press a and KeePass will look at the active window's title, guess the password you're looking for, and type it into the window automatically.
Now I've switched to Arch Linux and have been using pass for several months. It's available in Arch Linux's standard repositories, so you can grab it with pacman. It's a simple command-line tool that manages encrypted files inside a git repository. pass generate social_media/facebook, pass ls and pass show social_media/facebook are good examples of how it works. I've written some scripts and started using other programs to complement it and make it more intuitive.
keychain and gpg-agent
Simply enough, files are encrypted with your GPG key, which means you need to supply your key's passphrase to decrypt (but not encrypt) data. gpg-agent caches your passphrase temporarily, so you don't need to enter it over and over. keychain in turn manages gpg-agent (and ssh-agent if you use that as well) between shells and SSH sessions.
dmenu and xdotool
dmenu is a very simple tool that displays a graphical menu at the top of your screen. Pipe in a list of newline-separated options, and it will return the one the user chose. This isn't very useful on its own -- after all, pass is purely a command-line utility -- but it works very well with xdotool, a utility that lets you send emulated keypresses to X windows.
Keeping with the UNIX philosophy, dmenu-pass-autotype handles the user selection and pass-autotype handles the typing.
Bind the former to a to match KeePass, but resist making a script to guess based on the window title. Trust me, explicit is better than implicit; and you don't want to accidentally send the wrong password to a window!
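As an added illustration of the split described above (not the author's own scripts), here is a minimal dmenu-pass-autotype / pass-autotype pair in POSIX sh. It assumes pass, dmenu and xdotool are installed, that the store lives in PASSWORD_STORE_DIR or ~/.password-store, and that the selection is always explicit: nothing is inferred from the window title.

```shell
#!/bin/sh
# Added example, not the original post's code. Assumes pass, dmenu, xdotool.

# List entry names the way pass expects them (path relative to the store,
# without the .gpg suffix), skipping dot-directories such as .git, sorted
# so dmenu shows a stable list. Takes an optional store path for testing.
list_pass_entries() {
    store="${1:-${PASSWORD_STORE_DIR:-$HOME/.password-store}}"
    ( cd "$store" 2>/dev/null || exit 1
      find . -name '.?*' -prune -o -type f -name '*.gpg' -print ) |
        sed -e 's|^\./||' -e 's|\.gpg$||' | sort
}

# pass-autotype: decrypt one entry and type only its first line (the
# password) into the focused window. Extra lines (URL, notes) are never
# typed. The secret is fed via stdin rather than argv, so it does not show
# up in the process list; --clearmodifiers releases the hotkey's Ctrl/Alt
# so they are not combined with the typed characters.
pass_autotype() {
    entry="$1"
    secret=$(pass show "$entry" | head -n 1) || return 1
    [ -n "$secret" ] || return 1
    printf '%s' "$secret" | xdotool type --clearmodifiers --file -
}

# dmenu-pass-autotype: let the user pick an entry explicitly, then type it.
# Pressing Escape in dmenu aborts without typing anything.
dmenu_pass_autotype() {
    entry=$(list_pass_entries | dmenu -p 'pass:') || return 1
    [ -n "$entry" ] || return 1
    pass_autotype "$entry"
}
```

Bind a hotkey to `sh -c '. /path/to/this.sh && dmenu_pass_autotype'` (path assumed); sourcing the file only defines the functions.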
Backing it up
Since pass works on a git repository, backing it up is as simple as pass git push, which is easy enough to automate with script wrappers or cron. However, note that, while files are encrypted, file names aren't. It would be unwise to store the repository on GitHub or another repository outside of your control, because they could see a list of websites you use (which is a little creepy, but also reduces your anonymity set on each.)
Instead, I push it to a bare repository on a recovery hard drive, which is itself encrypted and mirrored on Dropbox. Were my computer and on-site backups irreparably trashed, recovery would be logging into Dropbox and downloading and decrypting the container that holds my GPG keys and password store.