In light of the recent revelations of the Meltdown and Spectra CPU flaws I though there would be more interest in using pass (password manager) along with the pass-qubes (Split-GPG extension ) since the Qubes Security Bulletin mentioned using Split-GPG as an extra layer of security with Qubes OS.
EDIT It should be noted that split-gpg will offer an extra layer of security in general bu it does not offer protection against these CPU bugs as noted in the next post by HulaHoop’
They were mentioned previously in this thread but for ease of locating here are the links.
One of the reasons for this post is there may be users like myself that installed pass and had it working properly but where unable to get pass-qubes extension functioning. I haven’t figured out what is wrong, but I’m guessing it has something to do with the way the package manager installs pass:
apt-get install pass
vs
Installing manually:
Downloading the tar file,decompressing, make install
or git clone, make install
Fortunately there is a easy workaround to get pass-qubes extension working and as I’m sure you have guessed it only involves installing pass manually. This can be accomplished as per the instructions on the pass home page.
Also if you’re getting this error message after configuring everything properly it may indicate a manual install is necessary:
Error: qubes is not in the password store
It may be helpful when troubleshooting to know that this issue/bug may not be isolated to the pass-qubes extensions. A Qubes user had a similar problem when trying to install two other pass extensions. Not only that but a Fedora based VM was used so its not isolated to Debian either.
If any Qubes users are interested in step by step install instructions let me know and I will post them for you.
That makes sense. The CPU would have access to the VM regardless if it was network isolated or not. I misinterpreted split-gpg, which in general is an extra layer of security (for your gpg keys) for an extra layer of protection against those bugs. Thanks for the info, my post has been corrected.
I have always frowned upon using some specific software (especially GUI software) for managing passwords, what exactly is escaping me? I always used a plain text file to store passwords, which I encrypt using gpg. I have seen pass mentioned a few times in the news (and in this thread), but there’s one feature of it that totally put me off and killed my desire to consider it. AFAIK pass advertises to store per-site passwords in GPG encrypted files, but names those files with site names. To me this is a giant flaw since it leaks the names of the sites one has accounts for.
KeePassXC has a plethora of features that make it much more useful than a text file.
In a kdbx database, I can store the password to my bitcoin wallet. I can store the seed. I can store the master public key, I can store the master private keys. (extended too). I can store a CVS file of all public keys for all addresses. Also a CVS file of payment addresses.
I can store URLs (encrypted), notes, and all kinds of other things. It has a password generator for secure random passwords.
It has YubiKey support. And KeyFile support.
I could not live without KeePassXC.
The only thing that I don’t like is that every time you save a new password, or change the database in any way, the entire database needs to be re-uploaded to the cloud.
So if I have a database that has a lot of large files attached, every time I edit anything in the database, the whole 400mb database has to be re-uploaded to my cloud storage provider. But this is a minor gripe.
How does pass leak site names? In Qube-Whonix an AppVM which has networking disabled can be used for a password vault. Regardless if Qubes is used or not. I don’t see how site names in cleartext matters. If an adversary can see those files he/she likely has access to your system. All that they would have to do is wait until you entered your vault password and log the password.
That is were they should stay. Security and Anonymity should be your number 1 priority when selecting a password manager. Features that could possibly degrade security and anonymity should not be used.
LessPass is an interesting password manager because it deterministically generates the same password for the same logins no matter what device you use it from without needing to sync the databases. This is possible because it generates these passphrases based on site, login and a master password.
Good find! Arcieri knows his stuff and it’s good to see a knowledgeable analysis about this family of pw managers. According to this new info we should actively discourage stateless managers on the wiki, citing the main argument headings. These ar core design flaws and can’t really be fixed.
It is possible to use the same vault for multiple AppVMs. I have that configured now for my SecBrowser. For example, i can add just my email password to my Thunderbird (only) AppVM. Then set environment QUBES_GPG_DOMAIN=my-vault.
Next I could add my whonix forum password in separate AppVM with environment QUBES_GPG_DOMAIN=my-vault set in that as well.
Also possible to add the password-store to an dvm template (AppVM with pref template_for_dispvms=true).
Having tried keepassxc (the current default in Whonix 15) I consider to avoid it and use keepassx instead.
Main reason is I dislike the AutoType feature that can’t really be fully disabled as far as I’ve seen. I prefer not to have an app (especially one that is used so frequently) that sends data (and in this case, very sensitive data) to other applications in this way. Too easy for mistakes to be made.
