Announcing gopass – A 'pass' compatible password manager for teams (justwatch.com)
67 points by MetalMatze 4 hours ago | 45 comments
> Second, with all due respect to the original author zx2c4 (who is currently working on the very promising WireGuard project)

Indeed I am working on WireGuard. But I haven't forgotten pass. We're currently working on a new release.

> the project proved to be a wild bunch of hotwired bash scripts that mostly looked like they were written as a one-off job

I very much disagree with this silliness.

Comment about pass... (looks like a great tool btw) you mention in the man page that

> Multiple gpg-ids may be specified, in order to encrypt each password with multiple ids.

That should technically reduce security, when encrypting the same secret with multiple IDs, as it gives a potential attacker more data to work with.

I suggest adding some randomness when encrypting with each key and having pass hide it from the end user when decrypting.

First of all: Thank you for pass! We've been using it a lot internally and just because pass is so awesome, we decided to start gopass.

We use Go for almost everything at JustWatch and that's why we decided to rewrite it in Go as this would allow us to add even more features with better abstraction in the future. Bash just didn't feel like the right fit for that.

I looked at the code for pass recently, and thought it was a nice example of something where bash is absolutely adequate.

Reading the description for gopass, you point out:

> There is one slight drawback to all the simplicity, and that is an information disclosure inherent to the design: pass stores all folder and file names in clear text, so even if you fully trust GPG, you should probably not put this repo into a public place like Github, because this may expose your account names and other metadata.

What's not completely obvious from a cursory read is whether gopass improves upon that. Also, the multiple stores feature looks like it might be quite nice, but a lengthier example would be very helpful!

That's exciting, because now we get to find out how big a problem it is when a tool you use is in a language you don't. It might actually be a good idea if the original one is waning, because you only need to make a competitive version of any one of those tools or businesses.

Jason, my apologies - that passage was me and, at second look, written much more confrontationally than necessary or sensible (I'll probably edit it as soon as I'm on a workstation). As they say, you can't argue about taste. Thanks for all your hard work, especially on pass.

Everyone should be free to choose how he handles his personal matters. This is one of the reasons why we wanted to keep full pass compatibility. So anyone using either pass implementation can switch at any time.

But I don't want to spend my time writing bash and sending patches by mail.

Really weird that there's no mention of 1Password and its flexibility through both 1Password for Teams and 1Password Shared Vaults. I work with 2 different teams that share passwords like this and one of them has a shared vault that syncs through Dropbox for everyone while the other one is managed through 1Password for Teams so that we can update passwords and access at our discretion.

I'm very curious to see how this will stack up against those solutions because, to be honest, there is very little room for improvement from 1Password, in my eyes. They have a very, very solid and secure product and the UI is fantastic.

I'm pretty excited about this actually. Thank you so much for your efforts. I've been using pass for a while now, and I really love what it does, but it's a case where it feels 90% finished.

I have one desperate request: colour output as an option. Every time there is an update to pass (or I need to reinstall) I need to edit the file and change the options from `tree -C` to `tree -n`.

This is a pain in the ass. I am visually impaired. The 'default' dark-blue that tree uses for directories is unreadable to me.

My two choices for dealing with this are to use DIRCOLORS or edit the pass executable. I'd prefer not to muck about with my environment settings (as I do not normally see any colour output).

Anyway; awesome project!

https://github.com/justwatchcom/gopass/issues/4

I just created an issue for that. Shouldn't be that hard to support it. Feel free to subscribe to the issue on GitHub or comment on anything that's missing. Thanks!

I have a similar project that uses smartcards/HSMs/anything with a PKCS#11 interface called "hunter2":

https://chiselapp.com/user/rkeene/repository/hunter2/

We're the team behind gopass and worked hard over the last weeks to bring you this - happy to hear any feedback!

I've used QTPass. It provides support to encrypt password directories to multiple keys. It allows for multiple profiles as well, so one can have a team password store as well as a private one. It can also auto push/pull. Plus it has a nice cross platform gui.

Can you elaborate on the differences between how gopass and QTPass accomplish these things and why one might want to choose gopass instead?

Actually, QTPass uses `pass` under the hood (which means you can use it with gopass as well!) and seems to have taken a different abstraction on it than we did, I didn't know about that project. That being said, with the next versions we're supporting much nicer features as well, such as binary secrets, grant/request workflows and other stuff. We cater to a command-line first audience, but there's nothing preventing you from using QTPass with gopass.

Roadmap

- Be 100% pass compatible
- Storing binary files in gopass (almost done)
- Storing structured files and templates (credit cards, DBs, websites...)
- UX improvements and more wizards
- Tackle the information disclosure issue
- Build a great workflow for requesting and granting access
- Better and more fine-grained ACL
- Be nicely usable by semi- and non-technical users

Looks great! Will be using this instead of pass from now on :) Any plans for adding fish shell autocompletions?

This looks great, I've been toying with something similar built on top of Keybase that I just use for personal passwords, but using KBFS means it should be simple to extend it to shared passwords, since you just store it in the `private/me,you` directory instead of `private/me`.

My concern with using something like this or pass is that I have to manage the distribution/backup of the store/vault/db myself - whereas I can throw my laptop off a cliff, buy a new one, login to Keybase, and my passwords are still there.

Shameless self plug: I actually built a project called passgo, modeled after Jason's pass project as well. I'm a huge fan of pass' simplicity, but I really dislike managing keys:

https://github.com/ejcx/passgo

The difference is mine does not use PGP and is instead password based, but the command line interface is almost identical. I now use passgo to encrypt and manage my ssh keys, etc.

There's a Chrome+Firefox browser plug-in which also uses a native binary written in Go: https://github.com/dannyvankooten/browserpass/blob/master/br...

I just spent a few hours to migrate our keepassx database to pass and make the team switch to pass.

Gopass seems great, especially the multistore support (which you can do w/ pass by setting an env variable), thank you for your work!

Any example of a company where a few people badly need to share passwords and there is no "team" where you can add new users?

Should tab completion work with gopass? Seems pretty unusable to me as a general purpose password manager without it, but it doesn't work for me out of the box with a `go get` source install.

Edit: found it on the github readme https://github.com/justwatchcom/gopass#autocompletion

Pretty neat, and addresses a space where no tools seem to exist.

Would be cool if it could leverage a GitHub public repo for password updates. Something like using the list of collaborators on a repo, iterate over their GH public keys, and push new encrypted files for each collaborator on the repo.

I suppose though, this would leak a lot of metadata on how the tool is being used, and would tie it too closely to GitHub vs just git.

> Pretty neat, and addresses a space where no tools seem to exist.

It's literally a port of an existing tool, so a tool DID exist.

You can use a public repo - we just wouldn't recommend it at this point in time, for the obvious reason of metadata leakage. We're currently thinking hard about how to enable this while still leaving the nice properties of git merges alone - might be some kind of shadow mode with hashed identifiers in the end.

So this is intended to be unix focused, not something that could replace LastPass, for example? Been looking for something better than LP.

It really boggles the mind why there is no open source LastPass/1Password Teams/etc. clone/rewrite.

There was TeamPass, which was buggy as hell and shouldn't be touched with a long pole... but why is there nothing else?

Where can I donate twice my yearly LastPass fee to get something self-hostable and open source, and fund their audits?

And no, KeePass in Dropbox/NextCloud/WhateverStorage doesn't work for a company that has non-IT people needing access to passwords.

Well, there is rattic, but it is unmaintained.

http://rattic.org/

Another unmaintained one is mitro:

https://github.com/mitro-co/mitro

Because tools like this are expensive to do, especially when you want things like mobile clients.

I'd love to open source my self-hosted team password manager, but I just don't know how to afford it.

I'm a fan of 1Password.

Same. Really surprised that this and my comment are the only mentions of it. 1Password for Teams is great!

Just moved our company to 1Password Teams and it's great.

We're happy to include Windows as well (shouldn't be that hard to integrate thanks to Go), but there's simply nobody using Windows in the team at this point. Feel free to contribute - this project is meant to be the rock solid base of a very versatile password manager ecosystem.

If I may shamelessly self-advertise, our (commercial) team password manager is intended to be fully cross-platform: https://pave.software/

(Mobile OS clients are on the roadmap.)

Dashlane?

This is the first I've heard of Dashlane -- looks more or less like an LP clone. Can someone give me a comparison rundown / why one would prefer it?

They are both password managers and will have similar features. Google "lastpass vs dashlane" and you will find several comparisons.

A comparison between this and Vault would be super useful.

Vault is pretty cool as well, but hard to set up correctly (you need your own PKI for serious use, etc.) - its sweet spot is server-side and app secrets used in production, while gopass is meant to cater for all kinds of shared secrets in distributed teams.

I don't understand the distinction.

Vault's sweet spot is automated generation and revocation of credentials which are given to authenticated clients (like creating a one-off keypair for an SSH session & giving the private part to the user and allowing the server to read the public part).

We're currently testing the waters of migrating our pass-like shared password store to vault (so we can grant authorization to automated scripts to read certain shared rotated creds).

I would very much encourage anyone to use Vault to manage secrets consumed by machines, but for personal credentials it's maybe not the best fit.

One of my ideas was actually using Vault as an alternative backing store for a gopass mount. Then it's Vault for company secrets (and no hassle with keys, due to the central PKI) and gpg for private stores (fast and simple to set up on your own).

A "PKI" is just a root signing key. I don't have strong opinions about Vault or the Vault approach in general, but I worry when I see people dispensing advice about secret storage who adopt the position that a PKI is a difficult thing to reason about.

> There is one slight drawback to all the simplicity, and that is an information disclosure inherent to the design: pass stores all folder and file names in clear text, so even if you fully trust GPG, you should probably not put this repo into a public place like Github, because this may expose your account names and other metadata.

This is my concern with pass. It's an awesome tool, but it really needs to figure out a way to hide the filenames. I think this is doable (after all, encfs has the same need, and does it well), but I don't know if the pass team have the will to do it.

> First, the project is curated in a traditional mailing-list based approach that was pretty unapproachable compared to a modern Github based workflow.

Sigh, not this again. I think that I prefer email vice a proprietary, centralised single point of failure like GitHub, and I know that I'd rather not work with someone who considers email unapproachable.

If your email account is unmanageable, fix it. Email's a really, really valuable tool; don't let go of it.

I don't see how GitHub is a single point of failure. The tool was developed on an internal GitLab instance and then just pushed to GitHub. In case anything happens to GitHub you'd just have to push it to some new service and update the website. Nothing will be lost.

It's just more exposure to put it on GitHub right now, because most people bookmark/star their repositories there and don't want to bookmark different cgit/GitLab/gogs/gitea links. I don't think anyone is abandoning email just because they don't want to email patches around and manually apply them.