I don't really want to replace it. It works fine. But the toolchain for other platforms is becoming difficult to manage. I use pass with PGP Yubikeys as backing for each encrypted password. But the developer of the Android version has stopped supporting it and the person who took it over has removed yubikey support because he doesn't use it himself and doesn't care about it.
Of course I need to access my passwords on Linux, Windows, Mac, Android. Only iOS is not possible because Apple doesn't allow raw APDU access to NFC tags so you can't do OpenPGP functions.
I also don't want to use a password manager with a single master password like bitwarden. I want each password to be encrypted individually with the public key from a number of hardware tags (multiple, that's also a hard requirement). This way not my whole password database is instantly leaked when my master password gets compromised. Even when my endpoint gets completely compromised, the only passwords they will have are the ones I decrypted on it since it was compromised. Yubikeys require a physical touch for every decryption so you also can't 'milk' them for credentials when they're inserted and unlocked. Also, any password manager I use must be self-hosted, I hate and don't trust the big tech companies.
I wonder if this could be a new backend. And have support on all platforms (though iOS I don't care about personally, but it would be a nice to have).
Checkout passage: https://github.com/FiloSottile/passage which has done part of this by using age instead of pgp. I used it for a while, and last I checked there was sadly no android app (the pass android app hardcoded too much PGP to be a useful base, so I was told), but the work is def there.
Nice! But I can't really use it until it works on Android too (with hardware keys). I'll definitely try it out though.
> the pass android app hardcoded too much PGP to be a useful base
The original one did not. It leveraged the OpenKeyChain external app which basically handles all the PGP stuff. So there was no PGP code in the app. Similar to how it's done on a PC with the gpg suite
But someone rewrote it with an internal library which also removed Yubikey support.
I think my dream password manager currently is a Pinephone with a special custom UI that allows for managing and securing a list of accounts/passwords that can type them out via USB HID keyboard gadget when prompted.
No way to prompt it for data, or compromise it remotely.
No other features, no OS userspace, no wifi, no adb, no nothing. Just a Linux kernel + a tiny single userspace static binary based on lvgl for UI and libsodium for encryption/storage. Normally powered off, boots in 2 seconds. :)
I made one of these a while ago in school, it was fun! I think it's a great idea. Mine really had nothing: an overly complicated MCU, since it was provided by the class, but otherwise no need for an OS or anything: https://benkettle.xyz/projects/password-keeper/
Nice. My wishlist also includes something similar looking with Luckfox Pico Mini + small OLED for displaying info about requests (via USB), to authorize various crypto operations with secret material stored on the device. :)
Tons of ways to compromise it between your computer's USB port and the server's database, though. If you already have dedicated hardware, FIDO authenticators make much more sense.
> Just a Linux kernel [...]
That's several orders of magnitude more lines of code than any FIDO authenticator implementation.
> Tons of ways to compromise it between your computer's USB port and the server's database, though. If you already have dedicated hardware, FIDO authenticators make much more sense.
I mean, if you have the amount of access needed to compromise a USB connection, you have way more than enough access than needed to just yoink the authentication token or encryption key from browser storage.
Cheaper, with integrated display, battery, touchscreen, working software, and nice form factor for the use case, sane fully open bootloader and firmware, full documentation for everything, much more power efficient.
I do think though that just using a pinephone as just a password manager might make sense for some people (I think) but at the price of pinephone and the features you can get with it, this is really underselling it (I think)
Maybe I don't have enough money to buy a pinephone just for this purpose but even if I would have, I would personally look more into soldering (esp32?) or some single board chip (SOC?) with a touch screen sounds nice too.
Now I am not kidding, there was this dumb phone which I was using and its cost was like 12.5$ and it had the features of camera, mic , text , messaging, audio, file manager and so much more... Basically it just didn't had a browser or ability to add apps ofc since it wasn't android. But yeah I do believe that something niche could be developed for people like you at maybe 1/10th the price
I don't really want to replace it. It works fine. But the toolchain for other platforms is becoming difficult to manage. I use pass with PGP Yubikeys as backing for each encrypted password. But the developer of the Android version has stopped supporting it and the person who took it over has removed yubikey support because he doesn't use it himself and doesn't care about it.
Of course I need to access my passwords on Linux, Windows, Mac, Android. Only iOS is not possible because Apple doesn't allow raw APDU access to NFC tags so you can't do OpenPGP functions.
I also don't want to use a password manager with a single master password like bitwarden. I want each password to be encrypted individually with the public key from a number of hardware tags (multiple, that's also a hard requirement). This way not my whole password database is instantly leaked when my master password gets compromised. Even when my endpoint gets completely compromised, the only passwords they will have are the ones I decrypted on it since it was compromised. Yubikeys require a physical touch for every decryption so you also can't 'milk' them for credentials when they're inserted and unlocked. Also, any password manager I use must be self-hosted, I hate and don't trust the big tech companies.
I wonder if this could be a new backend. And have support on all platforms (though iOS I don't care about personally, but it would be a nice to have).