Mail server

How to Safely Store Passwords on a Linux Server

Image: Daniel Chetroni/Shutterstock

How many times have you worked on a Linux server (without a GUI) and wished you had a way to store passwords securely? Having such a feature available for your headless servers would be such a time saver.

TO SEE: Password Breach: Why Pop Culture and Passwords Don’t Mix (Free PDF) (TechRepublic)

If you’ve worked with Linux long enough, you probably already know that it’s actually quite simple. Using the GnuPG application, you can create password stores protected by a GPG key for security purposes (so that only those who have the key can access them).

I will show you how to use GnuPG and the pass order specifically for this purpose.

What you will need

To use GnuPG for this you will need a running instance of Linux and a user with sudo privileges. With these things at hand, let’s get creative.

How to install GnuPG and pass

The first thing we are going to do is install the GnuPG application. If you are on an Ubuntu server, the install command would be:

sudo apt-get install gnupg2 pass -y

On an RHEL-based machine, this would be:

sudo dnf install gnupg2  pass -y

If SUSE is your distribution of choice:

sudo zypper install gpg2 pass -y

Arch Linux your jam? Then:

sudo pacman -S pass gnupg pass

How to create a GPG key for your store

We will create a specific GPG key to use with our store. To create the GPG key, run the command:

gpg2 --full-generate-key

Select the default key type (RSA), the default key size (3072), an expiration of 0 (meaning it never expires) and answer Y that everything is correct. You will then add your name to the key, an email address, a comment (whatever you want), and finally, give the key a passphrase (Figure A).

Figure A

Give our GPG key a passphrase to make it strong and unique.
Give our GPG key a passphrase to make it strong and unique.

Now is the time to launch the new GPG store. Access your home directory with:

cd ~/

Start the store with:

pass init EMAIL

Where EMAIL is the email address associated with the GPG you generated. You should see the following two lines of output:

mkdir: created directory '/home/USER/.password-store/'

Password store initialized for EMAIL

Where USER is your username and EMAIL is the email address associated with your GPG key.

How to add a password to your store

With our store ready, we can add a password. By using the pass command, we can create directories to house the associated passwords. Let’s say you first want to create a directory to house website passwords and the first entry will be for TechRepublic. This command might look like this:

pass generate websites/techrepublic.com 12

The above command will generate a random (12 character) password and associate it with the TechRepublic entry in the directory website. You should see output similar to:

mkdir: created directory '/home/jack/.password-store/websites'

The generated password for websites/techrepublic.com is:

@Kh^B##

If you already know the password you want to store, the command would be:

pass insert websites/techrepublic.com

You can change a password with the command:

pass edit websites/techrepublic.com

Once registered, you can then view the password by entering the command:

pass websites/techrepublic.com

The caveat to using pass to store passwords

This is where one of the biggest usability issues pass as storage for your password. If you’re using a distro with a GUI, you’re fine. when you run pass websites/techrepublic.com, you will be prompted to enter the password you created for your key. However, on a server without a GUI, it will just print the password, since the GTK input dialog cannot be displayed in an SSH session.

To work around this, install another application with the command:

sudo apt install pinentry-tty -y

Once installed, set it with:

sudo update-alternatives --config pinentry

Be sure to select pinentry-tty.

After taking care of this, when running the pass command, you will be prompted to enter the password associated with your GPG key. After successful authentication, you will see the password displayed.

One thing to keep in mind is that pass will cache the GPG key password for a period of time. So the next time you issue the pass command, it will not ask you for your password. To work around this, you can immediately clear the stored password with the command:

gpg-connect-agent reloadagent /bye

The caveat is that you always have to remember to run the gpg-connect-agent command before logging out of your SSH session, otherwise the password will be cached for a while, and then someone could log into your server with your credentials and steal your password. Prevention is better than cure.

And that’s all there is to securely storing passwords on a headless Linux server with GnuPG and the pass ordered.

Subscribe to TechRepublic How to make technology work on YouTube for all the latest tech tips for professionals from Jack Wallen.