sirodoht blog

Feasible setup for passwords and backups

People on the internet say it's a good idea to backup your data. Obviously, normal people ignore them. No one likes complicated processes with unclear long-term benefits1.

However, there is a neat way to do it.

borg for backups

It is well known borg is the Holy Grail of backups. Along with rsync.net it’s a battle-tested combination that has worked great for many.

However, there is a (not so much anymore) new player in town, restic. Does everything better except one important thing. Specifically:

  • restic is one binary in contrast to borg (Go vs Python/C)
  • restic does not need a server-side component
  • restic can work with multiple protocols vs borg's SSH
  • restic supports multiple machines backing up to the same repository
  • restic supports multiple unlock keys
  • borg has better performance? — claimed here
  • borg is a more mature project
  • borg supports multiple compression algorithms while restic doesn’t support compression (yet?)

The last one is quite important if one is paying for the extra space. But, your data might already be compressed, in which case, borg’s compression won't mean much to you.

gopass for passwords

It's sad that in 2020 every website implements authentication and authorization in their own nonideal and potentially insecure way. And it still eludes me why WebAuthn wasn't invented and implemented in 2000. In any case, we still need to manually2 create, save, input, change passwords.

gopass — faster implementation of the original renowned standard unix password manager pass — is an ultra-portable thin porcelain over GPG, which acts as a password manager. The command line interface, along with the bash completion is lovable. The way it works is, it creates a specific GPG key and then encrypts each password as a file, inside a directory, ~/.password-store. The passphrase of that GPG key is one’s master password.

There is also a sweet variety of extensions and clients on top of the original pass (they are interoperable).

frank for 2FA

It was a happy simple life in the past, a password manager would solve all your problems. Now we need to solve 2FA/MFA too. The most famous solution, Google Authenticator, has a couple of problems. Namely, it’s Google’s, so one day it might not even be in the app store. To make matters worse, it doesn’t allow exporting. Once you import the secret, it’s locked in, forevermore. Finally, it isn’t synced to your Google account, so if one loses their phone, they are done for.

Google: Don't lose your phone!
Normal person: Oh noes! I thought there would be no consequences :(

Some password managers like 1Password offer cloud 2FA solutions, but we would have to trust them to enjoy that. I couldn’t find any solid standalone CLI solutions, so I made a thing of my own. Bad idea—I know! But I used a pretty good OTP library (I think) and just wrote the terminal input part.

Combining with gopass + sed we get this magnificent, ^R-able, one-liner for retrieving our AWS MFA key:

$ frank $(gopass aws.amazon.com | sed -n '2p') | pbcopy

The sed part exists because the MFA secret is in the second line of the gopass output. pbcopy auto-copies it.

Limitations

As you might have guessed by now, there are several limitations in this way of managing one's cybernetic life. For starters, borg is complicated even for programmers.

Programmer: Is this the passphrase? But then which one is the secret key? Do I have to remember both my secret key and my passphrase? That's mental.

gopass is not UX friendly unless you are weird; and frank is the same. Not to mention that nothing works from your own phone as nothing is synced, which is a major deal-breaker for many.

Weird person: gopass is nice.

Yet, the article's title is unambiguous: a feasible option.


  1. Incidentally, that's also the reason people don't like taxes. 

  2. Not that we have, ourselves, to XOR OrpheanBeholderScryDoubt 64 times. But still, a chore done more than 887 times according to gopass ls|wc -l

← Previous
Tech makers webring
Next →