IJHack / QtPass

QtPass is a multi-platform GUI for pass, the standard unix password manager.
https://qtpass.org/
GNU General Public License v3.0
1.03k stars 162 forks source link
c-plus-plus git gpg password-generator password-manager password-vault qt5

QtPass

latest packaged version(s) Build status Coverity scan Coverage Status codecov CodeFactor Packaging status FOSSA Status Translation status QMake Github Action

QtPass is a GUI for pass, the standard unix password manager.

Features

Logo based on Heart-padlock by AnonMoos.

Installation

From package

OpenSUSE & Fedora yum install qtpass dnf install qtpass

Debian, Ubuntu and derivates like Mint, Kali & Raspbian apt-get install qtpass

Arch Linux pacman -S qtpass

Gentoo emerge -atv qtpass

Sabayon equo install qtpass

FreeBSD pkg install qtpass

macOS brew install --cask qtpass

Windows choco install qtpass

Packaging status Translation status

From Source

Dependencies

At runtime the only real dependency is gpg2 but to make the most of it, you'll need git and pass too.

Your GPG has to be set-up with a graphical pinentry when applicable, same goes for git authentication. On Mac macOS this currently seems to only work best with pinentry-mac from homebrew, although gpgtools works too.

On most unix systems all you need is:

qmake && make && make install

Using profiles

Profiles allow to group passwords. Each profile might use a different git repository and/or different gpg key. Each profile also can be associated with a pass store singing key to verify the detached .gpg-id signature. A typical use case is to separate personal and work passwords.

Hint
Instead of using different git repositories for the various profiles passwords could be synchronized with different branches from the same repository. Just clone the repository into the profile folders and checkout the related branch.

Example

The following commands set up two profile folders:

cd ~/.password-store/
git clone https://github.com/vendor/personal-passwords personal && echo "personal/" >> .gitignore
git clone https://github.com/company/group-passwords work && echo "work/" >> .gitignore
pass init -p personal [personal GnuPG-ID] && git -C personal push
pass init -p work [work GnuPG-ID] && git -C work push

Note:

Once the repositories and GnuPG-ID's have been defined the profiles can be set up in QtPass.

Links of interest

Testing

This is done with make check

Codecoverage can be done with make lcov, make gcov, make coveralls and/or make codecov.

Be sure to first run: make distclean && qmake CONFIG+=coverage qtpass.pro

Security considerations

Using this program will not magically keep your passwords secure against compromised computers even if you use it in combination with a smartcard.

It does protect future and changed passwords though against anyone with access to your password store only but not your keys. Used with a smartcard it also protects against anyone just monitoring/copying all files/keystrokes on that machine and such an attacker would only gain access to the passwords you actually use. Once you plug in your smartcard and enter your PIN (or due to CVE-2015-3298 even without your PIN) all your passwords available to the machine can be decrypted by it, if there is malicious software targeted specifically against it installed (or at least one that knows how to use a smartcard).

To get better protection out of use with a smartcard even against a targeted attack I can think of at least two options:

Known issues

Planned features

Further reading

FAQ and CONTRIBUTING documentation. CHANGELOG

Site Source code Issue queue Chat

License

GNU GPL v3.0

GNU GPL v3.0

View official GNU site

OSI-approved license

View the Open Source Initiative site