Cross-platform Password Manager (arm and amd64)

Hello! I got my L5 last week and have been getting it set up. I’ve had a pretty good experience with it. However, one sticking point is password management. I used to have LastPass but moved to NordPass following their breach. While NordPass has been terrific for me, I was bummed that they don’t offer an arm64 version that I could use on the L5. I looked at the currently available password managers in the PureOS Store, but I didn’t see anything that syncs across devices (e.g. my L13).

Any feedback would be appreciated! Thanks!

I am using Password Safe from the Software Store on my phone and KeePassXC on my Ubuntu Laptop. Both use the same format, .kdbx, and I use Syncthing to keep the password file synced between devices. KeePassXC is available through Flathub, but I have found it a bit clunky to use on the phone.

2 Likes

There is also Secrets, based on Keepass: List of Apps that fit and function well [Post them here.]
It doesn’t offer syncing, either, though.

1 Like

Thanks for the input! I hadn’t considered syncing between different products with a similar format. Good to know that option exists.

1 Like

I use Secrets with Syncthing. That way it does sync between any devices that can install apps that read .kdbx DBs and allow installing and running Syncthing, and you don’t have to pay any cloud provider for a service that you can basically perform yourself.

Another 2 cents: I used to use pwsafe safes when mostly on iOS, but with cross-platform clients mostly having been abandoned, or no (usable) mobile phone Linux version being available, I had to convert the database from the pwsafe format to the .kdbx format. Whatever manager you use, it’s important that the whole database can in the end be exported as a text file so it is easily shareable between different clients.

1 Like

Sounds good enough for me to try, thank you!

1 Like

That is the one I meant, I always forget the name of it. Maybe I should store it in my password safe :joy:.

1 Like

I recently started using rsync, so I just back up the .kdbx database to my network storage, where I can access it on any of my devices. If I have to travel away from home, I can copy it to the device(s) I’m taking with me.

Gotcha, a nice solution indeed. I needed a semi-cloud solution since I edit passwords on mobile and on desktop, and otherwise I would keep losing passwords and access to websites etc. I still sometimes lose passwords if Syncthing acts up (which happens at times, but it’s fairly solid).

1 Like

It’s got a larger footprint and serves a different purpose than Syncthing, but it’s worth mentioning that Nextcloud is also very handy at keeping the database file synced over an assortment of devices. I use keepassx on most of my computers and KeePassDX on Android. It takes a little more setup but I’ve never looked back at paying a cloud service provider to handle my sensitive data.

2 Likes

I like the idea of Nextcloud, but how do you protect yourself from attacks, with folks trying to get into your server? Is it necessary to pay domain registration fees for Nextcloud, so isn’t there a cloud price tag attached, say 100$ a year?

I have a website and could use that as my Nextcloud instance but have been hesitant, so I am already paying those fees.

It’s not necessary but it’s a quality-of-life improvement. I pay $50/yr for a domain hosting provider but you can find dynamic DNS services for cheaper, or even free. I used to use no-ip.com for a free domain, but you have to verify registration every month which becomes annoying by design.

As far as security goes, I just use the best practices I can, configure a firewall, install fail2ban, have full on- and off-site backups, and employ various other network hardening strategies on my router.

1 Like

What does cross-platform mean? Multiple Linux computers or also Windows? If Linux-only then maybe you can do the same as @amarok but do it with “Passwords & Keys” (aka seahorse) and a .keyring file.

That of course does not provide proper synchronisation (by which I mean that any client device can add a new secret and then synch that secret to all other devices). This approach works best if one device is more obviously the “master” and all other devices can be treated as “slaves”.

So it all comes down to your requirements: the number and type of devices, whether a central server solution is OK, whether a truly distributed solution is required, what your security (trust) restrictions are, …

1 Like

I never paid for a domain more than 20USD per year.

Security: firewall, frequent updates to run away from known exploits, access critical services only using a VPN, no passwords and public key authentication only, and an isolated VM for each service so that the attacker can’t do more damage even if they get in. Granted, if the attacker manages to access the service with your critical data, then keeping them unable to move elsewhere might not matter a lot :stuck_out_tongue:

2 Likes

I’ve said it before, I use 3 paper notebooks and one is in a fire safe. I make pencil notation after every password change in all three.

One is small, it is like a magician’s travelling spellbook.

P.S. Always use pencil or one of those erasable pens.

That’s how I do it. :+1:

Before I got organized, whenever I edited the database (which is not very often, actually), I did it on my main laptop, then backed it up to my RPi (always on), from where I propagated it to my other devices.

Now that I’ve attached external storage to the RPi, and am using it for (manually applied/rsync) file storage and backup, I first edit the password database there, then every device can grab it over my network.

1 Like

I’ve done IT support type work and the rule is that the password is written down somewhere within a 1 meter radius of the computer. Check under the keyboard first.

And a copy in an envelope taped to the inside door (or drawer) of the fireproof tape safe (if they still use tapes). Still, every IT dept should have a fire safe.