Skip to main content

Hardware Password Manager

[Updates 2025-01-20]
The original blog post assumes that all passwords are stored in one password manager, and the password manager either unlocks everything or nothing (e.g. Keepass).
After discussing with friends, I realized that if I use something like pass, and I use a hardware GPG token, I can actually store and sync all encrypted passwords to all devices, because I will only decrypt the passwords on demand, and the computer will not see the GPG private key.
The compromise is that the computer will see the list of all password entries (e.g. accounts), as well as a few other issues.


I've been using Keepass for many years. I don't use online password services because I cannot fully trust them. Besides, I may not always have Internet connection, which is why I also don't use a self-hosted service.

Everything has been working fine, until I turn my paranoid knob to the max.
Here's the thought experiment.

The Imaginary Scenario

Let's say I have 100 PCs for different purposes. Among them:
  • I use Google and Steam on PC 1
  • I use Google and Bank on PC 2
  • I use Bitcoin and Bank on PC 3
As a thread model, I'd just assume that PC 1 is filled with malicious software, which will upload everything to somewhere. I might be fine with that for Steam, but I will never use it for Bitcoin.

Now here's a question: how do I manage the passwords?

Note that Google is used by multiple PCs, if I store the password on multiple PCs, it'll be tricky to maintain it whenever the password is updated. So I should store the password on a single PC.

Also note that the scenario is the same for the Bank, so I should also pick a single PC to store its password.

Now I have to remember "Password X is stored in PC Y". This is only practical if Y is the same for all passwords, and naturally PC Y is the one with the highest security level. 

Let's say I store my Google password in PC 3. How about the Steam password? I could store it on PC 1 since it's only used there, but later again, I have to remember some password is stored in PC 1 and some other password is stored in PC 3, which is not practical.

So the conclusion is: all password should be stored in the single PC with the highest security level. And we just call that PC the hardware password manager.  Note that in reality it can be any suitable device, not necessarily a PC. 

The Hardware Password Manager

Note that a hardware password manager has all the requirements of a software password manager, with an extra one: it can leak no information other than the requested password. This implies the device must be unlocked locally, because we cannot input the master password elsewhere.

As a bad counterexample, today, in reality I have a single database for all passwords, and I use it on all PCs, but as soon as I open it on PC 1, it will know all passwords in the database, including the master password.

Such hardware password managers are actually easy to find:
But I want more: 
  • Portable: I can carry the device on the go.
  • Auto-type: I don't need to type the password letter by letter.
And there are existing nice solutions:

How Can I DIY One?

If I need such a device today, I'll probably purchase one of the existing solutions.
But after reading about those interesting DIY projects, I'm also interested in thinking how I could make one myself.

Requirements

First I need to write down my reqiurements, which explain why most DIY projects are not good enough for me.
  • The data is encrypted at rest.
  • The device emulates a Bluetooth keyboard. Well, a USB one also works, but I guess it'll wear off too quickly.
  • The device leaks nothing but the requested password.
    • The device must be unlocked locally. We cannot unlock it through the PC that receives the password.
    • The device is air-gapped. It have no network access.
  • The device is secure from unauthorized access.
    • [OPTIONAL] The device will lock itself after a few falseful attempts.
    • [OPTIONAL] The device is somewhat resistant against tampering. E.g. someone steals my device, modifies the software then secretly puts it back.

Hardware

Mostly I'm thinking of Raspberry Pi, which may be the regular ones, or Pi Zero, because they have a nice ecosystem of accessories. Alternatively, phones, handhelds and Arduino etc can also work. 

The device will need its own display and input, which could be something like a Game HAT, or a touch display. And I will need more components:
  • Case
  • Battery
  • USB cable
  • NFC
I also want a Yubikey for unlocking the device and the database.

Software

  • Surely I'll install Linux, likely Debian. And I'll have to maintain/upgrade the system completely offline. There is apt-offline for this purpose.
  • I'll use LUKS, which can be unlocked by a hardware token using systemd-cryptenroll.
  • The passwords will be encrypted by GPG, because I want to unlock it using Yubikey.
    • I could just use pass
    • Or I can juse KeepassXC, while encrypting the master password with pass. 
  • It should be relevant easy to emulate a USB or Bluetooth keyboard, especially on a Pi.
  • I'll need some UI to display the status.
    • This probably requires some work.
  • I'll need to input some PINs, using the touch display or buttons.
    • This probably requires some work.


Conclusion

Maybe one day I'll be way more paranoid, I don't trust my devices and I don't trust commercial hardware password managers. In that case I'll likely start building something on my own.

But before that, I'd like to just keep it as a long-running fun thought experiment.

Comments

Popular posts from this blog

Determine Perspective Lines With Off-page Vanishing Point

In perspective drawing, a vanishing point represents a group of parallel lines, in other words, a direction. For any point on the paper, if we want a line towards the same direction (in the 3d space), we simply draw a line through it and the vanishing point. But sometimes the vanishing point is too far away, such that it is outside the paper/canvas. In this example, we have a point P and two perspective lines L1 and L2. The vanishing point VP is naturally the intersection of L1 and L2. The task is to draw a line through P and VP, without having VP on the paper. I am aware of a few traditional solutions: 1. Use extra pieces of paper such that we can extend L1 and L2 until we see VP. 2. Draw everything in a smaller scale, such that we can see both P and VP on the paper. Draw the line and scale everything back. 3. Draw a perspective grid using the Brewer Method. #1 and #2 might be quite practical. #3 may not guarantee a solution, unless we can measure distances/p...

Chasing an IO Phantom

My home server has been weird since months ago, it just becomes unresponsive occassionally. It is annoying but it happens only rarely, so normally I'd just wait or reboot it. But weeks ago I decided to get to the bottom of it. What's Wrong My system set up is: Root: SSD, LUKS + LVM + Ext4 Data: HDD, LUKS + ZFS 16GB RAM + 1GB swap Rootless dockerd The system may become unresponsive, when the IO on HDD  is persistantly high for a while. Also: Often kswapd0 has high CPU High IO on root fs (SSD) From dockerd and some containers RAM usage is high, swap usage is low It is very strange that IO on HDD can affect SSD. Note that when this happens, even stopping the IO on HDD does not always help. Usually restarting dockerd does not help, but rebooting helps. Investigation: Swap An obvious potential root cause is the swap. High CPU on kswapd0 usually means the free memory is low and the kernel is busy exchanging data between disk and swap. However, I tried the following steps, none of the...

Fix Google Security Code

Google Security Code (http://g.co/sc) is one type of 2-step verification. This is particularly useful when security keys and passkeys are not available. I have been using it in my LXC containers, until today I found out that it stopped working. It just kept saying "The code is invalid". It is easy to rule out some factors: The code works on other browsers on my laptop. The code works on other devices that are directly connected to the router. So it appears that Google also checks IP addresses besides the security code. Recently I have IPv6 enabled, so most devices that are directly connected to the router have both IPv4 and IPv6 addresses. But  I only enabled IPv4 for my LXC containers. So I guess when a code is generated by device A and used by device B, Google should be able to check that device A and device B are closely located. But in my case, IPv6 address appears on device A but not on device B, which may look suspicious. To fix the problem, I just needed to disable IPv...