With Trezor-R in development, I don't expect any work on Password Manager in the near future. In the meantime I've been looking at hardware based alternatives to securing passwords.
DISCLAIMER: I haven't audited all of these, so don't take any of my remarks as recommendations
Keepass2 with Keepass2Trezor
This is a plugin to the popular KeePass password manager. This plugin registers your Trezor as a challenge / response device for use in opening and unlocking your Keepass database. The challenge / response uses Trezor's builtin CipherKeyValue API.
Keepass is an awesome password manager, with pretty much any feature you could ask for. One thing to watch out for though would be related to maintaining dependencies on Trezor. If you move the database to your iPhone, which is supported by Keepass, you wouldn't be able to unlock the database since iOS has no way to talk to Trezor. But, if you speak a bit of python, you can recreate the secret using the trezorctl cli.
- Keepass2 Homepage
- Keepass2 Plugin Directory where Keepass2Trezor Plugin lives.
KeepassXC with Yubikey hmac-sha1
Though this requires a NEW piece of hardware, it still provides hardware backed security for your passwords. Not all Yubikeys work, only the ones that support Yubikey's HMAC-SHA1 API. I believe the cheapest one on that list, as of this post, is the $50 Yubikey 5 NFC. Technically you can use your Yubikey on either KeepassXC or Keepass2 (with plugin), but the way they encode the challenge is different so you can't use the same slot for both. I haven't tried running both off one key but it seems like it would be possible, IDK.
- Keepass2 Homepage
- Keepass2 Plugin Directory where KeeChallenge Plugin lives.
- KeepassXC Homepage with YK-hmac-sha1 support builtin.
GPG Password Manager with Trezor
The default Linux password manager pass is all based on GPG. If you install trezor_agent you can secure your GPG keys with your Trezor. This will allow you to store passwords in pass, which will use Trezor to unlock the entries. There are actually a dozen or so password managers that use pass (and gpg) as the backend. This is a convenient way to secure your passwords with hardware for Linux or Mac users. For Windows users the WSL2 service will allow you to run trezor_agent and pass from Windows. An example would look something like this:
wsl -d Ubuntu GNUPGHOME=~/.gnupg/trezor pass show brianddk@reddit
This assumes you have Trezor attached through usbipd to your Ubuntu installation, and that you've already installed and initialized trezor_agent in Ubuntu.
- Pass homepage
- Pass wrappers / GUIs / skins
- Windows WSL2 Service which can access USB through usbipd
- trezor_agent integration for GPG on Trezor
Trezor native CipherKeyValue API
The Trezor firmware has an API called CipherKeyValue that can take a plaintext label and produce a ciphertext (secret). This is different than a simple hash function because the ciphertext requires your Trezor private keys to generate. This allows you to feed it a string like “Site UserID” and get “P@55w0rd” out. To access this API from the commandline you will need the trezorctl utility installed. Once configured you can create a Reddit password with a command like this:
trezorctl crypto encrypt-keyvalue -n m/10016h/0 "reddit.com brianddk" "0123456789abcdef"
79fbb9d92413506b8b3825a161c9a183
So now, I can use 79fb...a183 as my password, and I no longer need to remember it. Whenever I feed my Trezor the same arguments to encrypt-keyvalue I will always get the same ciphertext back. This method is actually what the original Trezor Password Manager uses, as well as the Keepass2Trezor plugin. After toying with this a while I wanted a bit more flexibility so I made a mk_secret.py script to do most of the work for me. Now my command is simplified to:
mk_secret.py -k "reddit.com brianddk" | clip
Now my password is on the clipboard and I can paste it into the login password box. You can also build on this with command redirection and use it as a launcher for KeepassXC. Obviously, I didn't find Keepass2Trezor until after I was dabbling with this for a while.
- TrezorCTL install Howto
- My mk_secret reddit thread
Keepass2 with GPG integration: WORK IN PROGRESS
Similar to other GPG Password Managers, Keepass2 with the GpgKee plugin will use GPG as a key source for the decryption of keyfiles. This is a VERY old extension and doesn't look to be maintained anymore, but if someone wants to bring it up to standards, it's open source and looks pretty simple. Since Keepass2 assumes it will use the WinGPG install, getting it to use trezor_agent under WSL may be tricky. I think other hardware backed GPG solutions with Windows support, like Yubikey, will still be a good option for hardware backed passwords.
- GpgKee Homepage / Source
- Keepass2 Plugin Howto
KeepassXC with FIDO2 integration: WORK IN PROGRESS
With FIDO2 support in Trezor-T and likely in Trezor-R, the ability to use a better hardware based challenge / response is available in the FIDO 2.1 HMAC extension known as hmac-secret. It is natively supported by Trezor-T and some Yubikeys, as well as dozens of other devices listed at the FIDO Alliance. There is no bounty or commitment to this feature request, but the maintainers of KeepassXC are usually pretty quick to close features they won't work on.
- KeepassXC Feature Request
Other Security / Password Tools
This covers all the direct password manager replacements I could think of, but there are some other tools related to data security that may still be of use.
Trezor Password Manager Reader
If anyone is concerned about accessing your passwords already in TPM, I don't think we have to worry too much. I suspect that TPM will still function after EOL for many years. But even if it doesn't, there is an offline TPM reader available in the trezorctl support files. The password reader requires the user to download the TREZOR folder from Dropbox and point the utility at it. Obviously it requires trezorctl to be installed.
- TrezorCTL install Howto
- Trezor's pwd_reader utility
Trezor OTP utility
Many sites offer some form of multi-form-identification (2FA/MFA). From most secure to least secure, these 2FA options would include FIDO2.1, U2F, OTP, and SMS. Though I would argue SMS is less secure than no 2FA. In either case, having hardware backed 2FA is extremely important where available. So even if your site doesn't support “Security Key” based 2FA, you can still use Trezor to secure your OTP secret codes. Use the Trezor OTP utility to generate Authenticator (OTP) codes securely. As before, this requires trezorctl to work.
- TrezorCTL install Howto
- Trezor's trezor-otp utility
Trezor EncFS utility
The old EncFS Linux utility used to be pretty popular, particularly for any data that needed to be secured on FAT filesystems. But a rash of security issues around 2014 had the utility fall out of favor. Most have been addressed in subsequent releases, but as of a few years ago, all activity on the repository seems to have dried up. That being said, it still works fine in Windows, Linux and Mac, and there is a utility to secure EncFS encryption with Trezor.
- TrezorCTL install Howto
- EncFS Homepage
- Trezor's encfs_aes_getpass utility
A Note on Security
Unlike ECDSA signing, all password managers will store the database, decrypted, in memory. We hope they only decrypt pieces at a time, but if your system is seething with viruses, having hardware backed password managers won't help you. All the hardware devices mentioned here do is serve as a KEY to open a lock. They are NOT the lock itself. If you really want to take password security to the n-th level, you should be running your password manager off of a Tails instance. In that case one of the many solutions built on pass backed with trezor_agent would be the ideal solution.
- Tails Homepage
- my old Trezor on Tails Wiki
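The CipherKeyValue flow from the post (a key label, a 16-byte-aligned value, the hardened m/10016h/0 path, and a confirmation prompt on the device) as an added Python example; this is not brianddk's mk_secret.py and not Trezor's own code. It assumes the python-trezor library (trezorlib) and an attached Trezor only for derive_secret(); parse_path and pad_value are pure helpers that run offline.

```python
"""Derive a deterministic password from Trezor's CipherKeyValue API.

Added example. Requires trezorlib and an attached device only in
derive_secret(); the other helpers are pure and run offline.
"""
HARDENED = 0x80000000
BLOCK = 16  # CipherKeyValue is AES-CBC, so the value must be a 16-byte multiple


def parse_path(path):
    """Turn "m/10016h/0" (or "m/10016'/0") into a list of BIP32 indices."""
    parts = path.strip().split("/")
    if parts and parts[0] == "m":
        parts = parts[1:]
    out = []
    for p in parts:
        hardened = p.endswith(("'", "h", "H"))
        idx = int(p.rstrip("'hH"))
        if not 0 <= idx < HARDENED:
            raise ValueError(f"index out of range: {p}")
        out.append((idx | HARDENED) if hardened else idx)
    return out


def pad_value(value):
    """Right-pad the value with zero bytes to a multiple of 16 bytes."""
    b = value.encode() if isinstance(value, str) else bytes(value)
    return b + b"\x00" * ((-len(b)) % BLOCK)


def derive_secret(key, value="0123456789abcdef", path="m/10016h/0"):
    """Ask the attached Trezor to cipher `value` under the label `key` at
    `path` and return the ciphertext as hex (the password).

    ask_on_encrypt=True makes the device show a confirmation, so software
    on the host cannot silently derive passwords. Both ask_* flags are part
    of the key derivation: keep them fixed, or the same key/value will yield
    a different ciphertext next time.
    """
    from trezorlib import misc
    from trezorlib.client import get_default_client

    client = get_default_client()
    ct = misc.encrypt_keyvalue(client, parse_path(path), key, pad_value(value),
                               ask_on_encrypt=True, ask_on_decrypt=True)
    return ct.hex()


if __name__ == "__main__":
    import sys
    print(derive_secret(sys.argv[1]))  # e.g. "reddit.com brianddk"
```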
Brilliant. Thanks for writing this up.
I'm quite a fan of pass, though yet to try with trezor agent. I had no idea the keepass plugin existed, this rules, fantastic post – I’ve got another mini project to tackle now
Hi
I am making a PWA app that will be a replacement for the trezor password manager. This is a side project for me and it will be open source when its complete.
I am not planning on rushing to meet the June 2023 deadline so people will need to re-enter their passwords into this new manager – if they want to use.
The extension will still keep running after June 2023 ( if you have it installed ).