My list of possible replacements for Trezor’s Password Manager (EOL)

With Trezor-R in development, I don't expect any work on Password Manager in the near future. In the meantime I've been looking at hardware based alternatives to securing passwords.

DISCLAIMER: I haven't audited all of these, so don't take any of my remarks as recommendations


Keepass2 with Keepass2Trezor

This is a plugin to the popular KeePass password manager. This plugin registers your Trezor as a challenge / response device for use in opening and unlocking your Keepass database. The challenge / response uses Trezor's builtin CipherKeyValue API.

Keepass is an awesome password manager, with pretty much any feature you could ask for. One thing to watch out for is the dependency on Trezor. If you move the database to your iPhone, which Keepass supports, you won't be able to unlock it, since iOS has no way to talk to a Trezor. But if you speak a bit of Python, you can recreate the secret using the trezorctl CLI.

  • Keepass2 Homepage
  • Keepass2 Plugin Directory where Keepass2Trezor Plugin lives.

KeepassXC with Yubikey hmac-sha1

Though this requires a NEW piece of hardware, it still provides hardware backed security for your passwords. Not all Yubikeys work, only the ones that support Yubikey's HMAC-SHA1 API. I believe the cheapest one on that list, as of this post, is the $50 Yubikey 5 NFC. Technically you can use your Yubikey with either KeepassXC or Keepass2 (with plugin), but the way they encode the challenge is different, so you can't use the same slot for both. I haven't tried running both off one key but it seems like it would be possible, IDK.

  • Keepass2 Homepage
  • Keepass2 Plugin Directory where KeeChallenge Plugin lives.
  • KeepassXC Homepage with YK-hmac-sha1 support builtin.
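To make the HMAC-SHA1 challenge/response concrete, here is an added Python example that is not from this post or from the KeePass/KeePassXC projects: a simulated slot stands in for the Yubikey, and the composite-key layout is a simplified assumption, not KeePassXC's exact byte format. It shows that the key only ever returns HMAC-SHA1(secret, challenge), that a different challenge encoding gives a different database key from the same slot, and that a backup key programmed with the same slot secret answers identically.

```python
import hmac
import hashlib
import secrets


class SimulatedHmacSha1Slot:
    """Stand-in for a YubiKey HMAC-SHA1 challenge-response slot (simulation, not hardware).

    The 20-byte slot secret is written once and never read back; the host only
    ever sees HMAC-SHA1(secret, challenge), the same shape as the YubiKey API.
    """

    def __init__(self, slot_secret: bytes) -> None:
        if len(slot_secret) != 20:
            raise ValueError("YubiKey HMAC-SHA1 slots take a 20-byte secret")
        self._secret = slot_secret

    def challenge_response(self, challenge: bytes) -> bytes:
        # YubiKeys accept challenges of 1..64 bytes in this mode.
        if not 1 <= len(challenge) <= 64:
            raise ValueError("challenge must be 1 to 64 bytes")
        return hmac.new(self._secret, challenge, hashlib.sha1).digest()


def derive_database_key(password: str, slot: SimulatedHmacSha1Slot, db_challenge: bytes) -> bytes:
    """Simplified composite key: SHA-256 over the hashed password plus the slot's response.

    Assumption for this demo: the password component and the hardware component are
    concatenated and hashed; real KDBX layouts differ in detail between implementations.
    """
    pw_component = hashlib.sha256(password.encode("utf-8")).digest()
    hw_component = slot.challenge_response(db_challenge)
    return hashlib.sha256(pw_component + hw_component).digest()


def key_matches_backup(primary: SimulatedHmacSha1Slot, backup: SimulatedHmacSha1Slot, db_challenge: bytes) -> bool:
    """A backup key programmed with the same slot secret must answer the same challenge identically."""
    return hmac.compare_digest(primary.challenge_response(db_challenge), backup.challenge_response(db_challenge))


if __name__ == "__main__":
    # Constructed values: a slot secret (what you would program into the key) and a
    # per-database challenge (a random value the database file would keep in its header).
    slot_secret = bytes.fromhex("a1" * 20)
    db_challenge = secrets.token_bytes(32)
    primary = SimulatedHmacSha1Slot(slot_secret)
    print(derive_database_key("correct horse", primary, db_challenge).hex())
```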

GPG Password Manager with Trezor

The default Linux password manager, pass, is built entirely on GPG. If you install trezor_agent you can secure your GPG keys with your Trezor. This lets you store passwords in pass, which will use Trezor to unlock the entries. There are actually a dozen or so password managers that use pass (and GPG) as the backend. This is a convenient way to secure your passwords with hardware for Linux or Mac users. For Windows users, the WSL2 service will allow you to run trezor_agent and pass from Windows. An example would look something like this:

wsl -d Ubuntu GNUPGHOME=~/.gnupg/trezor pass show brianddk@reddit

This assumes you have Trezor attached through usbipd to your Ubuntu installation, and that you've already installed and initialized trezor_agent in Ubuntu.

  • Pass homepage
  • Pass wrappers / GUIs / skins
  • Windows WSL2 Service which can access USB through usbipd
  • trezor_agent integration for GPG on Trezor

Trezor native CipherKeyValue API

The Trezor firmware has an API called CipherKeyValue that takes a plaintext label and produces a ciphertext (secret). This is different from a simple hash function because the ciphertext requires your Trezor private keys to generate. This allows you to feed it a string like “Site UserID” and get “P@55w0rd” out. To access this API from the command line you will need the trezorctl utility installed. Once configured you can create a Reddit password with a command like this:

trezorctl crypto encrypt-keyvalue -n m/10016h/0 "reddit.com  brianddk" "0123456789abcdef"
79fbb9d92413506b8b3825a161c9a183

So now I can use 79fb...a183 as my password, and I no longer need to remember it. Whenever I feed my Trezor the same arguments to encrypt-keyvalue I will always get the same ciphertext back. This method is actually what the original Trezor Password Manager uses, as well as the Keepass2Trezor plugin. After toying with this a while I wanted a bit more flexibility, so I made a mk_secret.py script to do most of the work for me. Now my command is simplified to:

mk_secret.py -k "reddit.com  brianddk" | clip

Now my password is on the clipboard and I can paste it into the login password box. You can also build on this with command redirection and use it as a launcher for KeepassXC. Obviously, I didn't find Keepass2Trezor until after I was dabbling with this for a while.

  • TrezorCTL install Howto
  • My mk_secret reddit thread

Keepass2 with GPG integration: WORK IN PROGRESS

Similar to other GPG password managers, Keepass2 with the GpgKee plugin will use GPG as a key source for decrypting keyfiles. This is a VERY old extension and doesn't look to be maintained anymore, but if someone wants to bring it up to standards, it's open source and looks pretty simple. Since Keepass2 assumes it will use the WinGPG install, getting it to use trezor_agent under WSL may be tricky. I think other hardware backed GPG solutions with Windows support, like Yubikey, will still be a good option for hardware backed passwords.

  • GpgKee Homepage / Source
  • Keepass2 Plugin Howto

KeepassXC with FIDO2 integration: WORK IN PROGRESS

With FIDO2 support in Trezor-T and likely in Trezor-R, a better hardware based challenge / response is available in the FIDO 2.1 HMAC extension known as hmac-secret. It is natively supported by Trezor-T and some Yubikeys, as well as dozens of other devices listed at the FIDO Alliance. There is no bounty or commitment to this feature request, but the maintainers of KeepassXC are usually pretty quick to close features they won't work on.

  • KeepassXC Feature Request

Other Security / Password Tools

This covers all the direct password manager replacements I could think of, but there are some other tools related to data security that may still be of use.

Trezor Password Manager Reader

If anyone is concerned about accessing passwords already stored in TPM (Trezor Password Manager), I don't think we have to worry too much. I suspect that TPM will still function after EOL for many years. But even if it doesn't, there is an offline TPM reader available in the trezorctl support files. The password reader requires the user to download the TREZOR folder from Dropbox and point the utility at it. Obviously it requires trezorctl to be installed.

  • TrezorCTL install Howto
  • Trezor's pwd_reader utility

Trezor OTP utility

Many sites offer some form of multi-factor authentication (2FA/MFA). From most secure to least secure, these 2FA options would include FIDO2.1, U2F, OTP, and SMS. Though I would argue SMS is less secure than no 2FA at all. In either case, having hardware backed 2FA is extremely important where available. So even if your site doesn't support “Security Key” based 2FA, you can still use Trezor to secure your OTP secret codes. Use the Trezor OTP utility to generate Authenticator (OTP) codes securely. As before, this requires trezorctl to work.

  • TrezorCTL install Howto
  • Trezor's trezor-otp utility

Trezor EncFS utility

The old EncFS Linux utility used to be pretty popular, particularly for any data that needed to be secured on FAT filesystems. But a rash of security issues around 2014 had the utility fall out of favor. Most have been addressed in subsequent releases, but as of a few years ago, all activity on the repository seems to have dried up. That being said, it still works fine in Windows, Linux and Mac, and there is a utility to secure EncFS encryption with Trezor.

  • TrezorCTL install Howto
  • EncFS Homepage
  • Trezor's encfs_aes_getpass utility

A Note on Security

Unlike ECDSA signing, all password managers store the database decrypted in memory. We hope they only decrypt pieces at a time, but if your system is seething with viruses, having a hardware backed password manager won't help you. All the hardware devices mentioned here do is serve as a KEY to open a lock. They are NOT the lock itself. If you really want to take password security to the n-th level, you should be running your password manager off of a Tails instance. In that case one of the many solutions built on pass backed with trezor_agent would be the ideal solution.

  • Tails Homepage
  • my old Trezor on Tails Wiki

3 thoughts on “My list of possible replacements for Trezor’s Password Manager (EOL)”

  1. Brilliant. Thanks for writing this up.

    I'm quite a fan of pass, though yet to try with trezor agent.

  2. I had no idea the keepass plugin existed, this rules, fantastic post – I’ve got another mini project to tackle now

  3. Hi

    I am making a PWA app that will be a replacement for the trezor password manager. This is a side project for me and it will be open source when it's complete.

    I am not planning on rushing to meet the June 2023 deadline so people will need to re-enter their passwords into this new manager – if they want to use.

    The extension will still keep running after June 2023 ( if you have it installed ).
