It’s hard to think of a more fundamental part of one’s digital identity than a password manager. In a sense, if you want to be sovereign over your digital presence, the password manager is what lets you hold the keys to your kingdom. It’s pretty much the one security measure everyone can agree on; managing all your passwords by yourself is bound to create problems of its own: either you end up reusing the same password, or you end up writing them down somewhere. Neither is okay, and that is why password managers were born.

Now, using a password manager is not without its risks. It centralizes pretty much all of your keys in one place, which is a problem in itself: the vault becomes a single, very high-value target. And if the files that hold the passwords are ever lost, you are in a pickle. There are, then, some considerations to take into account when choosing which password manager you’re going to trust - because, yes, there needs to be trust here.

Here, more than in other situations, the importance of the implementation being open source cannot be overstated. Not only does this lend credibility to the security of the implementation, it also lets you verify that the software you’re running isn’t “phoning home” with your vault. Even with encrypted files that is a problem, if not now then later: a copy of the vault that someone already holds becomes readable the day the encryption it relies on is broken or the passphrase protecting it is compromised.

Having a password manager turns out to be a situation where self-hosting is, in my opinion, absolutely essential. I could never understand how and why you’d willingly trust your password files, even if encrypted, to third parties, just to get some niceties that can be achieved with just a tiny bit of work after a one-time setup.

So, how do I do it? The solution ends up being a very simple piece of software called pass (also known as password-store). I first came across it because the creator of pass is also the creator of WireGuard, which should be reason enough if you know what WireGuard is. Of course, the license is FOSS and the code is free to inspect on Jason’s own git forge. The other big plus, in my book, is that it leverages existing technologies to make this work: namely, GnuPG and git. This makes the problems mentioned earlier easier to manage.

With git, you not only get your password files under version control (a very underrated feature; I’ve had situations where being able to revert to a known good state saved me a lot of trouble), but backing up and syncing across devices also becomes much simpler. But I can hear you: I don’t want to hand my passwords to GitHub, nor do I want to self-host my own git forge. My dear friend, you don’t need to: a git repository is literally just a bunch of files. If you have access to a remote file system, you can just put the repo wherever you damn please: a bare repository on any box you can reach over ssh, on a mounted share, or on a USB stick is a perfectly good remote. One caveat worth knowing: pass encrypts the contents of each entry, not its name, so whoever can read the remote learns the directory layout (which sites you have accounts on), though never the passwords themselves.

The other part is GnuPG. Being a free implementation of OpenPGP, it guarantees that your files are encrypted with a well-known standard, maintained by an active security team with a track record of quickly patching known vulnerabilities. Besides, using GnuPG has three main advantages that, while orthogonal to the issue at hand, create extremely good synergies: gpg-agent can double as your ssh agent, which is an extremely useful thing; hardware security keys become seamless to integrate (I use both a Nitrokey and a Yubikey with this setup, and they work out of the box); and finally, you can also start encrypting your own e-mail! With the private key living on the token, decrypting an entry needs the token plugged in and its PIN entered, so a stolen laptop or a copied store is not enough on its own.
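The gpg-agent-as-ssh-agent and hardware-token setup just mentioned, as an added example that is not from the post or from GnuPG or pass. The commands are real GnuPG, gpgconf and OpenSSH commands; the cache TTL values are a choice made for the example, not something the post prescribes.

```sh
#!/bin/sh
# Added example (not from the post, not from GnuPG or pass): making gpg-agent
# serve as the ssh agent and checking that a hardware token is seen. The
# commands are real GnuPG, OpenSSH and gpgconf commands; the cache TTL values
# are a choice for the example, not a recommendation from the post.
set -eu

GNUPG_DIR="${GNUPGHOME:-${HOME:-.}/.gnupg}"

# Write (or extend) gpg-agent.conf without duplicating lines on re-runs.
# enable-ssh-support makes gpg-agent speak the ssh-agent protocol for every
# key with the A (authenticate) capability: on-disk keys listed by keygrip in
# ~/.gnupg/sshcontrol, and card keys, which are served automatically.
# The TTLs are the seconds before a cached passphrase/PIN expires.
write_agent_conf() {                  # $1 = gnupg directory; prints the file
    mkdir -p "$1"
    chmod 700 "$1"
    conf="$1/gpg-agent.conf"
    touch "$conf"
    for opt in enable-ssh-support 'default-cache-ttl 600' 'max-cache-ttl 7200'; do
        grep -qx "$opt" "$conf" || printf '%s\n' "$opt" >> "$conf"
    done
    cat "$conf"
}

# Lines for ~/.profile (or the shell rc): hand ssh the agent's socket, drop the
# variable a stock ssh-agent would have set, and tell gpg-agent which tty to
# show pinentry on.
shell_rc_snippet() {
    cat <<'EOF'
unset SSH_AGENT_PID
export SSH_AUTH_SOCK="$(gpgconf --list-dirs agent-ssh-socket)"
gpg-connect-agent updatestartuptty /bye >/dev/null
EOF
}

# End-to-end check on a machine with GnuPG installed and a token plugged in.
check_token() {
    gpgconf --kill gpg-agent           # restart so the new conf is read
    eval "$(shell_rc_snippet)"
    gpg --card-status                  # the Nitrokey/Yubikey and its key slots
    ssh-add -L                         # the token's auth key as an ssh public key
}

case "${1:-}" in
    --apply) write_agent_conf "$GNUPG_DIR" >/dev/null; check_token ;;
    --rc)    shell_rc_snippet ;;
esac
```

`sh agent.sh --apply` writes the config and runs the check; `sh agent.sh --rc` prints the lines to paste into your shell rc. The public key that `ssh-add -L` prints is what goes into `authorized_keys` on your servers. Once this is in place, `pass init <key-id>` with the id of the key whose encryption subkey lives on the token makes every `pass show` prompt for the token’s PIN through the same agent, and `pass init` accepts several key ids if a backup key or a second token should be able to decrypt the store as well.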

So, in the end, this lets me use all my passwords across devices: my desktop, my laptop, and my phone. All of this without having to sacrifice any privacy, and using only FOSS technologies. Honestly, I couldn’t really ask for anything better!