1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
|
# QtPass
[](https://repology.org/metapackage/qtpass)
[](https://ci.appveyor.com/project/annejan/qtpass/branch/master)
[](https://scan.coverity.com/projects/ijhack-qtpass)
[](https://coveralls.io/github/IJHack/QtPass)
[](https://codecov.io/gh/IJhack/QtPass)
[](https://www.codefactor.io/repository/github/ijhack/qtpass)
[](https://repology.org/metapackage/qtpass)
[](https://app.fossa.io/projects/git%2Bgithub.com%2FIJHack%2FQtPass?ref=badge_shield)
[](https://hosted.weblate.org/engage/qtpass/?utm_source=widget)
[](https://github.com/IJHack/QtPass/actions)
QtPass is a GUI for [pass](https://www.passwordstore.org/),
the standard unix password manager.
## Features
* Using `pass` or `git` and `gpg2` directly
* Configurable shoulder surfing protection options
* Cross platform: Linux, BSD, macOS and Windows
* Per-folder user selection for multi recipient encryption
* Multiple profiles
* Easy onboarding
Logo based on [Heart-padlock by AnonMoos](https://commons.wikimedia.org/wiki/File:Heart-padlock.svg).
## Installation
### From package
OpenSUSE & Fedora
`yum install qtpass`
`dnf install qtpass`
Debian, Ubuntu and derivates like Mint, Kali & Raspbian
`apt-get install qtpass`
Arch Linux
`pacman -S qtpass`
Gentoo
`emerge -atv qtpass`
Sabayon
`equo install qtpass`
FreeBSD
`pkg install qtpass`
macOS
`brew install --cask qtpass`
Windows
`choco install qtpass`
[](https://repology.org/metapackage/qtpass)
[](https://hosted.weblate.org/engage/qtpass/?utm_source=widget)
### From Source
#### Dependencies
* QtPass requires Qt 5.10 or later (Qt 6 works too)
* The Linguist package is required to compile the translations.
* For use of the fallback icons the SVG library is required.
At runtime the only real dependency is `gpg2` but to make the most of it, you'll need `git` and `pass` too.
Your GPG has to be set-up with a graphical pinentry when applicable, same goes for git authentication.
On Mac macOS this currently seems to only work best with `pinentry-mac` from homebrew, although gpgtools works too.
On most unix systems all you need is:
```sh
qmake && make && make install
```
## Using profiles
Profiles allow to group passwords. Each profile might use a different git repository and/or different gpg key.
Each profile also can be associated with a pass store singing key to verify the detached .gpg-id signature.
A typical use case is to separate personal and work passwords.
> **Hint**<br>
> Instead of using different git repositories for the various profiles passwords could be synchronized with different
> branches from the same repository. Just clone the repository into the profile folders and checkout the related
> branch.
### Example
The following commands set up two profile folders:
```sh
cd ~/.password-store/
git clone https://github.com/vendor/personal-passwords personal && echo "personal/" >> .gitignore
git clone https://github.com/company/group-passwords work && echo "work/" >> .gitignore
pass init -p personal [personal GnuPG-ID] && git -C personal push
pass init -p work [work GnuPG-ID] && git -C work push
```
**Note:**
* Replace `[personal GnuPG-ID]` and `[work GnuPG-ID]` with the ID from the related GnuPG key.
* The parts `echo ... >> .gitignore` are just needed in case there is a git repository present in the base directory.
Once the repositories and GnuPG-ID's have been defined the profiles can be set up in QtPass.
### Links of interest
* [Git Tools - Credential Storage](https://git-scm.com/book/en/v2/Git-Tools-Credential-Storage)
* [Dealing with secrets](https://gist.github.com/maelvls/79d49740ce9208c26d6a1b10b0d95b5e)
* [Git Credential Manager](https://github.com/GitCredentialManager/git-credential-manager)
* [password-store](https://git.zx2c4.com/password-store/about/)
## Testing
This is done with `make check`
Codecoverage can be done with `make lcov`, `make gcov`, `make coveralls` and/or `make codecov`.
Be sure to first run: `make distclean && qmake CONFIG+=coverage qtpass.pro`
## Security considerations
Using this program will not magically keep your passwords secure against
compromised computers even if you use it in combination with a smartcard.
It does protect future and changed passwords though against anyone with access to
your password store only but not your keys.
Used with a smartcard it also protects against anyone just monitoring/copying
all files/keystrokes on that machine and such an attacker would only gain access
to the passwords you actually use.
Once you plug in your smartcard and enter your PIN (or due to CVE-2015-3298
even without your PIN) all your passwords available to the machine can be
decrypted by it, if there is malicious software targeted specifically against
it installed (or at least one that knows how to use a smartcard).
To get better protection out of use with a smartcard even against a targeted
attack I can think of at least two options:
* The smartcard must require explicit confirmation for each decryption operation.
Or if it just provides a counter for decrypted data you could at least notice
an attack afterwards, though at quite some effort on your part.
* Use a different smartcard for each (group of) key.
* If using a YubiKey or U2F module or similar that requires a "button" press for
other authentication methods you can use one OTP/U2F enabled WebDAV account per
password (or groups of passwords) as a quite inconvenient workaround.
Unfortunately I do not know of any WebDAV service with OTP support except ownCloud
(so you would have to run your own server).
## Known issues
* Filtering (searching) breaks the tree/model sometimes
* Starting without a correctly set password-store folder
gives weird results in the tree view
## Planned features
* Plugins based on field name, plugins follow same format as password files
* Colour coding folders (possibly disabling folders you can't decrypt)
* Optional table view of decrypted folder contents
* Opening of (basic auth) URLs in default browser?
Possibly with helper plugin for filling out forms?
* WebDAV (configuration) support
* Some other form of remote storage that allows for
accountability / auditing (web API to retrieve the .gpg files?)
## Further reading
[FAQ](FAQ.md) and [CONTRIBUTING](CONTRIBUTING.md) documentation.
[CHANGELOG](CHANGELOG.md)
[Site](https://qtpass.org/)
[Source code](https://github.com/IJHack/qtpass)
[Issue queue](https://github.com/IJHack/qtpass/issues)
[Chat](https://gitter.im/IJHack/qtpass)
## License
### GNU GPL v3.0
[](http://www.gnu.org/licenses/gpl.html)
[View official GNU site](http://www.gnu.org/licenses/gpl.html)
[<img src="https://opensource.org/wp-content/uploads/2022/10/osi-badge-dark.svg" alt="OSI-approved license" width="127">](https://opensource.org/licenses/GPL-3.0)
[View the Open Source Initiative site](https://opensource.org/licenses/GPL-3.0)
|
