Repository files navigation

QtPass is a GUI forpass,the standard unix password manager.

• Usingpass orgit andgpg2 directly
• Configurable shoulder surfing protection options
• Cross platform: Linux, BSD, macOS and Windows
• Per-folder user selection for multi recipient encryption
• Multiple profiles
• Easy onboarding

Logo based onHeart-padlock by AnonMoos.

OpenSUSE & Fedorayum install qtpassdnf install qtpass

Debian, Ubuntu and derivates like Mint, Kali & Raspbianapt-get install qtpass

Arch Linuxpacman -S qtpass

Gentooemerge -atv qtpass

Sabayonequo install qtpass

FreeBSDpkg install qtpass

macOSbrew install --cask qtpass

Windowschoco install qtpass

• QtPass requires Qt 5.10 or later (Qt 6 works too)
• The Linguist package is required to compile the translations.
• For use of the fallback icons the SVG library is required.

At runtime the only real dependency isgpg2 but to make the most of it, you'll needgit andpass too.

Your GPG has to be set-up with a graphical pinentry when applicable, same goes for git authentication.On Mac macOS this currently seems to only work best withpinentry-mac from homebrew, although gpgtools works too.

On most unix systems all you need is:

qmake&& make&& make install

Profiles allow to group passwords. Each profile might use a different git repository and/or different gpg key.Each profile also can be associated with a pass store singing key to verify the detached .gpg-id signature.A typical use case is to separate personal and work passwords.

Hint
Instead of using different git repositories for the various profiles passwords could be synchronized with differentbranches from the same repository. Just clone the repository into the profile folders and checkout the relatedbranch.

The following commands set up two profile folders:

cd~/.password-store/git clone https://github.com/vendor/personal-passwords personal&&echo"personal/">> .gitignoregit clone https://github.com/company/group-passwords work&&echo"work/">> .gitignorepass init -p personal [personal GnuPG-ID]&& git -C personal pushpass init -p work [work GnuPG-ID]&& git -C work push

Note:

• Replace[personal GnuPG-ID] and[work GnuPG-ID] with the ID from the related GnuPG key.
• The partsecho ... >> .gitignore are just needed in case there is a git repository present in the base directory.

Once the repositories and GnuPG-ID's have been defined the profiles can be set up in QtPass.

• Git Tools - Credential Storage
• Dealing with secrets
• Git Credential Manager
• password-store

This is done withmake check

Codecoverage can be done withmake lcov,make gcov,make coveralls and/ormake codecov.

Be sure to first run:make distclean && qmake CONFIG+=coverage qtpass.pro

Using this program will not magically keep your passwords secure againstcompromised computers even if you use it in combination with a smartcard.

It does protect future and changed passwords though against anyone with access toyour password store only but not your keys.Used with a smartcard it also protects against anyone just monitoring/copyingall files/keystrokes on that machine and such an attacker would only gain accessto the passwords you actually use.Once you plug in your smartcard and enter your PIN (or due to CVE-2015-3298even without your PIN) all your passwords available to the machine can bedecrypted by it, if there is malicious software targeted specifically againstit installed (or at least one that knows how to use a smartcard).

To get better protection out of use with a smartcard even against a targetedattack I can think of at least two options:

• The smartcard must require explicit confirmation for each decryption operation.Or if it just provides a counter for decrypted data you could at least noticean attack afterwards, though at quite some effort on your part.
• Use a different smartcard for each (group of) key.
• If using a YubiKey or U2F module or similar that requires a "button" press forother authentication methods you can use one OTP/U2F enabled WebDAV account perpassword (or groups of passwords) as a quite inconvenient workaround.Unfortunately I do not know of any WebDAV service with OTP support except ownCloud(so you would have to run your own server).

• Filtering (searching) breaks the tree/model sometimes
• Starting without a correctly set password-store foldergives weird results in the tree view

• Plugins based on field name, plugins follow same format as password files
• Colour coding folders (possibly disabling folders you can't decrypt)
• Optional table view of decrypted folder contents
• Opening of (basic auth) URLs in default browser?Possibly with helper plugin for filling out forms?
• WebDAV (configuration) support
• Some other form of remote storage that allows foraccountability / auditing (web API to retrieve the .gpg files?)

FAQ andCONTRIBUTING documentation.CHANGELOG

SiteSource codeIssue queueChat

View official GNU site

View the Open Source Initiative site