Secure Setup

Overview

There are many ways to install and configure Passwords, and the methods you choose will largely depend on your environment and specific needs. This page outlines several high‑level security considerations to keep in mind when deploying Passwords in a multi-user environment. The guidance is primarily Linux‑focused, and some concepts may not apply to Windows systems.

File permissions

To strengthen local security, consider restricting access to the password database file and the application binary so that only authorized users can interact with them.

  • For the database file, create a dedicated group and grant read/write access only to its members.
  • For the application binary, limit execute permissions to the same restricted group.

These two measures alone significantly reduce the risk of unauthorized access to your local data. Remember, access in this context does not equate to a data breach. It simply means the ability to reach the encrypted database file. The data itself remains protected and must still be decrypted before it can be used.

# Create a dedicated group
sudo groupadd passwordusers

# Add a user to the group
sudo usermod -aG passwordusers <username>

# Restrict database file access
sudo chown :passwordusers <config file>
# Only group members can read; owner can read/write
sudo chmod 0640 <config file>

# Restrict application binary execution
sudo chown :passwordusers <application>
# Group members get read/write/execute (070); the owner and everyone else have no rights
sudo chmod 070 <application>

To locate the configuration file, binary, and other related paths, open Help → System Information and scroll to the Standard Paths section.
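A small audit script to confirm that the database file and binary actually carry the group and modes set up above, added here as an example (it is not part of the Passwords project). It assumes GNU stat from coreutils, and the paths and group name at the bottom are the page's placeholders, to be replaced with the values from Standard Paths.

```shell
#!/bin/sh
# Added example, not from the Passwords project: audit group ownership and
# permission bits of a file against the values chosen above.
# Assumes GNU stat (coreutils); paths and group name are placeholders.

# check_perms <path> <expected-group> <expected-octal-mode>
# Prints one finding per line; returns 0 only when group and mode both match
# and no permission bits are granted to "other".
check_perms() {
    path=$1; want_group=$2; want_mode=$3
    if [ ! -e "$path" ]; then
        echo "MISSING  $path"
        return 1
    fi
    have_group=$(stat -c '%G' "$path")
    have_mode=$(stat -c '%a' "$path")
    rc=0
    if [ "$have_group" != "$want_group" ]; then
        echo "GROUP    $path: is $have_group, expected $want_group"
        rc=1
    fi
    if [ "$have_mode" != "$want_mode" ]; then
        echo "MODE     $path: is $have_mode, expected $want_mode"
        rc=1
    fi
    # A non-zero "other" digit means every local user can reach the file;
    # flag it explicitly even when the full mode was already reported.
    case $have_mode in
        *[1-7]) echo "WORLD    $path: other users have access (mode $have_mode)"; rc=1 ;;
    esac
    [ "$rc" -eq 0 ] && echo "OK       $path ($have_group, $have_mode)"
    return "$rc"
}

# Usage with the placeholders from this page (stat prints 0640 as 640, 070 as 70):
# check_perms "<config file>" passwordusers 640
# check_perms "<application>" passwordusers 70
```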

GPG Key Passphrase

GPG keys are effectively the keys to the kingdom. They act as your master password and are the critical barrier between security and a potential data breach. When creating GPG keys, ensure the passphrase is as strong as possible. A recommended minimum complexity is 16 characters, including upper‑ and lower‑case letters, numbers, and at least one special character.

If you ever need to change your GPG key passphrase, this can be done with:

gpg --edit-key <KEY>
gpg> passwd
gpg> save

Operating System Hardening

  • Enable Multi‑Factor Authentication (MFA): Consider using PAM modules such as pam_google_authenticator, pam_oath, pam_yubico, or pam_radius to add an extra layer of security to system logins.
  • Encrypt Storage: Use LUKS to create encrypted volumes, ensuring sensitive data remains protected even if the physical device is compromised.
  • Restrict Access: Always password‑protect access to critical files, directories, and services. Apply the principle of least privilege so only authorized users can interact with sensitive resources.
  • Consider the use of outbound firewalls for very secure environments.
  • Patch your system regularly.