How I securely sync my passwords (and why you should, too)

With a uber-geeky bonus: How I synced my Enpass passwords over my Synology NAS using WebDAV

You need a password manager that syncs

Let’s begin with what I hope will be a useful review.

You should be using a password manager. What’s that, and why? A password manager simply holds all your passwords and makes them easily available to you. You need one because (a) you need to have strong passwords, or else your web accounts (which can contain really sensitive info) can be easily cracked; (b) passwords, to be strong, must be different on every site and very complex (and so hard to memorize); (c) you can’t possibly memorize that many strong passwords; (d) copying and pasting passwords from some plain-text repository, let alone typing them in, is a pain nobody needs.

Password managers solve all these problems for you. They (a) check that your passwords are strong; (b) make it super-easy to generate strong new ones; (c) make them all available if you simply memorize one strong password; (d) auto-fill your passwords in forms on all your devices.

But in our multi-device lives, there’s yet another problem: you need to sync your passwords across your desktop, laptop, and mobile devices. It’s a royal pain, isn’t it? Of course it is. How do you do it? Well, let’s talk about some suboptimal solutions, to help explain why I went to some rather great lengths.

You could shuffle a document back and forth between devices, e.g., by email or a messenging app. But that’s a royal pain.

If you’re more clever, then you’ll have a single document that is accessible using all devices. For example, maybe you keep yours in a Google Doc. That would be a bad idea, because Google employees could easily see your passwords, and if anybody else got a hold of the document, they can just make a copy and you’d be none the wiser. You really need an app, not a document.

This is why password managers apps work on computers as well as handheld devices, on multiple platforms. The one I use, Enpass, is open source software (UPDATE: oops, no it’s not: https://discussion.enpass.io/index.php?/topic/210-open-source/) that works on pretty much every consumer platform. But how do the passwords get synced? Each instance of the app, on your different devices, has its own copy of your password data. Well, the even cleverer solution then is to sync your passwords “in the cloud.” The password manager software company will hold your passwords for you, as a service, on their servers. That’s “the cloud” in action. Then, if you’re on your desktop PC and you update your password manager with a new password, the change is quickly reflected on your phone, where you can use it quite easily. Neat!

Your password manager should use zero-knowledge encryption for syncing, at least

Here’s the thing. The cloud is kinda evil. I know that’s a cranky sort of thing to say, but I’m getting old and therefore I’m permitted to say cranky things.

I am only slightly joking. The evilness of the cloud is actually rather well demonstrated by the situation with password managers.

Suppose your passwords are sent, via an encrypted connection, to the company’s servers. Suppose they’re even encrypted there, making it especially difficult for anyone to hack your password collection. But you still have to trust two things: the honesty of the password management software company, and their own security practices, which ensure that external forces cannot hack into their (encrypted) database.

There’s a very cool bit of tech you can look for in password managers that solves the latter problem very handily: zero-knowledge encryption. Basically, the company stores a completely encrypted copy of your passwords on their servers. They couldn’t read it even if they wanted to, because they don’t have the key to unlock it. Only you can unlock the data file, because only you have the key. Neat, huh?

(It’s called “zero-knowledge,” obviously, because the company doesn’t know anything about the information stored on their servers. They know it belongs to your account, but that’s it. All cloud services should use zero-knowledge encryption, but very few do. Ask yourself why they don’t.)

Now, this is probably adequate security for most people. But it’s not good enough for me. I don’t want the password manager company to touch my passwords. They’re very valuable, right? You still have to trust the company; there’s all sorts of things that could go awry, or they could intentionally update the software in a way that would undo the encryption. (Or maybe just for select users that the government asks to spy on. If I lived in China or Saudi Arabia or were a spy or government whistleblower, I’d worry a lot about this.)

Use FOSS and self-host, if you want to be an uber-geek

One of the great things about FOSS (that’s geek-speak for “free, open source software”) is that nobody has ultimate control over it, because anybody can fork it, i.e., make their own copy and take development in a different direction. That’s because the license specifically permits that, and the development happens all out in the open. If the project is big enough, then there are at least several (sometimes, hundreds of) developers looking at new code being checked in. If somebody checks in something that’s dangerous or privacy-violating, the FOSS developers (a notoriously privacy-jealous bunch) will put a stop to that noise in short order.

So if you want to use zero-knowledge encryption in your password manager, great, but make sure the software is FOSS, because then it becomes even harder for people to play tricks with the software.

You know what would be even better, though? If you never have to transfer your encrypted password file to somebody else’s server in the first place. In other words, host it your own damn self.

But how, you ask? Well, there aren’t very many solutions that are available to the non-geeky. In fact, I’m fairly sure all of the self-hosting solutions push the needle fairly high on the geekometer.

If you want to self-host and you want your password database to be accessible to all your devices, regardless of where you are, what does that mean you have? A server. There are a couple ways to set up your own server.

One is to use your desktop computer (or even an old laptop) and plan on leaving it on all the time. You could install NextCloud on the machine, which transforms it into a server. Like, wow, that’s cool. If you’re a geek. But because geeky things are now cool, that’s just cool, period.

Another is to use a NAS, or some other dedicated server, i.e., a computer that is specifically set up to talk to other computers over your LAN (local-area network; your home or office network) and over a WAN (wide-area network; here, the Internet).

Bonus: How I set up my Enpass passwords to sync over my Synology NAS using WebDAV

I ended up choosing a NAS over installing NextCloud on my desktop. I further chose a Synology NAS. This evening I finally decided to sit down and start hosting my passwords on my NAS. How?

I’m not going to give you all the steps in detail.

(1) You need to get an SSL certificate for your server, i.e., the thing that allows you to use https: and not just http:. Why? Because you’ll be using WebDAV to update information on your NAS, and WebDAV (being an Internet protocol) needs to be made more secure by encryption. While your data should be encrypted by your password manager, another layer of encryption is important. So get this done. By the way, Synology comes with a self-signed certificate, which will make Enpass complain. You’ll have to check a box saying that you want to ignore this complaint. But you shouldn’t do that.

By the way, if you don’t have a permanent URL for your NAS (for this, you’ll have to use DDNS), you’ll have to solve that problem first. You can’t use an IP address.

2. Set up a WebDAV server on your NAS. In other words, a server process on your server device. WebDAV, as Everipedia puts it, “is an extension of…HTTP that allows clients to perform remote Web content authoring operations.” In other words, it allows software to update data files remotely, if the software is given permission and the data files are set up to be updated using the protocol.

On my Synology device, the steps I followed are these (great tutorial here):

  • Install the WebDAV Server package, located in the Package Center.
  • Open the WebDAV Server interface, enable both HTTP and HTTPS, and assign them the ports 5005 and 5006, respectively.
  • Create a ‘webdav’ user (see the above-linked tutorial for important details; make sure you get the permissions stuff right).
  • Create a ‘webdav’ group as well (ditto).
  • Create a ‘webdav’ or ‘upload’ (or whatever) folder. You’ll specifically need to grant read/write permissions to the ‘webdav’ user for that folder.
  • To confirm that your new webdav user can use the folder, drop a picture, say kitten.jpg, into the webdav folder. Then go to https://your.nas.address:5006/webdav/kitten.jpg. Note: use https, not http, use the ‘5006’ port number, and use the name for the directory you created before. If, when you try to pull that address up in a browser and you’re prompted to log in, groovy, you’re halfway there. Then put in your webdav user credentials (not your admin credentials), and you should be able to see the picture. If you can, coooooool. Again, the above-linked tutorial has other things you can try to confirm your connection.
  • Next, open Enpass (or another password manager that supports WebDAV). In Enpass, go under the gear menu > Vaults > Primary (or whatever you want to sync via the NAS). Then you’ll be able to choose from a number of sync options. Choose “WebDAV”. You’ll next have to put in your ‘webdav’ user authentication info, and for the address, you’ll want to use the address given above. I further made an Enpass directory inside that, and tacked that onto the end of the URL, so I got something like this: https://your.nas.address:5006/webdav/Enpass/. This is important to get right. Then press “Connect” try it out. With luck, you’ll be connected.
  • To test that things are syncing, open a copy of the password manager on a different device and repeat the previous step. Make a small change in one copy, press the sync button/icon in the upper left (which has changed to a “server” icon, which I thought was a nice touch), go to the other copy, press the sync button there too (because you’re impatient), and then see if the change is reflected in the second copy. If it is, you’re done.

That’s how I got it to work. And now…all my password info (and a lot of other data) is out of the public cloud, in a private cloud consisting just of my family’s devices. Pretty freaking awesome.


by

Posted

in

,

Comments

Please do dive in (politely). I want your reactions!

7 responses to “How I securely sync my passwords (and why you should, too)”

  1. Sounds very cool but how do you backup & physically protect your NAS from theft & fire hazards?

    1. Theft: My device passwords are all strong. I’m also going to get around to encrypting my drives (well, too late for that—I mean my data files).

      Fire: Backup the NAS to the cloud with FOSS-based zero-knowledge encryption. This is necessary; I don’t know what alternative I might have.

  2. Clairvaux

    Hi Larry,

    Nice series of articles. I have a few questions :

    – Do you need to keep your NAS on 24/24 ?
    – Does your system allow sync away from home ?
    – Suppose you didn’t need sync away from home, would the setup be different ?
    – Enpass says : “Enpass ensures maximum security for your data by using open source and peer reviewed cryptography libraries of SQLCipher engine.” Doesn’t that mean it’s not open source, being only partially so ?

    1. You don’t have to keep your NAS on all the time, but I don’t know why you wouldn’t. That’s kind of the whole point.

      If you are connected to the Internet, and your NAS is too, then sure syncing while away from home is one of the main points again. That’s precisely what allows your server to act like a cloud server.

      Yes, people do use NASes just for LANs. They are much more secure if there is no connection to the Internet. Then it simply becomes an old-fashioned network server that isn’t an Internet server.

      I don’t think that quote implies that it’s not 100% open source. I would be surprised to learn that it weren’t.

      UPDATE: Color me surprised then. I just looked into it and you are absolutely right. I don’t know where I got the impression that they are 100% open source. I might just have to move to Bitwarden now. We’ll see.

      1. Clairvaux

        Thank you, Larry.

        Glad you did the research for me on Enpass.

        Leaving an electrical contraption always on, night and day, even when you’re away from home, makes me nervous. Electricity costs, and fire hazard. Yes, I know, your fridge is always on… but not running all the time. But that’s just me. Others will react differently.

        Keep up the good work. The hands-on approach is especially interesting.

        1. My understanding is that NASes in general don’t actually use that much energy. The drives don’t get accessed nearly as much as with a desktop. Don’t you leave your desktop computer on all the time? I do mine. I don’t see how it’s any more of a danger than that. I have never heard of a desktop computer catching fire and burning… Is that a thing?

  3. kc

    Thanks, Larry! I have recently been looking to replace my well-worn SplashID Safe with an application that would sync using my NAS. SplashID started as a wifi, on demand syncing password manger and eventually evolved into a product that included cloud syncing. Fortunately for me, they kept the local wifi sync as a well-supported an option until now.

    I tried both Bitwarden and Keepass and neither of them suited me. Keepass has a built-in capability to sync with my NAS but it required tedious customization to even get close to meeting my needs. (Is it a requirement that Open Source developers only create for other developers? When will developers be evaluated by the end product’s appearance, usability, and stability for an end-user? Of course it’s free – who would pay for this??) I really wanted to like Bitwarden, but alas, it was lacking in the NAS sync functionality. Maybe, I’ll migrate to Bitwarden sometime in the future when NAS sync can be easily implemented.

    I have Enpass up and running and syncing across multiple devices. It will take some time to clean up my many, many records (my database is many years old and holds such things as sisters’ garage door codes, brother-in-law’s wifi password). This product suits my needs and requirements.

Leave a Reply

Your email address will not be published. Required fields are marked *