I’ve been using anOpenBSDlaptopas my workstation a lot more lately, probably because most of my hardware justworks now and I don’t have to think too much about it.The touchpadworkswhen I touch it, I can be confident that when I close the lid, the laptopwill fully suspend and then fully resume again when I open it,WiFi works all throughout my house (although it’s not terribly fast), and myweb browseris fast and stable.What amazing times we live in.
Password managers aren’t safe or trustworthy. With website vulnerabilities and security incidents. Secure by design. All encryption and decryption happen on your device — our password manager for Firefox only helps you navigate the process. This way, you’re getting the maximum security for your passwords and sensitive data. The FF version is in the settings info for the Firefox app, but you have to scroll all the way down to the botttom of the Settings screen to see it. (See attached screenshot.) This 1Password problem does not exist in FF 10.0 or later, 1Password works fine with FF 10.0 and above. Get Firefox, a free web browser backed by Mozilla, a non-profit dedicated to internet health and privacy. Available now on Windows, Mac, Linux, Android and iOS. To protect you, 1Password will only fill when you tell it to. If you’re on the sign-in page for a website, click the 1Password icon in your browser’s toolbar, and select the.
In the past, one thing that frequently kept me going back to myMac,aside fromiOS and Androiddevelopment, was1Password.I have a ton of logins for websites and servers, and because mybrowsersare all configured toclear cookiesfor most websites after I close their tabs,I need frequent access to passwords synced across my laptops and phones, and1Password has great apps for all of those except OpenBSD.
All of 1Password’s syncing currently works through my Dropbox account.My Mac has 1Password configured to store its encrypted database in my localDropbox directory, Dropbox does its automatic syncing of that directory to theirservers, and 1Password on my phone uses Dropbox’s API to pick up any changedfiles.It’s been reliable for years, I have local versioned backups of my database, itworks when my devices are offline, and I know I can access that data years in thefuture.
Using 1Password on OpenBSD
To bring OpenBSD into the mix, there are 3rd-party command-line apps which canread local 1Password files such as1passwritten in Go.Getting the 1Password files onto OpenBSD was left as an exercise to the reader, sending me down the rabbit hole of trying to add OpenBSD support tovariousFUSE-basedpackages that could provide a local filesystem view of my Dropbox directory.I managed tohackone of them into semi-working shape, but eventually I gave up and usedrcloneto do one-way fetching of my Dropbox directory on demand.
While this allowed me to at least view and copy passwords, the process was lessthan ideal.Browsing in Firefox, I’d have to open a terminal, type1pass copy <some website>,choose the right one,and then go back to Firefox and paste it in the proper field.Tedious, error-prone, vulnerable to phishing, and now my password is hanging outin clear-text on the clipboard.
A Firefox add-on calledPasscardsfrom the developer of 1pass seemed encouraging, as it did Dropbox syncing on itsown and supported auto-filling passwords in the browser, but I could never get it to work.The hard-coded Dropbox API token in the add-on doesn’t work and the mess ofNode dependencies to build a local version failed miserably on OpenBSD.
1Password Lock-In
Meanwhile, AgileBits, the80-personcompany developing 1Password, has been pushing their new hosted,subscription-based model for 1Password going forward.Instead of users being in control of their data files, 1Password will store themon AgileBits’ servers and users pay a monthly subscription fee for the privilege,forever.
Firefox Password Recovery
I’m anapp developer,I get it.A big company can’t sustain development of a product that users only pay for once.However, I’ve paid for 1Password and all of its major version upgrades, and the$10 or whatever it was to unlock the “pro” features of the iOS app.I’m not opposed to paying money for apps, or for upgrades, or even for asubscription, but I don’t want to pay to host my passwords on AgileBits’ servers.Security concernsaside, there is an issue of lock-in and now having to make my OpenBSD hacks workwith AgileBits’ new API (is there even one?) instead of just accessing and backing up files from Dropbox.
Since I wasn’t sure how long 1Password would keep working with itsnon-subscription-based syncing and I was still missing first-class OpenBSDsupport, I started looked into migrating to something else.
Finding Bitwarden
The main competitor to 1Password isLastPass,which looks nice and works well as a standaloneFirefox add-onon OpenBSD, but it has the same lock-in problem and server-sidesecurity concernsas 1Password.
Firefox Password Manager
KeePassis a popular open-source alternative but its use case seems focused on a singlemachine.I don’t need a stand-alone GUI and I do need browser extensions and mobile appsthat can all sync reliably.And honestly, looking at theirpluginspage left me with a bit of decision fatigue: which ones are good, which ones aresecure, which ones are still maintained?Does the browser extension have to read files from my home directory or talk toa daemon that my unprivileged Firefox won’t be able to do?
There are various command-line concoctions such aspasswhich stores PGP-encrypted files in a Git repo, but that doesn’t improve mysituation over 1Password.I would still have to manually look up passwords and copy them to the clipboard.These command-line packages also lack mobile apps and syncing.
Eventually I stumbled uponBitwardenwhich is similar to LastPass but is entirelyopen-sourceand its primary developer is funded by users paying for subscriptions to storetheir data on Bitwarden’s servers.However, all of their browser extensions and phone apps supportsetting a custom API URLbefore logging in, to allow for private installations.The iOS app and Firefox extension that I tried out looked fairly well polished,but I was more concerned with it being an open platform so I could fix bugs,add features, and host my own data.
Firefox 1password Beta
Unfortunately, the open-sourcebackendfor these apps is written in .NET and expects to talk to a Microsoft SQL Server,requiring a big Docker image to deploy a private installation on Linux.
Since I was expecting to run my own API server on OpenBSD without all of thatoverhead, I decided to write my own compatible server.Sadly, there is no documentation on Bitwarden’s API (outside of its .NET code) soI was not even able to figure out what my server would need to provide.
Rubywarden
Rather than wade through lots of .NET code, I decided to go for a black-boxapproach.I wrote asimple proxyin Sinatra that I could point the Bitwarden Firefox add-on to as its private APIURL.The proxy would intercept each request, print it out to the console, then send itto Bitwarden’s actual API, print out the response, and send it back to the Firefoxadd-on.
With that tool I was able todocument all of the API calls that the Firefox extension and iOS app made and the responseeach was expecting.The encryption key derivation scheme used to actually encrypt and decrypt allof the data took a bit longer to figure out, but because everything is opensource, I was able to read theJavascript codeof the Firefox add-on to understand what it was doing to encrypt a string with agiven password.
With my documentation in-hand, I wrote anew Sinatra serverthat implements all of the API calls needed by the Firefox extension and iOS app.I deployed it to a server with Unicorn behind nginx, and used Let’s Encrypt to geta TLS certificate for it.
My API server is now small and easy to understand, it has a much smaller attacksurface than the .NET version, and all of my data is stored in a SQLite databasethat I can backup and version with cp.No lock-in, a first-class experience on OpenBSD and Firefox, and I feel betterunderstanding the details of how my data is encrypted.
Migrating from 1Password
The Bitwarden web client (not the Firefox add-on) supports directly importing1Password data files for users subcribed to Bitwarden’s hosted service.Since I’m not using Bitwarden’s web client, I wrote a command-line1Password conversion toolthat can read a 1Password Interchange Format file, encrypt the passwords usingBitwarden’s format, and insert them into the database that bitwarden-ruby uses.
After importing more than 700 logins from my 1Password file, I noticed that theBitwarden Firefox add-on was quite sluggish on OpenBSD.Unlocking it with my master password would take four or five seconds to parseeverything before showing the large list of logins.
Since this data was years of migrated 1Password installations and otherpassword stores, I decided to spend a few hours cleaning it up.After deleting some 300 logins and moving others into various folders, the add-on seems a bit snappier though still leaves something to be desired.I’d also like to change its keyboard shortcut to Alt+ like Cmd+ is for1Password, but Firefox’s new WebExtension system doesn’t support changing thesehard-coded keyboard shortcuts yet like Chrome does.
At this point I’ve been using Bitwarden’s iOS app and Firefox extensionexclusively.
My server now hasTOTP support,and everythingseems to be working well.
Fetch the Rubywarden code from GitHubif you want to check it out.