QtPass  1.2.1
Multi-platform GUI for pass, the standard unix password manager.
README.md
Go to the documentation of this file.
1 QtPass
2 ======
3 
4 [![Build Status](https://travis-ci.org/IJHack/QtPass.svg?branch=master)](https://travis-ci.org/IJHack/QtPass)
5 [![Build status](https://ci.appveyor.com/api/projects/status/9rjnj72rdir7u9eg/branch/master?svg=true)](https://ci.appveyor.com/project/annejan/qtpass/branch/master)
6 [![Coverity scan](https://scan.coverity.com/projects/5266/badge.svg)](https://scan.coverity.com/projects/ijhack-qtpass)
7 [![Coverage Status](https://coveralls.io/repos/github/IJHack/QtPass/badge.svg)](https://coveralls.io/github/IJHack/QtPass)
8 [![codecov](https://codecov.io/gh/IJhack/QtPass/branch/master/graph/badge.svg)](https://codecov.io/gh/IJhack/QtPass)
9 [![CodeFactor](https://www.codefactor.io/repository/github/ijhack/qtpass/badge)](https://www.codefactor.io/repository/github/ijhack/qtpass)
10 
11 QtPass is a GUI for [pass](https://www.passwordstore.org/),
12 the standard unix password manager.
13 
14 Features
15 --------
16 
17 * Using `pass` or `git` and `gpg2` directly
18 * Configurable shoulder surfing protection options
19 * Cross platform: Linux, BSD, OS X and Windows
20 * Per-folder user selection for multi recipient encryption
21 * Multiple profiles
22 * Easy onboarding
23 
24 Logo based on [Heart-padlock by AnonMoos](https://commons.wikimedia.org/wiki/File:Heart-padlock.svg).
25 
26 Installation
27 ------------
28 
29 ### From package
30 
31 OpenSUSE & Fedora
32 `yum install qtpass`
33 `dnf install qtpass`
34 
35 Debian, Ubuntu and derivates like Mint, Kali & Raspbian
36 `apt-get install qtpass`
37 
38 Arch Linux
39 `pacman -S qtpass`
40 
41 Gentoo
42 `emerge -atv qtpass`
43 
44 Sabayon
45 `equo install qtpass`
46 
47 FreeBSD
48 `pkg install qtpass`
49 
50 macOS
51 `brew cask install qtpass`
52 
53 Windows
54 `choco install qtpass`
55 
56 ### From Source
57 
58 **Dependencies**
59 
60 * QtPass requires Qt 5.
61 * The Linguist package is required to compile the translations.
62 * For use of the fallback icons the SVG library is required.
63 
64 At runtime the only real dependency is `gpg2` but to make the most of it, you'll need `git` and `pass` too.
65 
66 Your GPG has to be set-up with a graphical pinentry when applicable, same goes for git authentication.
67 On Mac OS X this currently seems to only work with MacGPG2 from gpgtools.
68 
69 On most unix systems all you need is:
70 ```
71 qmake && make && make install
72 ```
73 
74 Testing
75 -------
76 
77 This is done with `make check`
78 
79 Codecoverage can be done with `make lcov`, `make gcov`, `make coveralls` and/or `make codecov`.
80 
81 Be sure to first run: `make distclean && qmake CONFIG+=coverage qtpass.pro`
82 
83 Security considerations
84 -----------------------
85 
86 Using this program will not magically keep your passwords secure against
87 compromised computers even if you use it in combination with a smartcard.
88 
89 It does protect future and changed passwords though against anyone with access to
90 your password store only but not your keys.
91 Used with a smartcard it also protects against anyone just monitoring/copying
92 all files/keystrokes on that machine and such an attacker would only gain access
93 to the passwords you actually use.
94 Once you plug in your smartcard and enter your PIN (or due to CVE-2015-3298
95 even without your PIN) all your passwords available to the machine can be
96 decrypted by it, if there is malicious software targeted specifically against
97 it installed (or at least one that knows how to use a smartcard).
98 
99 To get better protection out of use with a smartcard even against a targeted
100 attack I can think of at least two options:
101 
102 * The smartcard must require explicit confirmation for each decryption operation.
103  Or if it just provides a counter for decrypted data you could at least notice
104  an attack afterwards, though at quite some effort on your part.
105 * Use a different smartcard for each (group of) key.
106 * If using a YubiKey or U2F module or similar that requires a "button" press for
107  other authentication methods you can use one OTP/U2F enabled WebDAV account per
108  password (or groups of passwords) as a quite inconvenient workaround.
109  Unfortunately I do not know of any WebDAV service with OTP support except ownCloud
110  (so you would have to run your own server).
111 
112 Known issues
113 ------------
114 
115 * Filtering (searching) breaks the tree/model sometimes
116 * Starting without a correctly set password-store folder
117  gives weird results in the tree view
118 * On Mac OS X only the gpgtools MacGPG2 version works with passphrase or PIN
119 
120 Planned features
121 ----------------
122 
123 * Plugins based on field name, plugins follow same format as password files
124 * Colour coding folders (possibly disabling folders you can't decrypt)
125 * Optional table view of decrypted folder contents
126 * Opening of (basic auth) urls in default browser?
127  Possibly with helper plugin for filling out forms?
128 * WebDAV (configuration) support
129 * Some other form of remote storage that allows for
130  accountability / auditing (web API to retrieve the .gpg files?)
131 
132 Further reading
133 ---------------
134 
135 [FAQ](FAQ.md) and [CONTRIBUTING](CONTRIBUTING.md) documentation.
136 [CHANGELOG](CHANGELOG.md)
137 
138 [Website](https://qtpass.org/)
139 [Source code](https://github.com/IJHack/qtpass)
140 [Issue queue](https://github.com/IJHack/qtpass/issues)
141 [Chat](https://gitter.im/IJHack/qtpass)