QtPass  1.2.3
Multi-platform GUI for pass, the standard unix password manager.
README.md
Go to the documentation of this file.
1 QtPass
2 ======
3 
4 [![latest packaged version(s)](https://repology.org/badge/latest-versions/qtpass.svg)](https://repology.org/metapackage/qtpass)
5 [![Build Status](https://travis-ci.org/IJHack/QtPass.svg?branch=master)](https://travis-ci.org/IJHack/QtPass)
6 [![Build status](https://ci.appveyor.com/api/projects/status/9rjnj72rdir7u9eg/branch/master?svg=true)](https://ci.appveyor.com/project/annejan/qtpass/branch/master)
7 [![Coverity scan](https://scan.coverity.com/projects/5266/badge.svg)](https://scan.coverity.com/projects/ijhack-qtpass)
8 [![Coverage Status](https://coveralls.io/repos/github/IJHack/QtPass/badge.svg)](https://coveralls.io/github/IJHack/QtPass)
9 [![codecov](https://codecov.io/gh/IJhack/QtPass/branch/master/graph/badge.svg)](https://codecov.io/gh/IJhack/QtPass)
10 [![CodeFactor](https://www.codefactor.io/repository/github/ijhack/qtpass/badge)](https://www.codefactor.io/repository/github/ijhack/qtpass)
11 [![Packaging status](https://repology.org/badge/tiny-repos/qtpass.svg)](https://repology.org/metapackage/qtpass)
12 
13 QtPass is a GUI for [pass](https://www.passwordstore.org/),
14 the standard unix password manager.
15 
16 Features
17 --------
18 
19 * Using `pass` or `git` and `gpg2` directly
20 * Configurable shoulder surfing protection options
21 * Cross platform: Linux, BSD, OS X and Windows
22 * Per-folder user selection for multi recipient encryption
23 * Multiple profiles
24 * Easy onboarding
25 
26 Logo based on [Heart-padlock by AnonMoos](https://commons.wikimedia.org/wiki/File:Heart-padlock.svg).
27 
28 Installation
29 ------------
30 
31 ### From package
32 
33 OpenSUSE & Fedora
34 `yum install qtpass`
35 `dnf install qtpass`
36 
37 Debian, Ubuntu and derivates like Mint, Kali & Raspbian
38 `apt-get install qtpass`
39 
40 Arch Linux
41 `pacman -S qtpass`
42 
43 Gentoo
44 `emerge -atv qtpass`
45 
46 Sabayon
47 `equo install qtpass`
48 
49 FreeBSD
50 `pkg install qtpass`
51 
52 macOS
53 `brew cask install qtpass`
54 
55 Windows
56 `choco install qtpass`
57 
58 [![Packaging status](https://repology.org/badge/vertical-allrepos/qtpass.svg)](https://repology.org/metapackage/qtpass)
59 
60 ### From Source
61 
62 **Dependencies**
63 
64 * QtPass requires Qt 5.2 or later
65 * The Linguist package is required to compile the translations.
66 * For use of the fallback icons the SVG library is required.
67 
68 At runtime the only real dependency is `gpg2` but to make the most of it, you'll need `git` and `pass` too.
69 
70 Your GPG has to be set-up with a graphical pinentry when applicable, same goes for git authentication.
71 On Mac OS X this currently seems to only work with MacGPG2 from gpgtools or pinentry-mac from homebrew.
72 
73 On most unix systems all you need is:
74 ```
75 qmake && make && make install
76 ```
77 
78 Testing
79 -------
80 
81 This is done with `make check`
82 
83 Codecoverage can be done with `make lcov`, `make gcov`, `make coveralls` and/or `make codecov`.
84 
85 Be sure to first run: `make distclean && qmake CONFIG+=coverage qtpass.pro`
86 
87 Security considerations
88 -----------------------
89 
90 Using this program will not magically keep your passwords secure against
91 compromised computers even if you use it in combination with a smartcard.
92 
93 It does protect future and changed passwords though against anyone with access to
94 your password store only but not your keys.
95 Used with a smartcard it also protects against anyone just monitoring/copying
96 all files/keystrokes on that machine and such an attacker would only gain access
97 to the passwords you actually use.
98 Once you plug in your smartcard and enter your PIN (or due to CVE-2015-3298
99 even without your PIN) all your passwords available to the machine can be
100 decrypted by it, if there is malicious software targeted specifically against
101 it installed (or at least one that knows how to use a smartcard).
102 
103 To get better protection out of use with a smartcard even against a targeted
104 attack I can think of at least two options:
105 
106 * The smartcard must require explicit confirmation for each decryption operation.
107  Or if it just provides a counter for decrypted data you could at least notice
108  an attack afterwards, though at quite some effort on your part.
109 * Use a different smartcard for each (group of) key.
110 * If using a YubiKey or U2F module or similar that requires a "button" press for
111  other authentication methods you can use one OTP/U2F enabled WebDAV account per
112  password (or groups of passwords) as a quite inconvenient workaround.
113  Unfortunately I do not know of any WebDAV service with OTP support except ownCloud
114  (so you would have to run your own server).
115 
116 Known issues
117 ------------
118 
119 * Filtering (searching) breaks the tree/model sometimes
120 * Starting without a correctly set password-store folder
121  gives weird results in the tree view
122 * On Mac OS X only the gpgtools MacGPG2 version works with passphrase or PIN
123 
124 Planned features
125 ----------------
126 
127 * Plugins based on field name, plugins follow same format as password files
128 * Colour coding folders (possibly disabling folders you can't decrypt)
129 * Optional table view of decrypted folder contents
130 * Opening of (basic auth) urls in default browser?
131  Possibly with helper plugin for filling out forms?
132 * WebDAV (configuration) support
133 * Some other form of remote storage that allows for
134  accountability / auditing (web API to retrieve the .gpg files?)
135 
136 Further reading
137 ---------------
138 
139 [FAQ](FAQ.md) and [CONTRIBUTING](CONTRIBUTING.md) documentation.
140 [CHANGELOG](CHANGELOG.md)
141 
142 [Website](https://qtpass.org/)
143 [Source code](https://github.com/IJHack/qtpass)
144 [Issue queue](https://github.com/IJHack/qtpass/issues)
145 [Chat](https://gitter.im/IJHack/qtpass)