Written by Alex de Sousa
Recently, I needed to reset my phone. I spent some time backing up my pictures and documents. Everything was going great. But then, I hit a roadblock.
One-time passwords have become very handy for logging into several sites from Twitter to Coinbase. This passwords are 6 digit tokens generated using the current time and a private key. I was using Google Authenticator for getting my one-time passwords. Sadly, this app does not provide a way to backup the private keys.
The damage was done. I couldn't retrieve the private keys, so I needed to regenerate all of them in every site individually. I thought about my future self dealing with the same issue and I knew I needed a sustainable solution.
I wanted a one-time password solution that:
That's when I discovered oathtool
: a command line tool for generating 6 digit tokens given a private key.
I installed it using
sudo apt install oathtool
Generating a 6 digit token with oathtool
is as easy as doing the following:
$ oathtool -b --totp 'MyPrivateKey'
798946
Discovering this tool was a good start, but I needed a good way of dealing with the private keys. Then I stumbled upon this article. The author created two scripts:
gpg2
.oathtool
.Additionally, the 6 digit token was automatically copied to the clipboard using xclip
.
I installed both tools by running
sudo apt install gnupg2 xclip
I loved the solution! Though it had some flaws like storing temporarily an unencrypted file with the private key, it was a great idea :)
I wrote Oath ZSH plugin by gathering the best ideas from that article. I ended up with the following commands:
$ oath add twitter.com
Private key:
[SUCCESS] Key created for twitter.com
$ oath twitter.com
123456
[SUCCESS] Code copied to clipboard
$ oath delete twitter.com
[WARN] Deleting /home/user/.oath/twitter.com/B743BC73B5F90E2305142D226BBCD02E89ABBC79.gpg.gpg
[WARN] Deleting /home/user/.oath/twitter.com
[SUCCESS] Key deleted for twitter.com
The same private keys I added to oath
, I also added them to my phone's Google Authenticator app. That way both, my computer and phone, generate the same 6 digit token at a given time.
The only difference is that now I can backup everything. I just need to copy the following folders:
$HOME/.gnupg/
: GPG folder with all the gpg keys.$HOME/.oath/
: Oath folder where all the private keys are stored.For more info, visit Oath Github repository.
Though this solution might not be for everyone, it solves the problem I had. Now I can reset my phone at any time and not worrying about my private keys, because they're safely backed up.
Happy hacking!
Alex de Sousa
Elixir alchemist. Tech enthusiast.