Written by Alex de Sousa

Oath: Don't Loose Your Keys!

Cover by Chunlea Ju

Recently, I needed to reset my phone. I spent some time backing up my pictures and documents. Everything was going great. But then, I hit a roadblock.

The problem

One-time passwords have become very handy for logging into several sites from Twitter to Coinbase. This passwords are 6 digit tokens generated using the current time and a private key. I was using Google Authenticator for getting my one-time passwords. Sadly, this app does not provide a way to backup the private keys.

The damage was done. I couldn't retrieve the private keys, so I needed to regenerate all of them in every site individually. I thought about my future self dealing with the same issue and I knew I needed a sustainable solution.

Let's change the lightbulb

The research

I wanted a one-time password solution that:

  • Didn't rely on my phone or any app.
  • Could also be used in my computer.
  • Was offline (no private keys stored in the cloud).

That's when I discovered oathtool: a command line tool for generating 6 digit tokens given a private key.

I installed it using sudo apt install oathtool

Generating a 6 digit token with oathtool is as easy as doing the following:

$ oathtool -b --totp 'MyPrivateKey'
798946

Discovering this tool was a good start, but I needed a good way of dealing with the private keys. Then I stumbled upon this article. The author created two scripts:

  • One for encrypting the private key into a file using gpg2.
  • One for decrypting the private key and retrieving the 6 digit token using oathtool.

Additionally, the 6 digit token was automatically copied to the clipboard using xclip.

I installed both tools by running sudo apt install gnupg2 xclip

I loved the solution! Though it had some flaws like storing temporarily an unencrypted file with the private key, it was a great idea :)

Great idea

The plugin

I wrote Oath ZSH plugin by gathering the best ideas from that article. I ended up with the following commands:

  • Adding a private key:
   $ oath add twitter.com
   Private key:
   [SUCCESS]  Key created for twitter.com
  • Showing a 6 digit token (it'll ask for the gpg password):
   $ oath twitter.com
   123456
   [SUCCESS]  Code copied to clipboard
  • Deleting a private key (it'll ask for the gpg password):
   $ oath delete twitter.com
   [WARN]     Deleting /home/user/.oath/twitter.com/B743BC73B5F90E2305142D226BBCD02E89ABBC79.gpg.gpg
   [WARN]     Deleting /home/user/.oath/twitter.com
   [SUCCESS]  Key deleted for twitter.com

The same private keys I added to oath, I also added them to my phone's Google Authenticator app. That way both, my computer and phone, generate the same 6 digit token at a given time.

The only difference is that now I can backup everything. I just need to copy the following folders:

  • $HOME/.gnupg/: GPG folder with all the gpg keys.
  • $HOME/.oath/: Oath folder where all the private keys are stored.

For more info, visit Oath Github repository.

Safety

Conclusion

Though this solution might not be for everyone, it solves the problem I had. Now I can reset my phone at any time and not worrying about my private keys, because they're safely backed up.

The keys

Happy hacking!

Avatar of Alex de Sousa

Alex de Sousa

Elixir alchemist. Tech enthusiast.