DEVOPS · 2 MIN READ · Mar 12, 2020

Oath: Don't Loose Your Keys!

Alex de Sousa

Alex de Sousa

BEAM engineer since 2012, Elixir alchemist since 2015, and open source author. Writing about Elixir, OTP, and software engineering.

Recently, I needed to reset my phone. I spent some time backing up my pictures and documents. Everything was going great. But then, I hit a roadblock.

The problem

One-time passwords have become very handy for logging into several sites from Twitter to Coinbase. This passwords are 6 digit tokens generated using the current time and a private key. I was using Google Authenticator for getting my one-time passwords. Sadly, this app does not provide a way to backup the private keys.

The damage was done. I couldn’t retrieve the private keys, so I needed to regenerate all of them in every site individually. I thought about my future self dealing with the same issue and I knew I needed a sustainable solution.

Let's change the lightbulb

The research

I wanted a one-time password solution that:

That’s when I discovered oathtool: a command line tool for generating 6 digit tokens given a private key.

I installed it using sudo apt install oathtool

Generating a 6 digit token with oathtool is as easy as doing the following:

$ oathtool -b --totp 'MyPrivateKey'
798946

Discovering this tool was a good start, but I needed a good way of dealing with the private keys. Then I stumbled upon this article. The author created two scripts:

Additionally, the 6 digit token was automatically copied to the clipboard using xclip.

I installed both tools by running sudo apt install gnupg2 xclip

I loved the solution! Though it had some flaws like storing temporarily an unencrypted file with the private key, it was a great idea :)

Great idea

The plugin

I wrote Oath ZSH plugin by gathering the best ideas from that article. I ended up with the following commands:

The same private keys I added to oath, I also added them to my phone’s Google Authenticator app. That way both, my computer and phone, generate the same 6 digit token at a given time.

The only difference is that now I can backup everything. I just need to copy the following folders:

For more info, visit Oath Github repository.

Safety

Conclusion

Though this solution might not be for everyone, it solves the problem I had. Now I can reset my phone at any time and not worrying about my private keys, because they’re safely backed up.

The keys

Happy hacking!

ABOUT THE AUTHOR
Alex de Sousa

Alex de Sousa

BEAM engineer since 2012, Elixir alchemist since 2015, and open source author. Writing about Elixir, OTP, and software engineering.

MORE POSTS