- Philipp Ludewig

Beyond Google Authenticator: Building a Git-Based Password System

Whenever I can update something I am delighted to see the new functionalities, bug fixes and goodies roll in. For phones this is true as well, except for Apple. Their updates usually make your phone slower, your battery worse, or they simply deactivate a feature of your phone. Google seems to have found some inspiration in Apple's playbook, as the latest update for the Google Pixel 4A hurt the battery in such a severe way that they felt compelled to rush ahead and offer owners three options. I am an owner of a Google Pixel 4A, so now I needed to decide whether I want to have the battery swapped free of charge, take $50 in cash, or take $100 for the Google Play Store. It is important to me to live sustainably, but I was also looking at the latest Google Pixel 9 and considering buying that. My good friend Daniel usually has the latest and nicest tech, so I asked him for advice, and in that conversation we stumbled upon the question: "How do you back up your one-time password (OTP) secret from the Google Authenticator, when there isn't a secret?". Well, my answer was simple: I don't. Quite a long time ago I moved away from an authenticator approach to using a password safe with OTP features on every device. This allows me to access my OTPs and passwords everywhere. Now Daniel wanted to know how I set everything up, so I thought I'd share it with everyone.

Cloud vs. Local Password Management

Before we get into that, though, let me make a case for cloud password safes, because I believe it is valuable for everyone, no matter how tech adept you are, to use a password safe. My approach may be too technical for you, so in that case I would recommend LastPass or 1Password. Be warned, though: these types of cloud password safes have led to leaks like this and that. I hope both companies have learned their lesson and improved the safety of the passwords. For me, though, this was a killer argument: I would never let anyone manage my passwords who had a leak. Therefore I looked for a different solution and found it in KeePass. The open-source password safe has undergone several transformations, from KeePass to KeePass2 and now to KeePassXC. The community is active and healthy, so this password safe can be considered safe to use. If you don't need to manage your passwords on several devices, try this first before you pay for a cloud option.

Building a Git-Synced Password System

The challenge with KeePassXC for me was how to synchronize the encrypted database between devices. I didn't want to use cloud storage like Dropbox, Mega or Cubbit, as it would always require some app to use, and I might end up sharing the file with them. Furthermore, how could I version the file and roll it back if I needed to, or make sure it is really available on all devices without internet? The answer to these questions is Git. It brings all the features I was looking for and can be installed on all devices. Here is an overview of how that looks.

Setup

I followed a simple rule of "one device writes, all others only read" for quite a while. Whenever I didn't follow the rule, it wouldn't take long before my Git repository was out of sync. Then I would need to check which password I had recently added and resolve the conflict. This happened more than I would like to admit. There was this moment where I had enough time on my hands and said fuck it, let's solve this issue once and for all. On all devices that allow for a cronjob I am now using one to do the following:

#!/bin/bash
# Cron entry (every five minutes); the repository path is passed as $1:
# */5 * * * * /bin/bash ~/name_of_script.bash "/path/to/your/local/repository" > /dev/null 2>&1
cd "$1" || exit 1

# diff-index only sees tracked files: a brand-new file has to be added once by hand.
if ! git diff-index --quiet HEAD --; then
    # Something changed: give the user three minutes to finish editing,
    # then commit everything and publish it.
    sleep 180
    git add -A

    COMMIT_MESSAGE="Update: $(date '+%Y-%m-%d %H:%M:%S')"
    git commit -m "$COMMIT_MESSAGE"

    # Integrate anything another device pushed in the meantime; otherwise
    # the push is rejected and the local commit stays unpublished.
    git pull --rebase origin master
    git push origin master
else
    # Nothing changed locally: just fetch what the other devices committed.
    git pull --rebase
fi

This script checks whether Git has registered a change, waits three minutes and then commits. As a user you will start typing and change your password database, and the cronjob will pick this up. I have configured it to look every five minutes: */5 * * * * /bin/bash ~/name_of_script.bash "/path/to/your/local/repository" > /dev/null 2>&1. This timeframe is up to you to choose. You can see here how to configure a cronjob on macOS. For Linux it is similar. On Windows I used WSL to fetch the latest version of the database and copy it over to the Windows side. As I don't use Windows anymore, I don't care how to solve the challenge on this system. For my Android I use the app Termux to sync the file via Git. Here is another script for Termux to fetch the latest version and copy the file into the Android storage space.

#!/bin/bash
# Termux: pull the latest database and copy it into Android shared storage,
# where the KeePass app on the phone reads it. The paths are relative to the
# directory the script is run from; ~/storage/shared is the symlink that
# termux-setup-storage creates.
set -e

function main {
  git pull
  cp -f ./repository/DB.kdbx ../../storage/shared/KeePassXD/DB.kdbx
}

main
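The conflict the "one device writes" rule was meant to avoid is what the cron script above still has to survive. As an added example that is my own code, not the post's script, here is a sync routine that goes a bit further than the one above: it refuses to commit anything that is not a .kdbx (so a KeePassXC CSV export or key file dropped into the folder is never pushed in the clear), locks against overlapping cron runs, and on a rebase conflict keeps the remote copy of the database next to the local one so it can be merged in KeePassXC instead of being lost. It assumes the remote is called origin and the branch is master, as in the post.

```shell
#!/bin/bash
# Added example, not the post's own script: a cron-friendly sync routine with
# the guards a KeePassXC database repository should have. Assumed: remote
# "origin", branch "master" (as in the post), nothing but *.kdbx in the repo.
# Refuse to commit anything that is not an encrypted database: KeePassXC
# exports (CSV/XML/HTML) and key files are plaintext or secret material and
# must never be pushed. Reads one path per line on stdin.
allowed_paths_only() {
  local path rc=0
  while IFS= read -r path; do
    case "$path" in
      "") ;;
      *.remote-*.kdbx) echo "merge pending, not committing: $path" >&2; rc=1 ;;
      *.kdbx) ;;
      *) echo "refusing to commit non-database file: $path" >&2; rc=1 ;;
    esac
  done
  return "$rc"
}

# Runs inside the repository: commit local edits, integrate the remote, push.
# Git cannot merge the binary .kdbx, so on a rebase conflict the remote copy
# is saved next to ours for a manual "Merge from database" in KeePassXC, the
# rebase is aborted, and later runs refuse to commit until it is merged away.
_sync_in_repo() {
  local branch="$1" f
  if [ -n "$(git status --porcelain)" ]; then
    git status --porcelain | cut -c4- | allowed_paths_only || return 1
    git add -A
    git commit -q -m "Update: $(date '+%Y-%m-%d %H:%M:%S')"
  fi
  if ! git pull -q --rebase origin "$branch"; then
    for f in $(git diff --name-only --diff-filter=U); do
      git show "origin/$branch:$f" > "${f%.kdbx}.remote-$(date +%s).kdbx"
    done
    git rebase --abort
    echo "conflict: remote copy saved for manual merge in KeePassXC" >&2
    return 2
  fi
  git push -q origin "$branch"
}

# Cron entry point; a mkdir lock keeps two runs from overlapping.
sync_repo() {
  local repo="$1" branch="${2:-master}" rc
  mkdir "$repo/.git/sync.lock" 2>/dev/null || return 0
  (cd "$repo" && _sync_in_repo "$branch"); rc=$?
  rmdir "$repo/.git/sync.lock"
  return "$rc"
}
```

From cron it is called as sync_repo /path/to/your/local/repository in place of the script above; exit code 2 means a remote copy is waiting to be merged.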

Implementing both scripts took away a lot of struggle for me, and I hope they do the same for you. As for my Pixel 4A's battery issue? I chose the free replacement option. During the service period, my git-synced KeePassXC setup proved its worth – I accessed all my passwords and OTP codes seamlessly from other devices. Conversations about tech troubles often spark opportunities to share solutions. Though my password management system predates the current Pixel battery situation, Daniel's curiosity reminded me that personal solutions can help others. In a world of unpredictable updates and hardware issues, having a robust, device-independent security system gives us one less thing to worry about.