Whenever I can update something I am delighted to see the new functionalities, bug fixes and goodies roll in. For phones this is true as well except for Apple. Their updates usually make your phone slower, your battery worse worse or they simply deactivate a feature of your phone. Google seems to have found some inspiration in Apple's playbook as the latest update for Google Phone 4A hurt the battery in such a severe way they felt compelled to rush ahead and offer owners three options. I am an owner of a Google 4A Pixel phone so now I needed to decide whether I want to have the battery swapped free of charge, $50 in hand or $100 for the Google Play store. It is important for me to live sustainably but I was also looking at the latest Google Pixel 9 and considering buying that. My good friend Daniel has usually the latest nicest tech so I asked him for advice and in that conversation we stumbled upon the question: "How do you backup your One time password secret (OTP) from the google authenticator, when there isn't a secret?". Well my answer was simple, I don't. Quite a long time ago I moved away from an authenticator approach to using a password safe with OTP features on every device. This allows me to access my OTP and passwords everywhere. Now Daniel wanted to know how I set everything up so I thought I'd share it with everyone.
Cloud vs. Local Password Management
Before we get into that though, let me make a case for cloud password safes because I believe it is valuable for everyone no matter how tech adept you are to use a password safe. My approach may be too technical for you, so I would recommend using Lastpass or 1Password. Be warned though, these types of cloud password safes have led to leaks like this and that. I hope both companies have learned their lesson and improved the safety of the passwords. For me though, this was a killer argument. I would never let anyone manage my passwords who had a leak. Therefore I looked for a different solution and found it in Keepass. The open source password safe has undergone several transformations from Keepass to Keepass2 and now to KeepassXC. The community is active and healthy so that this password safe can be considered safe to use. If you don't need to manage your passwords on several devices try this first before you pay for a cloud option. Go to a cryptoparty if you need help with setting a password safe up. Here you can find more information about digital self-defense.
Building a Git-Synced Password System
The challenge with KeepassXC for me was how to synchronize the encrypted database between devices. I didn't want to use cloud storage services like Dropbox, Mega, or Cubbit, as they would require additional apps and potentially expose my file to their systems. Furthermore, I needed version control capabilities to roll back changes if necessary, and ensure offline availability across all devices. The answer to these questions is Git. It provides all the features I was looking for and can be installed on all devices. Here's an overview of how that looks.
I followed a simple rule of "One device writes, all others only read" for quite a while. Whenever I didn't follow the rule, it wouldn't take long before my Git repository would be out of sync. Then I would need to check which passwords I had recently added and resolve the conflicts. This happened more than I'd like to admit. Finally, I had a moment with enough time on my hands and decided to solve this issue once and for all. On all devices that allow for cron jobs, I now use the following:
#!/bin/bash
# */5 * * * * /bin/bash ~/name_of_script.bash "/path/to/your/local/repository" > /dev/null 2>&1
cd "$1" || exit 1
if ! git diff-index --quiet HEAD --; then
sleep 180
git add -A
COMMIT_MESSAGE="Update: $(date '+%Y-%m-%d %H:%M:%S')"
git commit -m "$COMMIT_MESSAGE"
git push origin master
else
git pull --rebase
fiThis script checks whether there is a change registered by Git, waits for three minutes, and then commits. As a user, you will start typing and change your password database, and the cron job will pick this up. I have configured it to check every five minutes using: */5 * * * * /bin/bash ~/name_of_script.bash "/path/to/your/local/repository" > /dev/null 2>&1. This timeframe is up to you to choose. You can see here how to configure a cron job on macOS. For Linux, it is similar.
On Windows, I used WSL to fetch the latest version of the database and copy it over to the Windows side. However, since I no longer use Windows, I won't address those specific challenges. For Android, I use the app termux to sync the file via Git. Here's another script for Termux to fetch the latest version and copy the file into the Android storage space.
#!/bin/bash
function main {
git pull
cp -f ./repository/DB.kdbx ../storage/shared/KeePassXD/DB.kdbx
}
mainYou will need to create a shared storage to transfer files between termux and android. Here is the tutorial: https://wiki.termux.com/wiki/Sharing_Data
Implementing both scripts took away a lot of struggle for me and I hope for you as well. As for my Pixel 4A's battery issue? I chose the free replacement option. During the service period, my git-synced KeepassXC setup proved its worth – I accessed all my passwords and OTP codes seamlessly from other devices. Conversations about tech troubles often spark opportunities to share solutions. Though my password management system predates the current Pixel battery situation, Daniel's curiosity reminded me that personal solutions can help others. In a world of unpredictable updates and hardware issues, having a robust, device-independent security system gives us one less thing to worry about.