UPDATE: Due to collisions with the global keyboard shortcuts on Chrome OS, the default shortcut for this extension has been changed to Ctrl+Shift+P (resp. Cmd+Shift+P on Mac). The keyboard shortcut can always be changed under chrome:https://extensions/shortcuts.
smart-pass is a Chrome/Chromium extension that automatically fills login forms with passwords encrypted using OpenPGP-enabled smart card. The encrypted password files are fetched from Google Drive and decrypted on the smart card using the Smart Card Connector extension. As all operations run either directly on the smart card or in the browser, the extension can be used in cases where a full gpg/smart card stack cannot be installed, e.g., under Chrome OS or without admin/root privileges. Password stores can be maintained with zx2c4's pass and uploaded to Google Drive using the web UI or a command line tool such as drive.
smart-pass is based on browserpass and compatible with one of its two storage formats for passwords.
- An OpenPGP-enabled smart card such as
- a YubiKey
- a Nitrokey
- the OpenPGP Smartcard
- ...
- A password store on Google Drive, consisting of
gpg-encrypted password files adhering to the format outlined below
Passwords for the domain www.a.example.com or a.example.com can be stored in any Google Drive folder with the name a.example.com. Password files in such a folder will also be used for subdomains such as foo.a.example.com and mail.a.example.com, but not for domains like evil.example.com or example.com.
In such a folder, a username/password combination is stored as a .gpg-file containing the password encrypted with the user's public key. The name of the file (minus the .gpg) will be taken as the username.
Example: If the user [email protected] uses the password 123457 on mail.example.com, smart-pass would look for a folder mail.example.com containing a file [email protected] with the encrypted password.
- Install the Smart Card Connector extension from the web store.
- Install smart-pass from the web store.
On first use, both Google Drive and the Smart Card Connector extension will show a warning dialog outlining the permissions requested by the extension.
- Click on the extension icon in the toolbar or press Ctrl+Shift+P (Mac: Cmd+Shift+P) to open a list of logins for the current page.
- Select a login or search for logins for a different domain by pressing Enter. You can optionally choose to copy the corresponding password to the clipboard instead of filling a login form by clicking on the copy icon.
- Enter your smart card's PIN and press Enter. You can optionally choose to cache your PIN until you have either been inactive for 60 seconds or have locked your device. The PIN cache can always be cleared manually from the extension icon's context menu.
- After possibly confirming the decryption operation on your smart card reader, you will be logged in automatically.
See CONTRIBUTING.md.
- Support inserting, editing and generating passwords
- Use random numbers generated by the hardware RNG on the smart card
- Offer to fill one-time passwords generated from TOTP secrets stored on the smart card