Firefox Browserpass with firejail and Apparmor

Published on

This is a guide describing how to set up Firefox with firejail + AppArmor with password management in pass. The passwords are filled in websites forms through Browserpass addon + Browserpass native application.

The setup password store will only contain passwords used by the websites encrypted through a separate key.

Setup #

Creating new .gnupg directory #

First, the separate .gnupg directory needs to be set up. This can be done by following the “Creating a key” tutorial, but the gpg command should be run with --homedir=~/.gnupg_ff option.

(user) ~ # gpg --homedir=~/.gnupg_ff --gen-key

Create the new password store #

The browser-only password store may be set up at ${HOME}/.websites-passwords. Pass can set up several stores with PASSWORD_STORE_GPG_OPTS and PASSWORD_STORE_DIR variables, e.g.:

(user) ~ # PASSWORD_STORE_GPG_OPTS="--homedir=${HOME}/.gnupg_ff" PASSWORD_STORE_DIR=".websites-passwords" pass init

Configuring the Browserpass native application #

At the time of writing, Browserpass addon does not support running gpg with predefined parameters, so it is possible to either:

# Since firejail will probably strip the environment variables, replace with real path to ${HOME}, like /home/larry
/usr/bin/gpg2 --homedir="${HOME}/.gnupg_ff" $@
diff --git a/request/fetch.go b/request/fetch.go
index fd35610..83d4259 100644
--- a/request/fetch.go
+++ b/request/fetch.go
@@ -154,7 +154,7 @@ func decryptFile(store *store, file string, gpgPath string) (string, error) {

    var stdout, stderr bytes.Buffer
-	gpgOptions := []string{"--decrypt", "--yes", "--quiet", "--batch", "-"}
+	gpgOptions := []string{"--homedir=/home/larry/.gnupg_ff", "--decrypt", "--yes", "--quiet", "--batch", "-"}

    cmd := exec.Command(gpgPath, gpgOptions...)
    cmd.Stdin = passwordFile

If using Gentoo, make sure to use the built-in patch management, see /etc/portage/patches.

Configuring addon #

If you installed the gpg_forced_homedir wrapper, configure the Browserpass addon to use the wrapper as the custom gpg binary in addon Preferences.

In any case, the new store will need to be specified in the Customer store location

Modifying the firejail profile #

Create a local copy of the profile as per the firejail instructions. Include the following in the copy:

mkdir ${HOME}/.gnupg_ff
whitelist ${HOME}/.gnupg_ff
mkdir ${HOME}/.websites-passwords
whitelist ${HOME}/.websites-passwords

Note on D-Bus #

If the only available pinentry programs are gnome ones, I believe ignore nodbus is required in the profile, otherwise the pinentry window would not launch. As an alternative, pinentry-fltk may be used(available on Gentoo with USE="ftlk" for app-crypt/pinentry). D-Bus is by default disabled in the Firefox firejail profile.

Configuring gpg-agent #

Set the needed pinentry in ${HOME}/.gnupg_ff/gpg-agent.conf:

pinentry-program /usr/bin/pinentry-fltk

Modifying the AppArmor profile #

AppArmor should allow executables to be run from /usr/libexec/Browserpass-native

(user) ~ # cat /etc/AppArmor.d/local/firejail-local
# Site-specific additions and overrides for 'firejail-default'.
# For more details, please see /etc/AppArmor.d/local/README.
/{,run/firejail/mnt/oroot/}{,usr/,usr/local/}libexec/Browserpass-native ix,

Integrating with the standard pass directory #

As an optional measure, it is possible to configure the usual pass to the passwords created in the second store. This can be automated if the standard .password-store is set up as a git repo (pass git init) and is easier if all Browserpass passwords are in a separate directory, e.g. .password-store/site-passwords.

First, import the key from .gnupg_ff into the keyring at .gnupg.

Back up the password storage directory (if not using a remote repository) and run gpg --list-keys to determine the newly imported key fingerprint.

To propagate changes done in .password-store/site-passwords to .websites-passwords password store, create a git post-commit hook that would rsync the changed site-passwords subdirectory into .websites-passwords.

(user) ~/.password-store # echo > .git/hooks/post-commit <<EOF
rsync -avh site-passwords/ ${HOME}/.websites-passwords --delete

The -avh with --delete will make ${HOME}/.websites-passwords/ an exact copy of site-passwords/ subdirectory.

The following command will reencrypt the specified directory with the new key. Run pass init -p site-passwords <fingerprint> where site-passwords is the directory with the passwords to be used with Browserpass.

For more info on how to backup .password-store as a git repo, see this gist by abtrout. The post-commit hook may be expanded to automatically run git push

If you want to manage the new password store separately, you can add an alias to your shell:

alias wpass="PASSWORD_STORE_GPG_OPTS='--homedir=~/.gnupg_ff' PASSWORD_STORE_DIR='.websites-passwords' pass"

Further configuration and notes #

The sandbox may be separated from the host even further by running it in Xephyr as in this guide by Sakaki, however there are a few minor problems: