https://www.passwordstore.org/

# generate a keypair (interactive)
gpg --gen-key

mkdir -p ~/.passwordstore/foo/bar

# first line is the password, following lines are "key: value" metadata;
# YOUR_KEY_ID is a placeholder for the key generated above
printf 'hunter2\nusername: [email protected]\n' \
  | gpg --encrypt --recipient YOUR_KEY_ID > ~/.passwordstore/foo/bar/entry.gpg

gpg --decrypt ~/.passwordstore/foo/bar/entry.gpg

tree ~/.passwordstore/

--

Basically, "passwordstore" is pretty trustworthy, open source, reasonably inspectable, and kind of automates the above steps in a decent CLI (and has a nice git integration for syncing).

There's another plugin: "password-tomb" which basically adds in a "zip -r tomb.zip ~/.passwordstore && unzip tomb.zip" with some extra encryption blobbing around things.

I'm nudging towards wanting all that "junk" stored on a mostly-offline (or read-only USB, or doing something with fetching encrypted secrets over the network), and trying to figure out in a temporary ram-disk to try and reduce exposure-time.

The reason it feels pretty good for me is that it degrades gracefully and can be used with standard tooling. It's totally possible to have a script which does: "foreach password => unlock && dump && append-to-pdf && qr-code => print.pdf" and print that out at intervals, so it's got great survivability characteristics. It allows me to self-host even completely offline using git. If I have the GPG key, I can recover the passwords w/o any tooling. Really it's kind of my ideal situation for trustworthiness.

Also, there's a firefox extension https://addons.mozilla.org/en-US/firefox/addon/passff/ (on github: https://github.com/passff/passff)

It requires the user to run a daemon that reads passwords from ~/.passwordstore and feeds them to the extension (https://github.com/passff/passff-host), but the design is pretty transparent to inspection if you're inclined to check.
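The "foreach password => unlock && dump" part of the backup script sketched above, written out as an added POSIX sh example (not code from the post, from pass, or from passff). It assumes the store layout and entry format the post describes: one `<name>.gpg` file per entry under `$STORE`, first line the password, any further lines "key: value" metadata. `DECRYPT` defaults to a real `gpg --decrypt` invocation but can be overridden (for example with `cat` over plaintext stand-in files) so the walking and formatting logic can be checked without a keyring. The output is one plain-text block per entry, which is what you would hand to `qrencode` or a PDF tool for the printed copy.

```shell
#!/bin/sh
# Added example: walk a pass-style store, decrypt every entry and print a
# plain-text backup, one block per entry. Assumptions: entries are *.gpg files
# under $STORE; line 1 of each decrypted entry is the password, later lines are
# "key: value" metadata. DECRYPT is overridable (e.g. DECRYPT=cat on plaintext
# stand-ins) so the store-walking logic can be exercised without a keyring.
set -eu

STORE="${STORE:-$HOME/.passwordstore}"
DECRYPT="${DECRYPT:-gpg --quiet --batch --decrypt}"

# dump_entry FILE: print the entry name, its password and its metadata lines
dump_entry() {
    file="$1"
    # entry name is the path relative to the store root, minus the .gpg suffix
    name="${file#"$STORE"/}"
    name="${name%.gpg}"
    plain="$($DECRYPT "$file")"
    password="$(printf '%s\n' "$plain" | sed -n '1p')"
    printf '== %s ==\npassword: %s\n' "$name" "$password"
    # everything after the first line is passed through unchanged as metadata
    printf '%s\n' "$plain" | sed -n '2,$p'
    printf '\n'
}

# dump_store: dump every entry in the store, in a stable sorted order
dump_store() {
    find "$STORE" -type f -name '*.gpg' | LC_ALL=C sort | while IFS= read -r f; do
        dump_entry "$f"
    done
}

# count_entries: number of *.gpg entries under the store root
count_entries() {
    find "$STORE" -type f -name '*.gpg' | wc -l | tr -d ' '
}

# usage: sh backup.sh run > backup.txt   (then e.g. feed blocks to qrencode)
if [ "${1:-}" = "run" ]; then
    dump_store
fi
```

Running it against a real store means gpg-agent will prompt once per entry unless the key is cached, which is the same exposure the post describes when it talks about doing this on a RAM disk and keeping the window short.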