As the number of username-passwords we need to remember increases, password managers are becoming more and more relevant. By using a password manager we no longer have to revert our password because we can’t remember the variation we used for that particular website, or use the same one everywhere. But chances are you already know that since you came across this post, so let’s cut to the chase and talk about pass, the standard unix password manager.
Pass is a simple password manager that stores our credentials in gpg encrypted files, where the filenames correspond to the respective titles of the service / website.
We can also utilize the build-in git integration to keep those credentials synced between our devices - including Android, iOS devices windows computers etc.
Create a PGP key
In order to start using pass, we need a PGP key with encryption capabilities.
In most Linux distributions GnuPG toolchain should already be installed and is avaliable through their package managers.
If not, get the latest verion from GnuPG website. Make sure you use a GnuPG version > 2
(in Ubuntu for example, that would be the
$ gpg --version gpg (GnuPG) 2.2.5 libgcrypt 1.8.2 Copyright (C) 2018 Free Software Foundation, Inc. License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html> This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. Home: /home/mike/foo Supported algorithms: Pubkey: RSA, ELG, DSA, ECDH, ECDSA, EDDSA Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH, CAMELLIA128, CAMELLIA192, CAMELLIA256 Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224 Compression: Uncompressed, ZIP, ZLIB, BZIP2
So let’s generate our gpg key using the following command:
$ gpg --full-generate-key
I went with the default options for the key type (RSA and RSA), and the key size (2048). I could have selected a 4096-bits long key, but I intend to use with my YubiKey Neo and it doesn’t support 4096-bit keys yet. I then specified the valid until date, my name - email, a password. Make sure you don’t forget that key’s password cause every password managed by pass is encrypted with that private key. But we used to remember our credentials for all those services that we use so a single key’s password won’t be much of an issue!
We can verify that the key was successfully generated, using the command below:
$ gpg -K gpg: checking the trustdb gpg: marginals needed: 3 completes needed: 1 trust model: pgp gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u gpg: next trustdb check due at 2019-06-10 /home/mike/foo/pubring.kbx -------------------------- sec rsa2048 2018-06-10 [SC] [expires: 2019-06-10] 15E886BF97A7828A2F5795DBC22FADC6585FDF18 uid [ultimate] Michail Mylonakis (My gpg key) <email@example.com> ssb rsa2048 2018-06-10 [E] [expires: 2019-06-10]
Pass is available on all major linux distributions, so it should be easy to install using the package manager. In Arch linux that would be pacman, and we can easily install pass.
$ pacman -S pass
In order to set up pass, we need to run the following:
$ pass init firstname.lastname@example.org
Note that we used the same email address of our secret gpg key. Let’s also enable the git integration:
$ pass git init
Now our password store (the ~/.password-store directory) is a git repository, so we can utilize git to keep our password synced between our multiple devices (we ll see how in a next section).
Export the private key
Now let’s export our private key so that we can import it into our other devices. It also makes sense to save it somewhere “safe” as a backup.
$ gpg --export-secret-keys > secret.asc
Generate a new pass
Now we are ready to start using pass. Let’s generate our first simple password, for the website test.com:
$ pass generate test.com 10 [master e065551] Add generated password for test.com. 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 test.com.gpg The generated password for test.com is: +U%90>_*=Y
In the last line above, we see the (randomly) generated password. The number 10 that we passed as the last argument of
the pass generate command specifies the password length. We can use the
-n or --no-symbols option to blacklist specific
chars. Our password is stored at the file
~/.password-store/test.com.gpg in an encrypted format.
Insert an existing password
Now let’s insert an already existing password.
$ pass insert social/twitter mkdir: created directory '/home/mike/.password-store/social' Enter password for social/twitter: Retype password for social/twitter: [master d2f3237] Add given password for social/twitter to store. 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 social/twitter.gpg
We can organize the password store directory structure into categories, as seen bellow.
Update an existing password
We can update an existing password like this:
$ pass edit social/twitter
or have pass generate a new password for us.
$ pass generate -i social/twitter
Retrieve a password
We can see what passwords exist in the password store usgin the
pass ls command:
$ pass ls Password Store ├── social │ └── twitter └── test.com
We can reveal a password like this:
$ pass test.com
If we pass the
-c flag on the above command the password is copied to our clipboard and stays there for 45 seconds by
Store more details
Another interesting feature of pass is that we can store more details alongside with the password - just make sure
that the first line contains the password as that’s what pass copies into our clipboard. We can edit an existing
password using the
pass edit command, in which case the text editor specified by the $EDITOR env variable will
open up and let us modify the file. We can also use the
-m flag in the pass insert command to add the details
in one go:
$ pass insert -m github Enter contents of github and press Ctrl+D when finished: mypassword url: github.com username: myusername [master 791253d] Add given password for github to store. 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 github.gpg
Remove a password
We can easily remove an existing password:
$ pass rm github Are you sure you would like to delete github? [y/N] y removed '/home/mike/.password-store/github.gpg' [master 99c7fda] Remove github from store. 1 file changed, 0 insertions(+), 0 deletions(-) delete mode 100644 github.gpg
Interacting with the git repo
As we have enabled git integration in the beginning of this guide our passwords are stored encrypted in a full-fledged git repository. We can examine the repo using the normal git commands prepended by pass:
$ pass git log commit 791253d6ad8bd4149f1106a3a32f1d65c55c34df (HEAD -> master) Author: Mike <email@example.com> Date: Sat Jun 16 17:58:00 2018 +0100 Add given password for github to store. commit 99c7fdaf5a902f2dd6e31f211933fdb950b8548b Author: Mike <firstname.lastname@example.org> Date: Sat Jun 16 17:53:41 2018 +0100 Remove github from store. commit 53f887ce03aadbe865daead5923fb6dbb2e44b26 Author: Mike <email@example.com> Date: Sat Jun 16 17:51:23 2018 +0100 Edit password for test.com using vi. ...
Adding a remote
We can easily add a remote so that we can clone the repo from other devices. Note however that, although our passwords are encrypted (so without our private key they cannot be decrypted) the filenames are not encrypted so one could see the websites / services that we maintain an account.
We could use a private or a self-hosted git repository as a workaround:
$ pass git remote add origin firstname.lastname@example.org:username/private-git-repo.git
And then push our password-store to the remote:
$ pass git push origin master
Now all we have to do is import our private key (using the .asc file that we have exported) into our other device and clone the repo to start using pass and have our passwords synced!
Pass is a very simple but powerful password manager that is open source (thus free) easy to use and can keep our passwords synced across many devices. There are also some very cool pass clients and extensions that make working with pass even easier.