HPR4377: Password store and the pass command
This show has been flagged as Clean by the host.
Standard UNIX password manager
Password management is one of those computing problems you
probably don't think about often, because modern computing usually
has an obvious default solution built-in.
A website prompts you for a password, and your browser auto-fills
it in for you.
Problem solved.
However, not all browsers make it easy to get at the password store
itself, which makes it awkward to migrate passwords to a new system
without also migrating the rest of your user profile, or to share
certain passwords between different users.
There are several good open source options that offer
alternatives to the obvious defaults, but as a user of Linux and
UNIX, I love a minimal and stable solution when one is available.
The pass command is a password manager that uses
GPG encryption to keep your passwords safe, and it features
several system integrations so you can use it seamlessly with your
web browser of choice.
Install pass
The pass command is provided by the PasswordStore project.
You can install it from your software repository or ports
collection.
For example, on Fedora:
$ sudo dnf install pass
On Debian and similar:
$ sudo apt install pass
Because the word pass is common, the name of the
package may vary, depending on your distribution and operating
system.
For example, pass is available on Slackware and
FreeBSD as password-store.
The pass command is open source, so the source code
is available at git.zx2c4.com/password-store.
Create a GPG key
First, you must have a GPG key to use for encryption.
You can use a key you already have, or create a new one just for
your password store.
To create a GPG key, use the gpg command along with
the --gen-key option (if you already have a key you
want to use for your password store, you can skip this step):
$ gpg --gen-key
Answer the prompts to generate a key.
When prompted to provide values for Real name,
Email, and Comment, you must
provide a response for each one, even though GPG allows you to
leave them empty.
In my experience, pass fails to initialize when one
of those values is empty.
For example, here are my responses for purposes of this article:
Real name: Tux
Email: tux@example.com
Comment: My first key
GPG combines this information, in a different order, into the key's
user ID, in the form Real name (Comment) <Email>.
That is the name you will usually refer to the key by, but it is not
guaranteed to be unique; the key's fingerprint (the 40-character hex
string printed just above the uid line if you drop the grep below) is,
and either form is accepted wherever a GPG key ID is asked for later.
You can see your GPG key ID at any time:
$ gpg --list-secret-keys | grep uid
uid           [ultimate] Tux (My first key) <tux@example.com>
Other than that, it's safe to accept the default and recommended
options for each prompt.
In the end, you have a GPG key to serve as the master key for
your password store.
You must keep this key safe.
Back it up: keep a copy of your GPG keyring, together with the
passphrase that protects it, on a secure device other than the
computer running the store.
Should you lose this key, you lose access to your password store,
because every entry is encrypted to it and to nothing else.
Initialize a password store
Next, you must initialize a password store on your system.
When you do, you create a hidden directory where your passwords
are stored, and you define which GPG key to use to encrypt
passwords.
To initialize a password store, use the pass init
command along with your GPG key ID (the user ID or the fingerprint).
Using my example key:
$ pass init "Tux (My first key) <tux@example.com>"
You can give pass init more than one GPG key, should you intend to
share passwords with another user or use the store on another system
with a different GPG key.
Each entry is then encrypted to every key listed, and running pass
init again with a changed list re-encrypts the existing entries to
match.
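Where those key IDs live, and how an entry picks them up, is worth knowing before you share a store. pass init writes the IDs, one per line, to a .gpg-id file at the store root; pass init -p SUBDIR writes a .gpg-id inside that subdirectory instead, and each entry is encrypted to every ID in the nearest .gpg-id found by walking up from the entry towards the root. The script below is an added example, not code from the pass project: it recreates that lookup rule over a constructed store (metadata files only, no gpg needed) whose key IDs are made up, and audits which keys every entry should be encrypted to.

```shell
#!/bin/sh
# Added example, not part of pass itself: recreate how pass chooses the
# recipients for an entry from the nearest .gpg-id, and audit a store with it.
# The store layout and the key IDs below are constructed for the demo.
set -eu

# Constructed store: the root is mine alone, team/ is shared with a second
# key, as `pass init -p team tux@example.com alice@example.com` would leave it.
make_store() {
    root=$(mktemp -d)
    mkdir -p "$root/team/vpn" "$root/personal"
    printf '%s\n' 'tux@example.com' > "$root/.gpg-id"
    printf '%s\n' 'tux@example.com' 'alice@example.com' > "$root/team/.gpg-id"
    : > "$root/team/vpn/office.gpg"
    : > "$root/personal/bank.gpg"
    printf '%s\n' "$root"
}

# Print the key IDs governing ENTRY (e.g. team/vpn/office) in STORE, one per
# line; exit 1 if no .gpg-id exists, which is the state before `pass init`.
recipients_for() {
    store=$1
    dir="$store/$(dirname "$2")"
    while :; do
        if [ -f "$dir/.gpg-id" ]; then
            grep -v '^[[:space:]]*$' "$dir/.gpg-id"   # skip blank lines, as pass does
            return 0
        fi
        [ "$dir" != "$store" ] || break                # reached the store root
        dir=$(dirname "$dir")
    done
    echo "no .gpg-id above $2; run pass init first" >&2
    return 1
}

# Audit: list every entry with the keys it should be encrypted to. An
# unexpected key here is a key you did not mean to share with; a missing
# key means that collaborator cannot decrypt the entry.
audit_store() {
    store=$1
    find "$store" -name '*.gpg' | sort | while IFS= read -r path; do
        rel=${path#"$store/"}
        rel=${rel%.gpg}
        printf '%s: %s\n' "$rel" "$(recipients_for "$store" "$rel" | tr '\n' ' ' | sed 's/ $//')"
    done
}

s=$(make_store)
audit_store "$s"
rm -rf "$s"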
Add and edit passwords
To add a password to your password store, use the pass
insert command followed by the URL (or any string) you
want pass to keep.
$ pass insert example.org
Enter the password at the prompt, and then again to confirm.
Most websites require more than just a password, and so pass
can manage additional data, like username, email, and any other
field.
To add extra data to a password file, use pass edit
followed by the URL or string you saved the password as:
$ pass edit example.org
The first line of a password file must be the password itself.
After that first line, however, you can add any additional data
you want, in the format of the field name followed by a colon and
then the value.
For example, to save tux as the value of the username
field on a website:
myFakePassword123
username: tux
Some websites use an email address instead of a username:
myFakePassword123
email: tux@example.com
A password file can contain any data you want, so you can also
add important notes or one-time recovery codes, and anything else
you might find useful:
myFake;_;Password123
email: tux@example.com
recovery email: tux@example.org
recovery code: 03a5-1992-ee12-238c
note: This is your personal account, use company SSO at work
List passwords
To see all passwords in your password store:
$ pass list
Password Store
├── example.com
└── example.org
You can also search your password store:
$ pass find bandcamp
Search Terms: bandcamp
└── www.bandcamp.com
Integrating your password store
Your password store is perfectly usable from a terminal, but
that's not the only way to use it.
Using extensions, you can use pass as your web
browser's password manager.
There are several different applications that provide a bridge
between pass and your browser.
Most are listed in the CompatibleClients
section of passwordstore.org.
I use PassFF,
which provides a Firefox
extension.
For browsers based on Chromium, you can use Browserpass
with the Browserpass
extension.
In both cases, the browser extension requires a "host
application", or a background bridge service to allow your browser
to access the encrypted data in your password store.
For PassFF, download the install script:
$ wget https://codeberg.org/PassFF/passff-host/releases/download/latest/install_host_app.sh
Review the script to confirm that it's just installing the host
application, and then run it:
$ bash ./install_host_app.sh firefox
Python 3 executable located at /usr/bin/python3
Pass executable located at /usr/bin/pass
Installing Firefox host config
Native messaging host for Firefox has been installed to /home/tux/.mozilla/native-messaging-hosts.
Install the browser extension, and then restart your browser.
When you navigate to a URL that matches an entry in your password
store, a pass icon appears in the relevant fields.
Click the icon to complete the form.
Alternatively, a pass icon appears in your browser's
extension tray, providing a menu for direct interaction with many
pass functions (such as copying data directly to your
system clipboard, or auto-filling only a specific field, and so
on).
Password management like UNIX
The pass command is extensible, and there are some
great add-ons for it.
Here are some of my favourites:
pass-otp:
Add one-time password (OTP) functionality.
pass-update:
Add an easy workflow for updating passwords that you
frequently change.
pass-import:
Import passwords from chrome, 1password, bitwarden,
apple-keychain, gnome-keyring, keepass, lastpass, and many
more (including pass itself, in the event you
want to migrate a password store).
The pass command and the password store system are a
comfortably UNIX-like password management solution.
It stores your passwords as GPG-encrypted text files, so you don't
even need pass installed to read them.
As long as you have your GPG key, you can access and use the data
in your password store.
You own your data not only in the sense that it's local, but you
have ownership of how you interact with it.
You can sync your password stores between different machines
using rsync or syncthing, or even back up the store to cloud
storage.
The contents are encrypted, and only you have the key.
Only the contents, though: the entry names are file names, visible
to anyone who can see the store, so keep that in mind when choosing
where to sync it.