pass: Unix Password Manager
About
It is no secret that keeping passwords safe has become more and more important
over the years. Enter pass, the standard unix password!
The official website is a great resource. This
post only intends to summarize the main points such that you can get started
using pass as quickly as possible.
If you have already been convinced to use pass, you can skip to
the Getting Started section. This post will walk you
through the steps
for installing, initializing, and
using pass on your machine and phone.
Why pass?
I can’t say if pass is better or worse than any other password manager out
there since this is the first and only one I’ve ever used. In case the official
website hasn’t yet conviced you to switch to pass, the following are the main
reasons why I don’t feel the need to play with any other passwords managers.
One Master Password
Similar to other password managers, with pass you have to memorize only one
password.
Git Tracker
Did you decied to update a password or your login credentials? You can easily keep track of your changes via git. Whatever changes you make on machine A, you can easily keep track of on machine B.
Note that you’ll be commiting binary .gpg files, which git doesn’t track well,
but at least you’ll have access to the latest files and organzation.
Android Client
Do you need to access an entry from your phone? You can use pass on the go!
You can easily access your sensitive information from your phone the same way
you would from your machine (more details here).
Passwords and More!
pass keeps not only your passwords organized and secure, but also the
corresponding email for the account, username, potential security questions,
etc. This is an example of what a raw entry looks like (not a real entry):
gywGY76^5;)knde8
memberID: 63546348
email: name.last@mail.com
website: https://www.website.com
Getting Started
The following instructions are for your Ubuntu/Debian system. To use pass in
other systems, refer to the official website.
Installation
Execute:
$ sudo apt install pass
Setup GPG Keys
Execute:
$ gpg --full-generate-key
After following the instructions in the prompts, you can execute $ gpg
--list-key to make sure that it was created correctly. Make note of the uid
phrase you chose, you’ll need it to initialize your password store.
Initialize
Execute the following to initialize the password store, where GPG UID is the
uid stored from above:
$ pass init [GPG UID]
Executing this command will create the ~/.password-store directory, where all
of your passwords will be stored.
Connect to git repo
Start by creating a new (local) git repository under the ~/.password-store
directory by executing:
$ pass git init
If you’d like to pair this repo with an existing one, execute the following:
$ pass git remote add origin [GIT URL]
$ cd ~/.password-store
$ git fetch -p
$ git branch password-store
$ git push origin password-store
Keep in mind that everytime you execute a pass command, it will create a new
(local) commit inside the ~/.password-store directory - within whatever branch
is being pointed at at the moment. You can then execute the following to push
the commits to the server:
$ pass git push
Using pass
Add a new entry
To create a new entry you can either generate a new password for the entry, or you can insert your own if you already have one.
To generate a password for the entry, execute the following to generate a 20
character password, where OPTIONAL DIR is an optional directory name to
provide a file structure for your password store (you can nest as many
directories as you wish), and FILENAME is the filename that pass will use to
store the password:
$ pass generate [OPTIONAL DIR]/[FILENAME] 20
Some websites don’t allow the use of symbols or special characters in the passwords. Execute the following to generate a 20 character password in FILENAME that will not contain special characters:
$ pass generate --no-symbols [OPTIONAL DIR]/[FILENAME] 20
To insert a password, execute the following:
$ pass insert [OPTIONAL DIR]/[FILENAME]
You can also edit an existing entry by generating a new password from the command line:
$ pass generate --in-place [OPTIONAL DIR]/[FILENAME] 30
When editing an entry via the command line, keep in mind that only the first row of the entry will be updated. Execute the following to edit any other information in the entry:
$ pass edit [OPTIONAL DIR]/[FILENAME]
This command will open your default text editor and you will be able to add whatever text is relevant to the corresponding entry. All this senstitive information will be maintained together in the same ecrypted file.
Access an entry
Execute the following to display the password for the provided FILENAME:
$ pass [OPTIONAL DIR]/[FILENAME]
Use in a different machine
To use the same git repo with all of your passwords in a different machine,
you’ll need to export/import the GPG key pair used to generate/insert the
passwords. Remember that you can execute $ gpg --list-key to list the
available GPG IDs available in your machine.
-
Export the GPG key pair that was generated on the original machine to the
public.keyandprivate.keyfiles by executing:$ gpg --export [GPG ID] > public.key $ gpg --export-secret-key [GPG ID] > private.key -
Copy the key pair files to the secondary machine(s) you wish to use.
-
Import the pair in the new machine(s) by executing:
$ cd /path/to/*.key $ gpg --import public.key $ gpg --import private.key -
Set the trust permissions on the new key pair by executing:
$ gpg --edit-key [GPG ID] $ gpg> trust $ "follow the prompts" $ gpg> quit
Android Client
One of the beautiful things about pass is that you can use it mobily! I use
the Android app
(called
Password Store). There
are other compatible clients in
the official website.
To use pass from your Android phone, you need to first download and install
the
OpenKeychain app
to hold your gpg key. This will allow the Password Store app to decrypt your
pass
entries. Follow
these steps to
export your gpg key from your computer to your phone.
Feel free to drop whatever questions you may have in the comments.