Standard UNIX password manager


The pass command is a password manager that uses GPG encryption to keep your passwords safe, and it features several system integrations so you can use it seamlessly with your web browser of choice.

Password management is one of those computing problems you probably don’t think about often, because modern computing usually has an obvious default solution built in. A website prompts you for a password, and your browser auto-fills it for you. Problem solved. However, not all browsers make it easy to get at your password store, which makes it hard to migrate passwords to a new system without also migrating the rest of your user profile, or to share certain passwords between different users. There are several good open source options that offer alternatives to the obvious defaults, but as a user of Linux and UNIX, I love a minimal and stable solution when one is available.

Install pass

The pass command is provided by the PasswordStore project. You can install it from your software repository or ports collection. For example, on Fedora:

$ sudo dnf install pass

On Debian and similar:

$ sudo apt install pass

Because the word pass is common, the name of the package may vary, depending on your distribution and operating system. For example, pass is available on Slackware and FreeBSD as password-store.

The pass command is open source, so the source code is available at git.zx2c4.com/password-store.

Create a GPG key

First, you must have a GPG key to use for encryption. You can use a key you already have, or create a new one just for your password store.

To create a GPG key, use the gpg command along with the --gen-key option (if you already have a key you want to use for your password store, you can skip this step):

$ gpg --gen-key

Answer the prompts to generate a key. When prompted to provide values for Real name, Email, and Comment, you must provide a response for each one, even though GPG allows you to leave them empty. In my experience, pass fails to initialize when one of those values is empty. For example, here are my responses for purposes of this article:

Real name: Tux
Email: tux@example.com
Comment: My first key

This information is combined, in a different order, to create a unique GPG ID. You can see your GPG key ID at any time:

$ gpg --list-secret-keys | grep uid
uid           Tux (My first key) <tux@example.com>

Other than that, it’s safe to accept the default and recommended options for each prompt.

In the end, you have a GPG key to serve as the master key for your password store. You must keep this key safe: back it up, and keep a copy of your GPG keyring on a secure device. Should you lose this key, you lose access to your password store.

Initialize a password store

Next, you must initialize a password store on your system. When you do, you create a hidden directory where your passwords are stored, and you define which GPG key to use to encrypt passwords. To initialize a password store, use the pass init command along with your unique GPG key ID. Using my example key:

$ pass init "Tux (My first key) <tux@example.com>"

You can define more than one GPG key to use with your password store, should you intend to share passwords with another user or on another system using a different GPG key.

Add and edit passwords

To add a password to your password store, use the pass insert command followed by the URL (or any string) you want pass to keep.

$ pass insert example.org

Enter the password at the prompt, and then again to confirm.

Most websites require more than just a password, so pass can manage additional data, like username, email, and any other field. To add extra data to a password file, use pass edit followed by the URL or string you saved the password as:

$ pass edit example.org

The first line of a password file must be the password itself. After that first line, however, you can add any additional data you want, in the format of the field name followed by a colon and then the value. For example, to save tux as the value of the username field on a website:

myFakePassword123
username: tux

Some websites use an email address instead of a username:

myFakePassword123
email: tux@example.com

A password file can contain any data you want, so you can also add important notes or one-time recovery codes, and anything else you might find useful:

myFake;_;Password123
email: tux@example.com
recovery email: tux@example.org
recovery code: 03a5-1992-ee12-238c
note: This is your personal account, use company SSO at work
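A small parser for the entry format described above, as an added example (not code from the pass project): the first line is always the password, later lines are split into fields on their first colon, and lines without a field name are kept as free-text notes. The sample entry is constructed to match the one shown above; load_entry assumes pass and your GPG key are available.

```python
# Added example (not part of pass): parse a decrypted password-store entry.
# Format: line 1 is the password; later lines are free text, by convention
# "field name: value". Names may contain spaces, values may contain colons.
import subprocess
from typing import Dict, List, Tuple

# Constructed sample, matching the entry shown in the article.
SAMPLE_ENTRY = """myFake;_;Password123
email: tux@example.com
recovery email: tux@example.org
recovery code: 03a5-1992-ee12-238c
note: This is your personal account, use company SSO at work
"""


def parse_entry(text: str) -> Tuple[str, Dict[str, str], List[str]]:
    """Return (password, fields, other_lines) for one entry."""
    lines = text.splitlines()
    if not lines:
        raise ValueError("empty entry: the first line must be the password")
    password = lines[0]  # never treated as a field, even if it contains ':'
    fields: Dict[str, str] = {}
    other: List[str] = []
    for line in lines[1:]:
        if not line.strip():
            continue
        key, sep, value = line.partition(":")  # split on the FIRST colon only
        if sep and key.strip():
            fields[key.strip().lower()] = value.strip()  # case-insensitive key
        else:
            other.append(line)  # a note without "key:" is kept verbatim
    return password, fields, other


def login_for(fields: Dict[str, str]) -> str:
    """Sites use either a username or an email as the login name."""
    for key in ("username", "login", "email"):
        if key in fields:
            return fields[key]
    raise KeyError("entry has no username/login/email field")


def load_entry(name: str) -> Tuple[str, Dict[str, str], List[str]]:
    """Decrypt with `pass show NAME` (requires pass and your GPG key)."""
    result = subprocess.run(["pass", "show", name], check=True,
                            capture_output=True, text=True)
    return parse_entry(result.stdout)
```

Call load_entry("example.org") to parse a real entry from your store; parse_entry alone works on any decrypted text, so it can be tested without GPG.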

List passwords

To see all passwords in your password store:

$ pass list
Password Store
├── example.com
└── example.org

You can also search your password store:

$ pass find bandcamp
Search Terms: bandcamp
└── www.bandcamp.com

Integrating your password store

Your password store is perfectly usable from a terminal, but that’s not the only way to use it. Using extensions, you can use pass as your web browser’s password manager.

There are several different applications that provide a bridge between pass and your browser. Most are listed in the CompatibleClients section of passwordstore.org.

I use PassFF, which provides a Firefox extension. For browsers based on Chromium, you can use Browserpass with the Browserpass extension.

In both cases, the browser extension requires a “host application”: a background bridge service that lets your browser access the encrypted data in your password store.

For PassFF, download the install script:

$ wget https://codeberg.org/PassFF/passff-host/releases/download/latest/install_host_app.sh

Review the script to confirm that it’s just installing the host application, and then run it:

$ bash ./install_host_app.sh firefox
Python 3 executable located at /usr/bin/python3
Pass executable located at /usr/bin/pass
Installing Firefox host config
Native messaging host for Firefox has been installed to /home/tux/.mozilla/native-messaging-hosts.

Install the browser extension, and then restart your browser. When you navigate to a URL that has a file in your password store, a pass icon appears in the relevant fields. Click the icon to complete the form.

Alternatively, a pass icon appears in your browser’s extension tray, providing a menu for direct interaction with many pass functions (such as copying data directly to your system clipboard, auto-filling only a specific field, and so on).

Password management like UNIX

The pass command is extensible, and there are some great add-ons for it. Here are some of my favourites:

  • pass-otp: Add one-time password (OTP) functionality.
  • pass-update: Add an easy workflow for updating passwords that you frequently change.
  • pass-import: Import passwords from chrome, 1password, bitwarden, apple-keychain, gnome-keyring, keepass, lastpass, and many more (including pass itself, in the event you want to migrate a password store).

The pass command and the password store system are a comfortably UNIX-like password management solution. It stores your passwords as text files in a format that doesn’t even require you to have pass installed for access. As long as you have your GPG key, you can access and use the data in your password store. You own your data not only in the sense that it’s local, but also in that you decide how you interact with it. You can sync your password stores between different machines using rsync or syncthing, or even back up the store to cloud storage. It’s encrypted, and only you have the key.
