{"id":10545,"date":"2025-05-06T06:05:27","date_gmt":"2025-05-06T10:05:27","guid":{"rendered":"https:\/\/www.both.org\/?p=10545"},"modified":"2025-05-06T06:05:27","modified_gmt":"2025-05-06T10:05:27","slug":"standard-unix-password-manager","status":"publish","type":"post","link":"https:\/\/www.both.org\/?p=10545","title":{"rendered":"Standard UNIX password manager"},"content":{"rendered":"
\r\n
\r\n \r\n <\/i>\r\n <\/a>\r\n <\/span>\r\n<\/div><\/div>\n

The pass<\/code> command is a password manager that uses GPG encryption to keep your passwords safe, and it features several system integrations so you can use it seamlessly with your web browser of choice.<\/p>\n\n\n\n

Password management is one of those computing problems you probably don’t think about often, because modern computing usually has an obvious default solution built-in. A website prompts you for a password, and your browser auto-fills it in for you. Problem solved. However, not all browsers make it very easy to get to your passwords store, which makes it complex to migrate passwords to a new system without also migrating the rest of your user profile, or to share certain passwords between different users. There are several good open source options that offer alternatives to the obvious defaults, but as a user of Linux and UNIX, I love a minimal and stable solution when one is available.<\/p>\n\n\n\n

Install pass<\/h2>\n\n\n\n

The pass<\/code> command is provided by the PasswordStore<\/a> project. You can install it from your software repository or ports collection. For example, on Fedora:<\/p>\n\n\n\n

$ sudo dnf install pass<\/code><\/pre>\n\n\n\n
On Debian and similar:<\/p>\n\n\n\n
$ sudo apt install pass<\/code><\/pre>\n\n\n\n
Because the word pass<\/code> is common, the name of the package may vary, depending on your distribution and operating system. For example, pass<\/code> is available on Slackware and FreeBSD as password-store<\/code>.<\/p>\n\n\n\n
The pass<\/code> command is open source, so the source code is available at git.zx2c4.com\/password-store<\/a>.<\/p>\n\n\n\n
Create a GPG key<\/h2>\n\n\n\n
First, you must have a GPG key to use for encryption. You can use a key you already have, or create a new one just for your password store.<\/p>\n\n\n\n
To create a GPG key, use the gpg<\/code> command along with the --gen-key<\/code> option (if you already have a key you want to use for your password store, you can skip this step):<\/p>\n\n\n\n
$ gpg --gen-key<\/code><\/pre>\n\n\n\n
Answer the prompts to generate a key. When prompted to provide values for Real name<\/strong>, Email<\/strong>, and Comment<\/strong>, you must provide a response for each one, even though GPG allows you to leave them empty. In my experience, pass<\/code> fails to initialize when one of those values is empty. For example, here are my responses for purposes of this article:<\/p>\n\n\n\n
Real name: Tux\nEmail: tux@example.com\nComment: My first key<\/code><\/pre>\n\n\n\n
This information is combined, in a different order, to create a unique GPG ID. You can see your GPG key ID at any time:<\/p>\n\n\n\n
$ gpg --list-secret-keys | grep uid\nuid:      Tux (My first key) tux@example.com<\/code><\/pre>\n\n\n\n
Other than that, it’s safe to accept the default and recommended options for each prompt.<\/p>\n\n\n\n
In the end, you have a GPG key to serve as the master key for your password store. You must keep this key safe. Back it up, keep a copy of your GPG keyring on a secure device. Should you lose this key, you lose access to your password store.<\/p>\n\n\n\n
Initialize a password store<\/h2>\n\n\n\n
Next, you must initialize a password store on your system. When you do, you create a hidden directory where your passwords are stored, and you define which GPG key to use to encrypt passwords. To initialize a password store, use the pass init<\/code> command along with your unique GPG key ID. Using my example key:<\/p>\n\n\n\n
$ pass init \"Tux (My first key) <tux@example.com>\"<\/code><\/pre>\n\n\n\n
You can define more than one GPG key to use with your password store, should you intend to share passwords with another user or on another system using a different GPG key.<\/p>\n\n\n\n
Add and edit passwords<\/h2>\n\n\n\n
To add a password to your password store, use the pass insert<\/code> command followed by the URL (or any string) you want pass<\/code> to keep.<\/p>\n\n\n\n
$ pass insert example.org<\/code><\/pre>\n\n\n\n
Enter the password at the prompt, and then again to confirm.<\/p>\n\n\n\n
Most websites require more than just a password, and so pass<\/code> can manage additional data, like username, email, and any other field. To add extra data to a password file, use pass edit<\/code> followed by the URL or string you saved the password as:<\/p>\n\n\n\n
$ pass edit example.org<\/code><\/pre>\n\n\n\n
The first line of a password file must be the password itself. After that first line, however, you can add any additional data you want, in the format of the field name followed by a colon and then the value. For example, to save tux<\/code> as the value of the username<\/code> field on a website:<\/p>\n\n\n\n
myFakePassword123\nusername: tux<\/code><\/pre>\n\n\n\n
Some websites use an email address instead of a username:<\/p>\n\n\n\n
myFakePassword123\nemail: tux@example.com<\/code><\/pre>\n\n\n\n
A password file can contain any data you want, so you can also add important notes or one-time recovery codes, and anything else you might find useful:<\/p>\n\n\n\n
myFake;_;Password123\nemail: tux@example.com\nrecovery email: tux@example.org\nrecovery code: 03a5-1992-ee12-238c\nnote: This is your personal account, use company SSO at work<\/code><\/pre>\n\n\n\n
List passwords<\/h2>\n\n\n\n
To see all passwords in your password store:<\/p>\n\n\n\n
$ pass list\nPassword Store\n\u251c\u2500\u2500 example.com\n\u251c\u2500\u2500 example.org<\/code><\/pre>\n\n\n\n
You can also search your password store:<\/p>\n\n\n\n
$ pass find bandcamp\nSearch Terms: bandcamp\n\u2514\u2500\u2500 www.bandcamp.com<\/code><\/pre>\n\n\n\n
Integrating your password store<\/h2>\n\n\n\n
Your password store is perfectly usable from a terminal, but that’s not the only way to use it. Using extensions, you can use pass<\/code> as your web browser’s password manager.<\/p>\n\n\n\n
There are several different applications that provide a bridge between pass<\/code> and your browser. Most are listed in the CompatibleClients<\/strong> section of passwordstore.org<\/a>.<\/p>\n\n\n\n
I use PassFF<\/a>, which provides a Firefox extension<\/a>. For browsers based on Chromium, you can use Browserpass<\/a> with the Browserpass extension<\/a>.<\/p>\n\n\n\n
In both cases, the browser extension requires a “host application”, or a background bridge service to allow your browser to access the encrypted data in your password store.<\/p>\n\n\n\n
For PassFF, download the install script:<\/p>\n\n\n\n
$ wget https:\/\/codeberg.org\/PassFF\/passff-host\/releases\/download\/latest\/install_host_app.sh<\/code><\/pre>\n\n\n\n
Review the script to confirm that it’s just installing the host application, and then run it:<\/p>\n\n\n\n
$ bash .\/install_host_app.sh firefox\nPython 3 executable located at \/usr\/bin\/python3\nPass executable located at \/usr\/bin\/pass\nInstalling Firefox host config\nNative messaging host for Firefox has been installed to \/home\/tux\/.mozilla\/native-messaging-hosts.<\/code><\/pre>\n\n\n\n
Install the browser extension, and then restart your browser. When you navigate to a URL with an file in your password store, a pass<\/code> icon appears in the relevant fields. Click the icon to complete the form.<\/p>\n\n\n\n
Alternately, a pass<\/code> icon appears in your browser’s extension tray, providing a menu for direct interaction with many pass<\/code> functions (such as copying data directly to your system clipboard, or auto-filling only a specific field, and so on.)<\/p>\n\n\n\n
Password management like UNIX<\/h2>\n\n\n\n
The pass<\/code> command is extensible, and there are some great add-ons for it. Here are some of my favourites:<\/p>\n\n\n\n