pass password-store — Password manager
I use PASS multiple times a day and it never fails me. If you're looking for a secure offline password manager, look no further. Add a GIT repository and it's fantastic. Add a GUI, QtPass. Also, OTP TOTP and 2FA are possible directly in the command line.
Everyone needs a password manager, even those of us who live in the world of CLI and TUI, maybe even more so. We require a safe place for all our passwords, of course, but also for keys and registration info of various sizes and types.
Pass is an easy-to-use and lightweight password store that keeps passwords inside gpg2-encrypted files in a directory, ~/.password-store. Using pass the user can add, remove, edit, synchronize, generate, and manipulate passwords and other secrets like tokens and multi-line login data. It's basically a shell script.
Pass is capable of copying passwords to your clipboard and tracking password changes using git.
The community has produced GUIs, importers and extensions for pass.
Examples
Show the list of entries in the password store by issuing the command pass
How to show a password
$ pass Email/casaursus.net
sup3r$tr0ng4ndC0mplicat3dPa$$w0rd=a_JOKE
How to copy a password to clipboard
$ pass -c Email/casaursus.net
Copied Email/[email protected] to clipboard. Will clear in 45 seconds.
Install pass
We can use pass alone, but adding a git repository (GitLab, GitHub, Bitbucket … or a self-hosted git server) makes it far more useful.
Debian based
sudo apt update && sudo apt install pass
Homebrew
brew install pass
Generate a GPG key
You need to create a GPG key if you do not already have one:
gpg --expert --pinentry-mode=loopback --full-gen-key
- Choose option 9, ECC and ECC,
- Choose option 1, Curve 25519,
- Enter an expiry, e.g. 3y (valid for 3 years; 0 means the key never expires); shorter is better,
- Enter your name and email (or any email), but no comment,
- Add a passphrase to secure the key pair.
Initialize
You will need that passphrase to open your store.
Initialize using GIT
pass git init
see this link for details.
This gives the usual benefits of git: the repository can stay local, or it can be linked to a remote and stored off site on GitHub/GitLab … if you don't self-host a git service.
You may want to add completion (bash/fish/zsh) from this location.
How to use pass
The main use cases are listed, but for more information see the documentation. Password is used here as a general term for what we have in the store.
List
List passwords and other stored info: pass ls
Add
Add a password: pass insert Sites/example.com
Add to a subdirectory: pass insert -m API/pypi
Add a multi-line entry: pass insert -m snippet
Edit
Insert a new password, or edit an existing one, using your editor: pass edit special
Show or Copy a password
Show a password: pass Sites/example.com
Copy it to the clipboard: pass -c Sites/example.com
Remove
Delete an entry: pass rm Sites/example.com
Generate
Generate a password: pass generate Sites/anothersite.org
Generate and copy to the clipboard: pass generate -c Sites/anothersite123.org
Git
Run git commands with: pass git <command>
Find
pass search Site1
pass find token
Move
pass mv API/token Site1/API/token
Copy
pass cp Site1/password Site2/password
Grep
pass grep "email:"
Use pass with GIT
Create a git powered password store
Type pass init <your key> and then pass git init, and you have all the benefits of a local git repository, e.g., if you delete the wrong password you can restore it.
Use a remote GIT repository
This is an easy way of getting our passwords and tokens backed up, but also a tool to copy our password store to a new device.
Type pass git remote add origin [email protected]:example.com/pw-store.git
Use the correct address for your GIT remote site.
Then push it with: pass git push origin main
Clone the password-store to a new machine
On the new machine, clone the git repository into a hidden directory, and we have the GPG-encrypted passwords on the new machine too.
- Use
git clone [email protected]:example.com/pw-store.git .password-store
We also need the GPG key pair on the new machine.
- On the original machine, create a directory for the exported files
mkdir -p export/keys && cd export/keys
and export both parts of the key pair into it
gpg --output public.pgp --armor --export <[email protected]>
gpg --output private.pgp --armor --export-secret-key <[email protected]>
(it will ask for the passphrase).
- Check for success by typing
ls
; the output should be: private.pgp public.pgp
- On the new machine
scp -r me@mypc:export/keys .
cd export/keys
gpg --import private.pgp
(it will ask for the passphrase)
gpg --import public.pgp
- To be able to encrypt new passwords, you need to edit the trust level
gpg --edit-key [email protected]
- Type
trust
and choose the maximum value, 5.
Remove the exported key files from both machines once the import has succeeded.
Change Expire Date for a GPG-key
List the keys with gpg -K (--list-secret-keys) and copy the ID of the key you want to change.
Edit that key with gpg --edit-key <key>, and:
- type
expire
- enter your time: 0 = never expires, <n>y for a number of years
- then save by typing
save
.
See the man page for full details.
Pass in your workflow
Pass is superb when integrated into our workflow.
Logging into a remote server/service
Using an alias (note the single quotes, so pass is queried each time the alias runs rather than once when it is defined): alias cus='ACCESS_KEY_ID=$(pass show cu/cus/access-id) SECRET_KEY=$(pass show cu/cus/token) cus'
Now I can run a custom service, “cus”, with cus run [email protected]
Using export
When using tokens you do not want them in your shell history, for security reasons, so read them from the store instead of typing them: export SERVER_TOKEN=$(pass show servers/api/token)
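As an added example that is not part of the original post, this POSIX sh helper generalises the alias and export patterns above: it reads pass entries and hands them to a single command as environment variables, so the secret is never typed on the command line, never lands in the history, and is not left exported in the parent shell. The pass function at the top is a constructed stub so the example runs offline; delete it to use the real store.

```shell
#!/bin/sh
# Added example (not code from the original post): run ONE command with
# secrets read from pass instead of exporting them into the parent shell.
#
# Assumption: the stub "pass" below stands in for the real binary and
# returns constructed values; remove it to use the real password store.
pass() {
    case "$2" in
        cu/cus/access-id) echo "AKIA-CONSTRUCTED-ID" ;;
        cu/cus/token)     printf 'constructed-secret-token\nurl: https://cus.example\n' ;;
        *) echo "Error: $2 is not in the password store." >&2; return 1 ;;
    esac
}

# with_secrets NAME=ENTRY [NAME=ENTRY ...] -- COMMAND [ARGS...]
# Reads the first line of each pass entry (the password) and passes it to
# COMMAND as the environment variable NAME. Fails if an entry is missing.
with_secrets() {
    n=0
    while [ $# -gt 0 ] && [ "$1" != "--" ]; do
        name=${1%%=*}
        entry=${1#*=}
        value=$(pass show "$entry") || return $?
        value=$(printf '%s\n' "$value" | head -n 1)   # password is line 1
        set -- "$@" "$name=$value"                     # queue the assignment
        n=$((n + 1))
        shift
    done
    [ "$1" = "--" ] || { echo "usage: with_secrets NAME=ENTRY ... -- CMD" >&2; return 2; }
    shift
    # Positional parameters are now: COMMAND ARGS... NAME=VALUE...
    # Rotate the command words to the back so env sees NAME=VALUE... COMMAND ARGS...
    c=$(($# - n))
    while [ "$c" -gt 0 ]; do
        set -- "$@" "$1"
        shift
        c=$((c - 1))
    done
    env "$@"
}

# The post's "cus" service, with sh standing in for cus:
with_secrets ACCESS_KEY_ID=cu/cus/access-id SECRET_KEY=cu/cus/token -- \
    sh -c 'echo "cus would run with key $ACCESS_KEY_ID"'
```

After the call the variables are not set in the calling shell, and running alias or history shows only the entry names, never the values.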
Useful add-ons
You might like to add these.
My usage includes OTP for 2FA using TOTP codes, from the CLI or piped into other commands or applications. You can include these features in a script; they are just commands.
Pass-OTP
A pass extension for managing one-time-password (OTP) tokens.
Install
- On Debian:
sudo apt update && sudo apt -y install pass-extension-otp
- On macOS, Homebrew:
brew install pass-otp
- Browser support: passff >= 1.6.0 supports using pass-otp to fill login forms (see the PassFF section below).
👍 Pass-OTP is one of the tools I use daily. I use ZBar to read various QR-codes.
OATHtool
Generate and validate OATH one-time passwords. KEY and OTP are the string '-' to read from standard input, '@FILE' to read from the indicated filename, or a hex-encoded value (not recommended on multi-user systems).
Install
- Debian based
sudo apt install oathtool gnupg2
- macOS, Homebrew
brew install oath-toolkit
PassFF
The zx2c4 pass management extension for Firefox. (Pending Chrome port.) This extension allows you to access your zx2c4 pass repository directly from your web browser. You can select to automatically fill and submit login forms if a matching password entry is found.
Install
An official signed version can be found on the Mozilla add-on page.
👍 PassFF is one of the tools I use daily.
ZBar
ZBar Bar Code Reader is an open source software suite for reading bar codes from various sources, such as video streams, image files and raw intensity sensors. It supports EAN-13/UPC-A, UPC-E, EAN-8, Code 128, Code 93, Code 39, Codabar, Interleaved 2 of 5, QR Code and SQ Code.
Install
- On Debian:
sudo apt update && sudo apt -y install zbar-tools
- On macOS, Homebrew:
brew install zbar
Using it
Download your QR-code and type
zbarimg -q my_qr.png
to read it in clear text.
Using it with pass and OTP:
- Type
pass otp insert my_service
- Copy the output of the previous command, the line starting with
otpauth://...
- Paste it when asked to
Enter otpauth:// URI for my_service:
- and paste it again when asked to
Retype otpauth:// URI for my_service:
and you are clear to go.
Generate a TOTP code
- Type
pass otp my_service
and you will get a 6-digit code as output.
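As an added example (not code from the original post or from pass-otp), this POSIX sh function sanity-checks the otpauth:// URI that zbarimg decoded from a QR code before it is pasted into pass otp insert: it confirms the scheme is totp or hotp, extracts the label, requires a base32 secret of at least 16 characters, and requires a counter for HOTP. The URI in the usage line is constructed; the checks and thresholds are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post or pass-otp): check an
# otpauth:// URI before storing it. Prints "<type> <label>" and returns 0
# when usable; otherwise explains the problem on stderr and returns 1.
otpauth_check() {
    uri=$1
    case $uri in
        otpauth://totp/*) type=totp ;;
        otpauth://hotp/*) type=hotp ;;
        *) echo "not an otpauth://totp or otpauth://hotp URI" >&2; return 1 ;;
    esac
    rest=${uri#otpauth://*/}          # label?query
    label=${rest%%\?*}
    query=${rest#*\?}
    if [ -z "$label" ] || [ "$query" = "$rest" ]; then
        echo "missing label or query string" >&2; return 1
    fi
    secret=""; counter=""
    q=$query
    while [ -n "$q" ]; do             # walk key=value pairs split on &
        kv=${q%%&*}
        case $kv in
            secret=*)  secret=${kv#secret=} ;;
            counter=*) counter=${kv#counter=} ;;
        esac
        [ "$q" = "$kv" ] && break
        q=${q#*&}
    done
    # RFC 4648 base32 alphabet only; 16 chars = 80 bits is this example's floor
    case $secret in
        ''|*[!A-Z2-7=]*) echo "secret missing or not base32" >&2; return 1 ;;
    esac
    if [ ${#secret} -lt 16 ]; then
        echo "secret is shorter than 80 bits" >&2; return 1
    fi
    if [ "$type" = hotp ] && [ -z "$counter" ]; then
        echo "hotp URI without a counter" >&2; return 1
    fi
    echo "$type $label"
}

# Constructed URI for illustration. With a real QR code:
#   otpauth_check "$(zbarimg -q --raw my_qr.png)" && pass otp insert my_service
otpauth_check 'otpauth://totp/Example:me@example.com?secret=JBSWY3DPEHPK3PXP&issuer=Example'
```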
👍 ZBar is one of the tools I use.
PAM-GnuPG
Unlock GnuPG keys on login with a PAM module that hands your login password to gpg-agent. This can be useful if you are using a GnuPG-based password manager like pass.
⚠️ Your store will automatically be opened at login ⚠️.
You need to turn on automatic screen locking to compensate for that.
Requires GnuPG 2.1, and probably only works on Linux.
QtPass — GUI
I often use a GUI, QtPass, a cross-platform app for Linux, macOS and Windows.
QtPass is a multi-platform GUI for pass, the standard Unix password manager.
Install
- On Debian:
sudo apt update && sudo apt -y install qtpass
- Install from the homepage
- Edit the settings: password length, how to use pass, the OTP extension, git …
References
[1] pass: homepage, getting started, GitHub, extensions section, clients section, import section, man page
[2] pass-otp
[3] QtPass GUI: homepage and install for macOS and Windows, GitHub, docs
[4] passff: PassFF can be configured to autofill and auto-submit login forms when a matching password entry is found. GitHub, download page
[5] OATHtool
[6] PAM-GnuPG
[7] ZBar