pass password-store — Password manager

I use pass multiple times a day and it never fails me. If you're looking for a secure offline password manager, look no further. Add a git repository and it's fantastic. Add a GUI, QtPass. OTP (TOTP) codes for 2FA are also available directly from the command line.


Everyone needs a password manager, even those of us who live in the world of CLI and TUI, maybe even more so. We need a safe place for all our passwords, of course, but also for keys and registration info of various sizes and types.

Pass is an easy-to-use and lightweight password store that keeps passwords inside gpg2-encrypted files in a directory, ~/.password-store. Using pass the user can add, remove, edit, synchronize, generate, and manipulate passwords and other secrets like tokens and multi-line login data. It's basically a shell script.

Pass is capable of copying passwords to your clipboard and tracking password changes using git.

The community has produced GUIs, importers and extensions for pass.

Examples

Show the contents of the password store by issuing the command pass

Password Store
├── Business
│   ├── my-business-site.com
│   └── other-site.net
├── Email
│   ├── casaursus.net
│   └── gmail.com
├── PVE
│   ├── Pve1
│   │   └── token
│   ├── Pve2
│   │   └── token
│   └── Pve3
│       └── token
└── boss
    ├── bank
    ├── email
    └── login

Output from issuing pass

How to show a password (the first line of the entry is the password itself)

$ pass Email/casaursus.net
sup3r$tr0ng4ndC0mplicat3dPa$$w0rd=a_JOKE

How to copy a password to the clipboard

$ pass -c Email/casaursus.net
Copied Email/[email protected] to clipboard. Will clear in 45 seconds.

Install pass

We can use pass alone, but adding a git repository (GitLab, GitHub, Bitbucket … or a self-hosted git server) makes it far more useful.

Debian based

sudo apt update && sudo apt install pass

Homebrew

brew install pass

Generate a GPG key

You need to create a GPG key if you do not already have one:

gpg --expert --pinentry-mode=loopback --full-gen-key
    • Choose option 9, ECC and ECC (sign and encrypt),
    • Choose option 1, Curve 25519,
    • Enter an expiry, e.g., 3y (valid for 3 years; 0 = never expires); shorter is better
    • Enter your name and email (or any email), but no comment
    • Add a passphrase to secure the key pair

Initialize

pass init "[email protected]"

Local storage only. This readies your store for use.

mkdir: created directory ‘/home/user/.password-store’
Password store initialized for [email protected].

Typical output

You will need the passphrase of that GPG key to open your store.

Initialize using GIT

For pass git, see the link in the references for details.
It gives you all the benefits git does: the repository can stay local, or be linked to a remote and stored off site on GitHub/GitLab … if you don't self-host a git service.

You may want to add completion (bash/fish/zsh) from this location.

How to use pass

The main use cases are listed here; for more information see the documentation. "Password" is used as a general term for whatever we keep in the store.

List

List passwords and other stored info: pass ls

Add

Adding a password pass insert Sites/example.com
Add to a subdirectory pass insert -m API/pypi
Add a multiline thing pass insert -m snippet

Edit

Insert a new or edit a password using your editor pass edit special

Show or Copy a password

Show password pass Sites/example.com
Copy to clipboard pass -c Sites/example.com

Remove

Delete entry pass rm Sites/example.com

Generate

Generate a password pass generate Sites/anothersite.org
Generate and add to clipboard pass generate -c Sites/anothersite123.org

Git

Running GIT commands use pass git <command>

Find

pass search Site1
pass find token

Move

pass mv API/token Site1/API/token

Copy

pass cp Site1/password Site2/password

Grep

pass grep "email:"

Use pass with GIT

Create a git powered password store

Type pass init <your key> and then pass git init, and you have all the benefits of a local git repository, e.g., if you delete the wrong password you can restore it.

Use a remote GIT repository

This is an easy way of getting our passwords and tokens backed up, and also the tool for copying our password store to a new device.

Type pass git remote add origin [email protected]:example.com/pw-store.git
Use the correct address for your GIT remote site.

Then you can push it with pass git push origin main

Clone the password-store to a new machine

On the new machine, clone the git repository into ~/.password-store, and we have the GPG-encrypted passwords on the new machine too.

To decrypt them we also need the GPG key pair on the new machine.

  • On the original machine, export the files
    • mkdir -p export/keys && cd export/keys and export both parts to it
    • gpg --output public.pgp --armor --export <[email protected]>
    • gpg --output private.pgp --armor --export-secret-key <[email protected]> it will ask for the passphrase.
    • check for success: type ls, the output should be private.pgp public.pgp
  • On the new machine
    • scp -r me@mypc:export/keys .
    • cd export/keys
    • gpg --import private.pgp it will ask for the passphrase
    • gpg --import public.pgp
    • To be able to encrypt new passwords, you need to edit the trust level of the imported key
    • gpg --edit-key [email protected]
    • type trust and choose the maximum value, 5 (ultimate)

Change Expire Date for a GPG-key

List the keys with gpg -K (--list-secret-keys) and copy the ID of the key you want to change.

Edit that key with gpg --edit-key <key>, and:

    • type expire
    • type your time: 0 = never expires, <n>y for a number of years
    • then save by typing save.

See the man page for full details.

Pass in your workflow

Pass is superb when integrated into our workflow.

Logging into a remote server/service

Using an alias, in single quotes so that pass is run each time the alias is used rather than once when it is defined (with double quotes the shell expands $(pass show …) at definition time and the secrets end up in the alias text itself): alias cus='ACCESS_KEY_ID=$(pass show cu/cus/access-id) SECRET_KEY=$(pass show cu/cus/token) cus'

Now I can run a custom service, "cus", by cus run [email protected]

Using export

When using tokens you do not want them in your shell history, for security reasons. With
export SERVER_TOKEN=$(pass show servers/api/token)
the history only records the path in the store, never the token itself. Remember that an exported variable is inherited by every process started from that shell.
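The alias and export tricks above hand a secret to a program through its environment. The same pattern in a script, as an added Python example (not code from the original post): the secret is fetched from pass only when the command runs, lands in that one child's environment rather than on its command line, and the fetch function is pluggable. It assumes pass is installed only for the default pass_show helper; the demo at the bottom uses a constructed fake store, so it runs offline.

```python
"""Added example (not from the original post): run a program with secrets taken from
pass at call time and delivered only through that one child's environment.
Assumes pass is installed only for the default pass_show helper; the demo at the
bottom uses a constructed fake store so it runs offline."""
import os
import subprocess
import sys
from typing import Callable, Mapping, Sequence


def pass_show(entry: str) -> str:
    """First line of a pass entry, i.e. the password/token line `pass show entry` prints."""
    out = subprocess.run(["pass", "show", entry], check=True,
                         capture_output=True, text=True).stdout
    return out.splitlines()[0] if out else ""


def run_with_secrets(cmd: Sequence[str], secrets: Mapping[str, str],
                     fetch: Callable[[str], str] = pass_show) -> subprocess.CompletedProcess:
    """secrets maps ENV_NAME -> path in the store.  Each value is fetched now (not when this
    function was defined, unlike a double-quoted alias), placed in a copy of the environment
    for this child only, and never appears in argv or shell history.  The parent's
    os.environ is left untouched."""
    env = dict(os.environ)
    for var, entry in secrets.items():
        env[var] = fetch(entry)
    return subprocess.run(list(cmd), env=env, capture_output=True, text=True)


# Constructed fake store for the offline demo; pass fetch=pass_show to use the real one.
FAKE_STORE = {"servers/api/token": "constructed-token-not-real",
              "cu/cus/access-id": "constructed-access-id"}


def fake_show(entry: str) -> str:
    return FAKE_STORE[entry]


# A child that only echoes the variable back, standing in for the real client (cus, curl, ...).
ECHO_TOKEN = [sys.executable, "-c", "import os; print(os.environ['SERVER_TOKEN'], end='')"]


def demo() -> tuple:
    """Run the offline demo; returns (what the child saw, whether the parent env was touched)."""
    result = run_with_secrets(ECHO_TOKEN, {"SERVER_TOKEN": "servers/api/token"}, fetch=fake_show)
    return result.stdout, "SERVER_TOKEN" in os.environ


if __name__ == "__main__":
    seen, leaked = demo()
    print("child saw:", seen)
    print("parent environment still has SERVER_TOKEN:", leaked)
```

The environment is still visible to anything that can read the child's /proc/<pid>/environ, so this narrows exposure to one process; it does not hide the secret from the user account running it.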


Useful add-ons

You might like to add these.

My usage includes OTP for 2FA using TOTP codes, from the CLI or piped into other commands or applications. You can include these features in a script; they are just commands.


Pass-OTP

A pass extension for managing one-time-password (OTP) tokens.

Install

  • On Debian: sudo apt update && sudo apt -y install pass-extension-otp
  • On macOS, Homebrew: brew install pass-otp
  • Browser support: passff >= 1.6.0 supports using pass-otp to fill login forms (see the PassFF section below).

👍 Pass-OTP is one of the tools I use daily. I use ZBar to read various QR-codes.


OATHtool

Generate and validate OATH one-time passwords. KEY and OTP are either the string '-' to read from standard input, '@FILE' to read from the indicated filename, or a hex-encoded value (not recommended on multi-user systems, where the command line is visible to other users).

Install

  • Debian based sudo apt install oathtool gnupg2
  • macOS, Homebrew brew install oath-toolkit

PassFF

The zx2c4 pass management extension for Firefox. (Pending Chrome port.) This extension allows you to access your zx2c4 pass repository directly from your web browser. You can select to automatically fill and submit login forms if a matching password entry is found.

Install

An official signed version can be found on the Mozilla add-on page.

👍 PassFF is one of the tools I use daily.


ZBar

ZBar Bar Code Reader is an open source software suite for reading bar codes from various sources, such as video streams, image files and raw intensity sensors. It supports EAN-13/UPC-A, UPC-E, EAN-8, Code 128, Code 93, Code 39, Codabar, Interleaved 2 of 5, QR Code and SQ Code.

Install

  • On Debian: sudo apt update && sudo apt -y install zbar-tools
  • On macOS, Homebrew: brew install zbar

Using it

Download your QR-code and type

  • zbarimg -q my_qr.png to read it in clear text.

Using it with pass and OTP:

  • Type pass otp add my_service,
  • copy the otpauth://... output of the previous zbarimg command,
  • paste it when asked to Enter otpauth:// URI for my_service:
  • paste it again when asked to Retype otpauth:// URI for my_service:

and you are good to go.

Generate a TOTP code

  • Type pass otp my_service and you will get a 6-digit code as output.
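To show what pass otp and oathtool actually compute from the otpauth:// URI that zbarimg extracts, here is an added Python example; it is not code from the original post, from pass-otp or from oathtool. It parses a constructed otpauth://totp/... URI, decodes the base32 secret and derives HOTP (RFC 4226) and TOTP (RFC 6238) codes. The sample URI uses the RFC test secret, not a real enrolment, and also handles hotp URIs and the SHA256/SHA512 variants, which goes beyond the 6-digit SHA1 case the post describes.

```python
"""Added example (not part of the original post, pass-otp or oathtool): compute the
HOTP (RFC 4226) and TOTP (RFC 6238) codes behind `pass otp <name>` from an otpauth://
URI such as the one zbarimg prints for a 2FA enrolment QR code.  The sample URI is
constructed and carries the RFC test secret "12345678901234567890", not a real key."""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional
from urllib.parse import parse_qs, unquote, urlparse

HASHES = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}


def parse_otpauth(uri: str) -> dict:
    """Parse otpauth://TYPE/LABEL?secret=...&issuer=...&digits=...&period=... into a dict,
    rejecting anything that is not a totp/hotp URI with a secret and a known algorithm."""
    parts = urlparse(uri)
    if parts.scheme != "otpauth" or parts.netloc not in ("totp", "hotp"):
        raise ValueError("not an otpauth totp/hotp URI")
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    if "secret" not in params:
        raise ValueError("otpauth URI has no secret")
    algo = params.get("algorithm", "SHA1").upper()
    if algo not in HASHES:
        raise ValueError(f"unsupported algorithm {algo}")
    return {
        "type": parts.netloc,
        "label": unquote(parts.path.lstrip("/")),
        "issuer": params.get("issuer"),
        "secret": params["secret"],
        "algorithm": algo,
        "digits": int(params.get("digits", 6)),
        "period": int(params.get("period", 30)),
        "counter": int(params["counter"]) if "counter" in params else None,
    }


def decode_secret(b32: str) -> bytes:
    """Base32-decode, tolerating the missing padding, spaces and lower case QR codes carry."""
    s = b32.strip().replace(" ", "").upper()
    s += "=" * (-len(s) % 8)
    return base64.b32decode(s)


def hotp(key: bytes, counter: int, digits: int = 6, algorithm: str = "SHA1") -> str:
    """RFC 4226: HMAC over the big-endian 8-byte counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), HASHES[algorithm]).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, at: int, period: int = 30, digits: int = 6, algorithm: str = "SHA1") -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / period)."""
    return hotp(key, at // period, digits, algorithm)


def code_from_uri(uri: str, at: Optional[int] = None) -> str:
    """What `pass otp <name>` does once the URI is stored: derive the current code."""
    p = parse_otpauth(uri)
    key = decode_secret(p["secret"])
    if p["type"] == "hotp":
        return hotp(key, p["counter"] or 0, p["digits"], p["algorithm"])
    now = int(time.time()) if at is None else at
    return totp(key, now, p["period"], p["digits"], p["algorithm"])


# Constructed sample: the RFC 4226/6238 test secret "12345678901234567890" in base32.
SAMPLE_URI = ("otpauth://totp/Example:alice%40example.com"
              "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example&digits=8&period=30")

if __name__ == "__main__":
    print(parse_otpauth(SAMPLE_URI))
    print("code at T=59:", code_from_uri(SAMPLE_URI, at=59))   # 94287082 per RFC 6238
    print("code now:   ", code_from_uri(SAMPLE_URI))
```

Running the decoded URI through parse_otpauth before pass otp add catches a malformed QR payload (missing secret, unknown algorithm) early, and the code it produces must match the one the service's own authenticator app shows for the same time window; if it does not, check the clock first, since TOTP has no other shared state.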

👍 ZBar is one of the tools I use.


PAM-GnuPG

Unlock GnuPG keys on login with a PAM module that hands your login password over to gpg-agent. This can be useful if you are using a GnuPG-based password manager like pass.

⚠️ Your store will automatically be opened at login ⚠️.
To compensate, you need to configure the desktop to lock automatically.

Requires GnuPG 2.1, and probably only works on Linux.

💡 This approach undoubtedly introduces certain vulnerabilities within the system: anyone at an unlocked session has the store open. You have been warned ⚠️

QtPass — GUI

Often I use a GUI, QtPass, a cross-platform app for Linux, macOS and Windows.

QtPass is a multi-platform GUI for pass, the standard Unix password manager.

Install

  • On Debian: sudo apt update && sudo apt -y install qtpass
  • Or install from the homepage
  • In the settings, configure the password length, how pass is invoked, the OTP extension and git …

References

pass [1], pass-otp [2], QtPass GUI [3], PassFF [4], OATHtool [5], PAM-GnuPG [6], ZBar [7]


  1. Pass homepage, getting started GitHub, extensions section, clients section, import section, man page

  2. pass-otp GitHub, man page

  3. QtPass homepage and install for macOS and Windows, GitHub, docs

  4. PassFF GitHub, Download page

  5. OATHtool man page, Arch wiki

  6. PAM-GnuPG GitHub

  7. ZBar barcode reader homepage