Arseny Zinchenko
pass – a password manager for Linux/UNIX.
Stores data in tree-based directories/files structure and encrypts files with a GPG-key.
In Arch Linux present by default, in Debian can be installed using apt from default repositories:
$ sudo apt install pass
For macOS can be installed with Homebrew:
$ brew install pass
The pass itself is just a bash-script:
$ head /usr/bin/pass
# !/usr/bin/env bash
Copyright (C) 2012 - 2018 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.
# This file is licensed under the GPLv2+. Please see COPYING for more information.
umask "${PASSWORD_STORE_UMASK:-077}"
set -o pipefail
GPG_OPTS=( $PASSWORD_STORE_GPG_OPTS "--quiet" "--yes" "--compress-algo=none" "--no-encrypt-to" )
GPG="gpg"
GPG keys management
Creating GPG key
The pass require a GPG-key to encrypt and decrypt files so let’s create it first:
$ gpg --full-gen-key
...
Please select what kind of key you want:
(1) RSA and RSA (default) // leave default RSA and RSA
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
Your selection?
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) // leave default 2048
Requested keysize is 2048 bits
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0) // leave default 0 - valide forever
Key does not expire at all
Is this correct? (y/N) y
GnuPG needs to construct a user ID to identify your key.
Real name: example
Email address: example@example.com
Comment:
You selected this USER-ID:
"example <example@example.com>"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
...
Then a window will appear asking to set up a password for your GPG-key:
Enter the desired password and finish the key generation:
...
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: key 714F9CBFDA191430 marked as ultimately trusted
gpg: revocation certificate stored as '/home/setevoy/.gnupg/openpgp-revocs.d/E130BB49AAA234F2BE2A7F96714F9CBFDA191430.rev'
public and secret key created and signed.
pub rsa2048 2019-04-25 [SC]
E130BB49AAA234F2BE2A7F96714F9CBFDA191430
uid example <example@example.com>
sub rsa2048 2019-04-25 [E]
Check public keys in your storage:
$ gpg --list-keys
gpg: checking the trustdb
gpg: marginals needed: 3 completes needed: 1 trust model: pgp
gpg: depth: 0 valid: 2 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 2u
/home/setevoy/.gnupg/pubring.kbx
--------------------------------
pub rsa2048 2010-02-11 [SC]
1C61A2656FB57B7E4DE0F4C1FC918B335044912E
uid [ unknown] Dropbox Automatic Signing Key <linux@dropbox.com>
pub rsa2048 2011-04-26 [SC]
FCF986EA15E6E293A5644F10B4322F04D67658D8
uid [ unknown] FFmpeg release signing key <ffmpeg-devel@ffmpeg.org>
sub rsa2048 2011-04-26 [E]
pub rsa4096 2018-04-02 [SC]
ABBAD1CB484F53024CF5868B69332F9203F21F5C
uid [ unknown] Andrew Richards (cancel) <cancel@cancel.fm>
sub rsa2048 2019-01-28 [S]
sub rsa4096 2018-04-02 [E]
pub rsa2048 2019-04-25 [SC]
DEB0D4AD41CC2612B1944D448D22D6610B2F6067
uid [ultimate] setevoy (my main) <reg@domain.kiev.ua>
sub rsa2048 2019-04-25 [E]
pub rsa2048 2019-04-25 [SC]
E130BB49AAA234F2BE2A7F96714F9CBFDA191430
uid [ultimate] example <example@example.com>
sub rsa2048 2019-04-25 [E]
And your private keys:
$ gpg --list-secret-keys
/home/setevoy/.gnupg/pubring.kbx
--------------------------------
sec rsa2048 2019-04-25 [SC]
DEB0D4AD41CC2612B1944D448D22D6610B2F6067
uid [ultimate] setevoy (my main) <reg@domain.kiev.ua>
ssb rsa2048 2019-04-25 [E]
Deleting key
To delete a key first need to delete its private part, and after then – its public part.
Remove the private key:
$ gpg --delete-secret-key E130BB49AAA234F2BE2A7F96714F9CBFDA191430
gpg (GnuPG) 2.2.15; Copyright (C) 2019 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
sec rsa2048/714F9CBFDA191430 2019-04-25 example <example@example.com>
Delete this key from the keyring? (y/N) y
This is a secret key! - really delete? (y/N) y
As an argument to the --delete-secret-key option a key’s fingerprint or ID (name) can be passed, here it is the “example“.
Now the public key can be removed using the --delete-key option:
$ gpg --delete-key E130BB49AAA234F2BE2A7F96714F9CBFDA191430
gpg (GnuPG) 2.2.15; Copyright (C) 2019 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
pub rsa2048/714F9CBFDA191430 2019-04-25 example <example@example.com>
Delete this key from the keyring? (y/N) y
Backuping GPG-keys
As this key(s) will be used to decrypt data – we don’t want to lose it.
You can create a backup just by copying the whole ~/.gnupg directory (in case if GnuPG package is used):
$ ll .gnupg/
total 52
drwx------ 2 setevoy setevoy 4096 Jan 22 12:44 crls.d
drwx------ 2 setevoy setevoy 4096 Apr 25 10:04 openpgp-revocs.d
drwx------ 2 setevoy setevoy 4096 Apr 25 10:11 private-keys-v1.d
-rw-r--r-- 1 setevoy setevoy 13732 Apr 25 10:14 pubring.kbx
-rw-r--r-- 1 setevoy setevoy 12317 Apr 25 09:58 pubring.kbx~
-rw-r----- 1 setevoy setevoy 676 Apr 25 09:54 sshcontrol
-rw------- 1 setevoy setevoy 1440 Apr 25 10:14 trustdb.gpg
Or by exporting private keys to a dedicated storage:
$ gpg --export-secret-keys > ~/Dropbox/Backups/gpg-setevoy-arch-work-secret-backup.gpg
During the export operation – a password will be asked:
Later you can restore keys using the --import option.
Remove an existing key:
$ gpg --delete-secret-key setevoy
And restore it from the backup:
$ gpg --import ~/Dropbox/Backups/gpg-setevoy-arch-work-secret-backup.gpg
gpg: key 8D22D6610B2F6067: "setevoy (my main) <reg@domain.kiev.ua>" not changed
gpg: key 8D22D6610B2F6067: secret key imported
gpg: Total number processed: 1
gpg: unchanged: 1
gpg: secret keys read: 1
gpg: secret keys imported: 1
Check now:
$ gpg --list-secret-keys
/home/setevoy/.gnupg/pubring.kbx
--------------------------------
sec rsa2048 2019-04-25 [SC]
DEB0D4AD41CC2612B1944D448D22D6610B2F6067
uid [ultimate] setevoy (my main) <reg@domain.kiev.ua>
ssb rsa2048 2019-04-25 [E]
The pass
A database initialization
Initialize new storage using an ID (name) or an email used during GPG-key creation:
$ pass init setevoy
Password store initialized for setevoy
pass will create an identity file ~/.password-store/.gpg-id:
$ cat .password-store/.gpg-id
setevoy
pass Git and Github
Besides a usual local storage pass can keep it as a git-repository with all changes history.
If you didn’t make global Git settings – add them now:
$ git config --global user.email reg@domain.kiev.ua
git config --global user.name "setevoy"
And create local git-repository in your existing pass‘s storage:
$ pass git init
Initialized empty Git repository in /home/setevoy/.password-store/.git/
[master (root-commit) 7e19ab0] Add current contents of password store.
1 file changed, 1 insertion(+)
create mode 100644 .gpg-id
[master 19aaf2c] Configure git repository for gpg file diff.
1 file changed, 1 insertion(+)
create mode 100644 .gitattributes
Now you can check history as in a common Git:
$ cd .password-store/
git log
commit d8f791453fd1e8be7cf6126cde7f32df3bd351cc (HEAD -> master)
Author: setevoy <reg@domain.kiev.ua>
Date: Thu Apr 25 11:08:19 2019 +0300
Configure git repository for gpg file diff.
commit d49c886510221f31268f22cd74d0859965bafb7b
Author: setevoy <reg@domain.kiev.ua>
Date: Thu Apr 25 11:08:19 2019 +0300
Add current contents of the password store.
Then you can create a private repository in Github or Bitbucket and import your pass‘s database there to synchronize it between multitype computers.
Although the idea to keep all your passwords in an even private repository, even in a GPG-encrypted file maybe not too good.
Another solution could be to create own git-server and use it.
Still, just for example – let’s create a private Github repository:
Copy its address, here it is the git@github.com:setevoy2/pass-example.git:
Go to your local directory:
$ cd ~/.password-store/
Update its repository settings – add remote:
$ git remote add origin git@github.com:setevoy2/pass-example.git
Check it:
$ cat .git/config
[core]
repositoryformatversion = 0
filemode = true
bare = false
logallrefupdates = true
[diff "gpg"]
binary = true
textconv = gpg2 -d --quiet --yes --compress-algo=none --no-encrypt-to --batch --use-agent
[remote "origin"]
url = git@github.com:setevoy2/pass-example.git
fetch = +refs/heads/*:refs/remotes/origin/*
And push to the Github:
$ git push origin master
To github.com:setevoy2/pass-example.git
* [new branch] master -> master
Check:
Adding passwords
To add a new password use insert with a path to dirs/file:
For example, a password for the RTFM could be added like this:
$ pass insert rtfm.co.ua/admin/setevoy
mkdir: created directory '/home/setevoy/.password-store/rtfm.co.ua'
mkdir: created directory '/home/setevoy/.password-store/rtfm.co.ua/admin'
Enter password for rtfm.co.ua/admin/setevoy:
Retype password for rtfm.co.ua/admin/setevoy:
[master 7ae47c9] Add given password for rtfm.co.ua/admin/setevoy to store.
1 file changed, 0 insertions(+), 0 deletions(-)
create mode 100644 rtfm.co.ua/admin/setevoy.gpg
Retrieve secrets
Now the storage’s structure is like next:
$ pass
Password Store
└── rtfm.co.ua
└── admin
└── setevoy
To retrieve a password – specify a path to its file and enter your GPG-key password:
$ pass rtfm.co.ua/admin/setevoy
p@ssw0rd
It can be copied to the clipboard using the -c option:
$ pass -c rtfm.co.ua/admin/setevoy
Copied rtfm.co.ua/admin/setevoy to clipboard. Will clear in 45 seconds.
And git history now:
$ git log
commit 7ae47c9535eabddc64c89df39c7db720a2cd5244 (HEAD -> master)
Author: setevoy <reg@domain.kiev.ua>
Date: Thu Apr 25 11:12:16 2019 +0300
Add given password for rtfm.co.ua/admin/setevoy to store.
...
Multiline records
Instead of adding just a password you can specify some additional fields.
To add multitype lines to your password’s file use-m. Set a password itself in the first line: -c will use it to copy a password to the buffer:
$ pass insert -m rtfm.co.ua/admin/setevoy
An entry already exists for rtfm.co.ua/admin/setevoy. Overwrite it? [y/N] y
Enter contents of rtfm.co.ua/admin/setevoy and press Ctrl+D when finished:
p@ssw0rd
Username: setevoy
URL: rtfm.co.ua
[master fc43a4c] Add given password for rtfm.co.ua/admin/setevoy to store.
1 file changed, 0 insertions(+), 0 deletions(-)
create mode 100644 rtfm.co.ua/admin/setevoy.gpg
Check:
$ pass show rtfm.co.ua/admin/setevoy
p@ssw0rd
Username: setevoy
URL: rtfm.co.ua
Looking for records and passwords
For search pass has two options – find, and grep.
find will do fast search by a directories/files names:
$ pass find setevoy
Search Terms: setevoy
├── rtfm.co.ua
└── admin
└── setevoy
And grep will search over all files text:
$ pass grep rtfm.
rtfm.co.ua/admin/setevoy:
URL: rtfm.co.ua
...
Removing passwords
Call the pass with the rm option:
$ pass rm rtfm.co.ua/admin/setevoy
Are you sure you would like to delete rtfm.co.ua/admin/setevoy? [y/N] y
removed '/home/setevoy/.password-store/rtfm.co.ua/admin/setevoy.gpg'
[master 7a23ede] Remove rtfm.co.ua/admin/setevoy from store.
1 file changed, 0 insertions(+), 0 deletions(-)
delete mode 100644 rtfm.co.ua/admin/setevoy.gpg
To delete a directory – use rm -r:
$ pass rm -r Main
Are you sure you would like to delete Main? [y/N] y
removed '/home/setevoy/.password-store/Main/Work/blabla.com.gpg'
...
Import from a KeePass database
Actually, I’m using pass as a backup storage.
In general, I’m using KeePass (KeePassXC), its database is stored in a Dropbox account and synchronize KeePass’s instances between multiple computers.
In case if this database will break somewhen – I want to have its backup, so let’s import it to the pass.
Here the pass-import utility can be used which can import data from various managers and a KeePass’s XML-file.
it can be installed on Arch Linux from AUR:
$ yaourt -S pass-import
Now create a database’s copy (using KeePass – KeePassXC can’t import to XML):
And run an import to the pass‘s storage passing a source type (here – keepass) and a path to the file:
$ pass import keepass ~/Backups/KeePassBKP/KeePass-Main-25-04-2019-bkp.xml
(*) Importing passwords from keepass
. File: /home/setevoy/Backups/KeePassBKP/KeePass-Main-25-04-2019-bkp.xml
. Number of password imported: 294
. Passwords imported:
Main/AWS/AWS root user
Main/AWS/AWS setevoy
Main/Cards/Aval Credit
...
Check the pass‘s database now:
$ pass
Password Store
├── Main
│ ├── AWS
│ │ ├── AWS root user
│ │ └── AWS setevoy
│ ├── Cards
│ │ ├── Aval Credit
│ │ ├── OtherCards
│ │ │ ├── Masha
│ │ │ ├── Stromenko etabak
...
QtPass
The terminal is awesome but can be better to work using some UI.
For the pass there is the QtPass utility.
In Arch Linux can be installed from the common repository:
$ sudo pacman -S qtpass
Run it:
Done.
Similar posts
- 03/28/2017 Arch: Git – github.com errno=Connection refused (0)
- 01/27/2017 Debian: apt – GPG error: The following signatures were invalid: KEYEXPIRED (0)
- 05/08/2017 Arch Linux: keyserver receive failed: No keyserver available и ручной импорт ключа (0)
- 05/31/2016 Github: авторизация по SSH ключам (0)
