Linux pass CheatSheet

Linux pass is the standard Unix password manager: a GPG wrapper for securing your passwords entirely from the Linux terminal. To set up pass you first need GPG keys on your computer; if you aren't familiar with GPG there is a GPG cheat-sheet here on this blog for a quick crash course. Once you have your key set up and, most importantly, BACKED UP to a separate safe location, you may return here to set up your password store with pass.

More information can be found on their website. In short, the passwords live inside ~/.password-store. Each password is nothing more than a GPG-encrypted file, encrypted with the key that you specified when creating the password store (or the password itself). Additionally, you can use a git repository to synchronize your passwords between machines. If you use a public service like GitHub, make sure that you protect your private GPG key with a very strong passphrase and use a private repo on GitHub so that only you can access it.

So let's begin.

0. Check your GPG secret keys

You will need the secret key ID of the key that you plan to use.
In the example below I have two private keys and can use either the ID A702669F3C06991ABC78593894541C5910815E34 or the email alias tango-omega-mike@mail.com.

$ gpg --list-secret-keys
/home/tom/.gnupg/pubring.kbx
----------------------------
sec   rsa4096 2022-07-12 [SC]
      A7843B064654452486FD843C04AA8F86B4B22790
uid           [ultimate] Tom Spirit (Personal key) <tango-omega-mike@mail.com>
ssb   rsa4096 2022-07-12 [E]

sec   rsa4096 2022-06-11 [SC]
      22053812FD9F2939C0E7747340E84A573F0A34CD
uid           [ultimate] Tom Spirit (Corporate key) <wrigley-spearmint@corpmail.com>
ssb   rsa4096 2022-06-11 [E]

1. Setup your passwords layout

It is entirely up to you how you will set this up. The most basic command for creating the password store is pass init <YOUR-GPG-KEY>. This will create your password store in ~/.password-store.

What I prefer, however, is to have it organized into multiple sub-directories, each using a different key for a different purpose. For example I can have one sub-store encrypted with the personal key and another for my work passwords encrypted with the corporate key.

This can be done by passing the --path=<subfolder> flag to the pass init command.

So let's set up our layout:

$ pass init --path=Personal tango-omega-mike@mail.com
mkdir: created directory '/home/tom/.password-store'
mkdir: created directory '/home/tom/.password-store/Personal'
Password store initialized for tango-omega-mike@mail.com (Personal)

$ pass init --path=Corporate wrigley-spearmint@corpmail.com
mkdir: created directory '/home/tom/.password-store/Corporate'
Password store initialized for wrigley-spearmint@corpmail.com (Corporate)

## List your password store by invoking just `pass`
##   It is empty at the moment
$ pass
Password Store
├── Corporate
└── Personal
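
Steps 0 and 1 together amount to "find the right secret key, then pass init it into a sub-folder". The script below is an added example (not code from the cheat sheet or from the pass project) that automates that: it parses the machine-readable listing from gpg --with-colons to turn an e-mail into the primary-key fingerprint, and only then runs pass init --path, so a mistyped uid fails instead of silently creating a store keyed to the wrong key. gpg and pass are assumed to be on PATH for the real run; the embedded listing is constructed sample data (the primary keys mirror the cheat sheet's listing, the subkey fingerprints and uid hashes are made up).

```bash
#!/bin/sh
# Added example, not part of the original cheat sheet: look up the primary
# fingerprint of a secret key by e-mail before `pass init`, so that a typo in
# the uid aborts instead of leaving a store nobody can decrypt.
# Assumes gpg and pass are on PATH for the real run; the listing below is
# constructed sample data in `gpg --with-colons` format (primary keys mirror
# the listing in the cheat sheet, subkey fingerprints and hashes are made up).
set -e

SAMPLE_LISTING='sec:u:4096:1:04AA8F86B4B22790:1657584000:::u:::scESC:::+:::23::0:
fpr:::::::::A7843B064654452486FD843C04AA8F86B4B22790:
uid:u::::1657584000::0123456789ABCDEF0123456789ABCDEF01234567::Tom Spirit (Personal key) <tango-omega-mike@mail.com>::::::::::0:
ssb:u:4096:1:0123456789ABCDEF:1657584000::::::e:::+:::23:
fpr:::::::::FEDCBA9876543210FEDCBA9876543210FEDCBA98:
sec:u:4096:1:40E84A573F0A34CD:1654905600:::u:::scESC:::+:::23::0:
fpr:::::::::22053812FD9F2939C0E7747340E84A573F0A34CD:
uid:u::::1654905600::89ABCDEF0123456789ABCDEF0123456789ABCDEF::Tom Spirit (Corporate key) <wrigley-spearmint@corpmail.com>::::::::::0:
ssb:u:4096:1:89ABCDEF01234567:1654905600::::::e:::+:::23:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:'

# Read `gpg --list-secret-keys --with-colons` output on stdin and print the
# primary-key fingerprint of the first secret key whose uid contains $1.
# Returns 1 when no uid matches. Field 10 carries the fingerprint on "fpr"
# lines and the user id on "uid" lines; "ssb" starts the subkey records, whose
# fingerprints must not be mistaken for the primary one.
fingerprint_for_uid() {
    awk -F: -v want="$1" '
        $1 == "sec" { primary = 1; fpr = "" }
        $1 == "ssb" { primary = 0 }
        $1 == "fpr" && primary && fpr == "" { fpr = $10 }
        $1 == "uid" && fpr != "" && index($10, want) { print fpr; found = 1; exit }
        END { if (!found) exit 1 }
    '
}

# Create a pass sub-store for the given directory, keyed to the secret key
# that matches the uid. Writing the full fingerprint into .gpg-id (rather than
# the e-mail) keeps the store unambiguous if a second key with that e-mail
# ever enters the keyring.
init_substore() {
    subdir=$1
    uid=$2
    fpr=$(gpg --batch --list-secret-keys --with-colons 2>/dev/null | fingerprint_for_uid "$uid") || {
        echo "no secret key matching '$uid' in the keyring; not creating $subdir" >&2
        return 1
    }
    pass init --path="$subdir" "$fpr"
}

# Self-check against the constructed listing (needs no gpg):
printf '%s\n' "$SAMPLE_LISTING" | fingerprint_for_uid tango-omega-mike@mail.com
printf '%s\n' "$SAMPLE_LISTING" | fingerprint_for_uid wrigley-spearmint@corpmail.com

# Real run, mirroring the layout from the cheat sheet:
#   init_substore Personal  tango-omega-mike@mail.com
#   init_substore Corporate wrigley-spearmint@corpmail.com
```

Saving the file and sourcing it, then calling init_substore Personal tango-omega-mike@mail.com, produces the same "Password store initialized" output as the transcript above, except that the sub-folder's .gpg-id now holds the fingerprint rather than the e-mail.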

2. Add some passwords

Use pass insert <PasswordStore/PasswordName> to add a simple password yourself:

$ pass insert Personal/twitter.com
Enter password for Personal/twitter.com:
Retype password for Personal/twitter.com:

Use pass insert -m <PasswordStore/PasswordName> to add a multiline password:

$ pass insert -m Corporate/wrigley-spearmint@corpmail.com
Enter contents of Corporate/wrigley-spearmint@corpmail.com and press Ctrl+D when finished:

Uses MFA with UbiKey
Password: %1s234x13#42d5432s!@#

Use pass generate --clip <PasswordStore/PasswordName> <pass-length> to quickly generate a password, store it in the password store and copy it to the clipboard, where it persists for 45 seconds by default.

## Will generate a 10 character password
$ pass generate --clip Corporate/reddit.com 10
Copied Corporate/reddit.com to clipboard. Will clear in 45 seconds.

Alternatively use the --qrcode option to print a QR code instead. The example below looks much better at an actual terminal prompt.

$ pass generate --qrcode Personal/gmail.com 10
█████████████████████████████
█████████████████████████████
████ ▄▄▄▄▄ █ ▀█▀▄█ ▄▄▄▄▄ ████
████ █   █ █ ▄ ▄ █ █   █ ████
████ █▄▄▄█ █▀▄ ▄ █ █▄▄▄█ ████
████▄▄▄▄▄▄▄█▄█▄█▄█▄▄▄▄▄▄▄████
████▄ ██▄ ▄███▀█ ▀█ ▀ ▄ ▄████
████▀▀█▄▀ ▄█▄█▄▀ ▄█ ▄▄▄█▀████
█████▄██▄█▄▄▀█▄ ▀ ▀██▄ █ ████
████ ▄▄▄▄▄ █▀█ ▄█ █▀ ▄▄▄▀████
████ █   █ █▄▀▀█ ▄ ▀ ▄█ ▀████
████ █▄▄▄█ █▀▀▄▀ ██▄  ███████
████▄▄▄▄▄▄▄█▄▄█▄█▄▄▄▄▄██▄████
█████████████████████████████
█████████████████████████████

3. Listing passwords

After adding some passwords, run pass again to list them. It uses the tree command in the background to display the passwords. All your passwords are stored inside ~/.password-store, so you can achieve the same with the tree or ls commands:

$ pass
Password Store
├── Corporate
│   ├── reddit.com
│   └── wrigley-spearmint@corpmail.com
└── Personal
    ├── gmail.com
    └── twitter.com

$ ls -la .password-store/
total 16
drwx------  4 tom tom 4096 Aug 18 02:21 .
drwxr-xr-x 13 tom tom 4096 Aug 18 02:21 ..
drwx------  2 tom tom 4096 Aug 18 02:37 Corporate
drwx------  2 tom tom 4096 Aug 18 02:36 Personal

$ tree .password-store/
.password-store/
├── Corporate
│   ├── reddit.com.gpg
│   └── wrigley-spearmint@corpmail.com.gpg
└── Personal
    ├── gmail.com.gpg
    └── twitter.com.gpg

2 directories, 4 files

To preview a password use the pass show <PasswordStore/PasswordName> command. This simply prints your password to the terminal. To keep it away from prying eyes, use the -c flag to copy it to the clipboard instead.

One thing to note here is that the first time you ask to show a password, it will ask you for your GPG key passphrase.

$ pass show Corporate/reddit.com -c
Copied Corporate/reddit.com to clipboard. Will clear in 45 seconds.
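
The tree listing shows that every entry is just a .gpg file next to a .gpg-id that names the key it should be encrypted to. With a different key per sub-folder, the thing worth checking is whether each file really is encrypted to the key its folder's .gpg-id names, for instance after an entry was moved between Personal and Corporate. The following script is an added example (not from the cheat sheet or the pass project) that audits exactly that: it reads the recipient key ids out of each file with gpg --list-packets, expands each .gpg-id entry to its encryption-capable key ids with gpg --list-keys --with-colons, and reports any file whose recipients fall outside that set. gpg is assumed on PATH for the real run; the packet dump and key listing embedded for the self-check are constructed sample data.

```bash
#!/bin/sh
# Added example, not part of the original cheat sheet: audit which key each
# *.gpg file in the store is actually encrypted to, and flag any file whose
# recipients are not the keys named by the nearest .gpg-id. With one key per
# sub-directory (Personal vs. Corporate) this catches a password that was
# moved or re-encrypted to the wrong key. Assumes gpg on PATH for the real
# run; the packet dump and key listing below are constructed sample data.
set -e

# What `gpg --list-packets` prints for a file encrypted to one subkey
# (constructed; the keyid is made up).
SAMPLE_PACKETS=':pubkey enc packet: version 3, algo 1, keyid 0123456789ABCDEF
	data: [4095 bits]
:encrypted data packet:
	length: 131
	mdc_method: 2'

# What `gpg --list-keys --with-colons` prints for the Personal key
# (constructed; primary fingerprint mirrors the cheat sheet, subkey is made up).
SAMPLE_KEYLIST='pub:u:4096:1:04AA8F86B4B22790:1657584000:::u:::scESC::::::23::0:
fpr:::::::::A7843B064654452486FD843C04AA8F86B4B22790:
uid:u::::1657584000::0123456789ABCDEF0123456789ABCDEF01234567::Tom Spirit (Personal key) <tango-omega-mike@mail.com>::::::::::0:
sub:u:4096:1:0123456789ABCDEF:1657584000::::::e::::::23:
fpr:::::::::FEDCBA9876543210FEDCBA9876543210FEDCBA98:'

# Print the 16-hex key ids a file is encrypted to, from packet output on stdin.
recipient_keyids() {
    awk '/^:pubkey enc packet:/ { for (i = 1; i <= NF; i++) if ($i == "keyid") print $(i + 1) }'
}

# Print the key ids that can receive encryption for a key (field 12 holds the
# capabilities; a lowercase "e" marks an encryption-capable key or subkey).
encryption_keyids() {
    awk -F: '($1 == "pub" || $1 == "sub") && index($12, "e") { print $5 }'
}

# $1: recipient ids of one file, $2: ids allowed by .gpg-id (whitespace
# separated). Prints "ok" or "MISMATCH"; no recipients at all is a mismatch.
verdict() {
    allowed=" $(printf '%s ' $2)"
    [ -n "$1" ] || { echo MISMATCH; return 0; }
    for r in $1; do
        case "$allowed" in
            *" $r "*) ;;
            *) echo MISMATCH; return 0 ;;
        esac
    done
    echo ok
}

# Walk the store and report one line per file; returns 1 if any mismatch.
audit_store() {
    store=${PASSWORD_STORE_DIR:-$HOME/.password-store}
    report=$(find "$store" -name '*.gpg' -type f | while IFS= read -r f; do
        dir=$(dirname "$f")
        # pass uses the closest .gpg-id walking up from the file's directory.
        while [ ! -f "$dir/.gpg-id" ] && [ "$dir" != "$store" ]; do dir=$(dirname "$dir"); done
        [ -f "$dir/.gpg-id" ] || { echo "MISMATCH $f (no .gpg-id found)"; continue; }
        allowed=$(while IFS= read -r id; do
            gpg --batch --list-keys --with-colons "$id" 2>/dev/null | encryption_keyids
        done < "$dir/.gpg-id")
        recipients=$(gpg --batch --pinentry-mode cancel --list-packets "$f" 2>/dev/null | recipient_keyids)
        printf '%s %s (.gpg-id in %s)\n' "$(verdict "$recipients" "$allowed")" "$f" "$dir"
    done)
    printf '%s\n' "$report"
    case "$report" in *MISMATCH*) return 1 ;; esac
}

# Self-check on the constructed data (needs no gpg):
verdict "$(printf '%s\n' "$SAMPLE_PACKETS" | recipient_keyids)" \
        "$(printf '%s\n' "$SAMPLE_KEYLIST" | encryption_keyids)"
# Real run: audit_store
```

audit_store never decrypts anything: --list-packets only reads the public-key encrypted session key packets, which is why the key ids it reports are those of the encryption subkeys ([E] in the listing from step 0) rather than the primary fingerprint written in .gpg-id, and why the allowed set is built from the "e"-capable entries of each key.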

4. Use version control for password storage

Uploading your password store to a public cloud repository host like GitHub might feel a bit controversial, but think again. If you use a strong passphrase for your GPG key and a private GitHub repo, it will be just as safe as anything else on the cloud.

  1. First create your repository on the hosting service (GitHub, GitLab, BitBucket or a local repo) as you normally would;
  2. With pass git init you initialize a local repo within your password store. Yes, just execute that command and it will initialize the repository inside your .password-store folder;
  3. Add your GitHub repository as a remote repository using pass git remote add origin git@github.com/YOUR-REPOSITORY.

$ pass git init
Initialized empty Git repository in /home/tom/.password-store/.git/

$ pass git remote add origin git@github.com/mystore

## To push your local changes to the repo
$ pass git push -u --all
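
The "just as safe" argument above holds only as long as everything that leaves the machine is GPG-encrypted. pass itself only ever tracks *.gpg files plus its own .gpg-id (and .gpg-id.sig when signing is enabled) and .gitattributes, so any other tracked path in the store is a plaintext leak waiting to be pushed: a note dropped next to a password, an editor backup, an exported list. The script below is an added example (not from the cheat sheet or the pass project) of a guard that checks pass git ls-files against that allow-list before adding the remote and pushing. pass and git are assumed on PATH for the real run; the remote URL is a placeholder, and the path lists used in the self-check are constructed.

```bash
#!/bin/sh
# Added example, not part of the original cheat sheet: a guard to run before
# `pass git push`. A pass store should only ever track *.gpg files plus pass's
# own .gpg-id (.gpg-id.sig when signing is on) and .gitattributes; anything
# else (a note saved next to a password, an editor backup, an exported
# plaintext list) would be pushed to the hosting service in the clear.
# Assumes pass and git on PATH for the real run; the path lists used for the
# self-check are constructed.
set -e

# Read tracked paths on stdin; return 1 and list the offenders if any path is
# not an encrypted entry or a pass housekeeping file.
check_tracked_files() {
    bad=$(grep -v -E '(^|/)(\.gpg-id(\.sig)?|\.gitattributes)$|\.gpg$' || true)
    if [ -n "$bad" ]; then
        printf 'not encrypted, refusing to push: %s\n' "$bad" >&2
        return 1
    fi
    return 0
}

# Check the real store: `pass git` runs git inside ~/.password-store.
store_is_clean() {
    pass git ls-files | check_tracked_files
}

# Add the remote if it is missing (git's SSH shorthand is user@host:owner/repo.git;
# the default below is a placeholder) and push all branches only when the
# store passes the check.
push_store() {
    remote=${1:-git@github.com:YOUR-USER/YOUR-REPOSITORY.git}
    store_is_clean
    pass git remote get-url origin >/dev/null 2>&1 || pass git remote add origin "$remote"
    pass git push -u --all
}

# Self-check on constructed path lists (needs no pass or git):
printf 'Personal/twitter.com.gpg\nPersonal/.gpg-id\n.gitattributes\n' | check_tracked_files \
    && echo "encrypted-only store: ok"
if printf 'Personal/twitter.com.gpg\nPersonal/notes.txt\n' | check_tracked_files 2>/dev/null; then
    echo "should have rejected notes.txt"; exit 1
else
    echo "plaintext file caught"
fi

# Real run: push_store git@github.com:YOUR-USER/YOUR-REPOSITORY.git
```

The check is by file name only; a plaintext file that happens to end in .gpg would pass it, so it complements rather than replaces the recipient audit from step 3.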

5. Restore your passwords from the repo after you switch computers

It goes without saying that first you need your GPG key on the new computer. Once it is set up there, perform the following steps.

  1. Clone the passwords repo with git to your new computer;
  2. Create a new hidden folder .password-store;
  3. Copy everything from the repository folder inside your .password-store folder;
  4. You can continue working from there as usual;
  5. Once you are done, push your local changes again with pass git push -u --all.
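
The five steps above can be done in one go, and the step that deserves automation is the first one: without a secret key for every id named in the store's .gpg-id files, nothing that was cloned can be decrypted. The script below is an added example (not from the cheat sheet or the pass project) that clones straight into ~/.password-store, locks the directory down to the owner as pass does, collects the key ids from every .gpg-id in the tree and refuses to continue until gpg holds a secret key for each. git, gpg and pass are assumed on PATH for the real run; the repository URL is a placeholder, and the tree built for the self-check is constructed.

```bash
#!/bin/sh
# Added example, not part of the original cheat sheet: restore the store on a
# new machine in one go. It clones straight into ~/.password-store (so the
# copy step from the list above is not needed), locks the directory down to
# the owner, and refuses to continue unless a secret key is present for every
# id named in the store's .gpg-id files, since without those keys nothing in
# the store can be decrypted. Assumes git, gpg and pass on PATH for the real
# run; the repository URL is a placeholder and the tree used for the
# self-check is constructed.
set -e

# Print the distinct key ids named by every .gpg-id under $1, one per line.
required_key_ids() {
    find "$1" -name .gpg-id -type f -exec cat {} + | sed 's/[[:space:]]*$//' | grep -v '^$' | sort -u
}

# Read key ids on stdin; return 0 only if gpg holds a secret key for each.
have_secret_keys() {
    missing=0
    while IFS= read -r id; do
        gpg --batch --list-secret-keys "$id" >/dev/null 2>&1 || {
            echo "missing secret key for $id; import it first" >&2
            missing=1
        }
    done
    return $missing
}

restore_store() {
    repo=${1:-git@github.com:YOUR-USER/YOUR-REPOSITORY.git}
    store=${PASSWORD_STORE_DIR:-$HOME/.password-store}
    if [ -e "$store" ]; then
        echo "$store already exists; refusing to overwrite it" >&2
        return 1
    fi
    git clone "$repo" "$store"
    chmod 700 "$store"                 # same mode pass itself uses (drwx------)
    required_key_ids "$store" | have_secret_keys
    pass ls                            # lists the restored entries
}

# Self-check on a constructed tree: the cheat sheet's two sub-stores plus a
# third one that reuses the personal key (needs no gpg or git).
demo=$(mktemp -d)
mkdir -p "$demo/Personal" "$demo/Corporate" "$demo/Family"
printf 'A7843B064654452486FD843C04AA8F86B4B22790\n' > "$demo/Personal/.gpg-id"
printf '22053812FD9F2939C0E7747340E84A573F0A34CD\n' > "$demo/Corporate/.gpg-id"
printf 'A7843B064654452486FD843C04AA8F86B4B22790\n' > "$demo/Family/.gpg-id"
required_key_ids "$demo"   # prints the two distinct fingerprints
rm -rf "$demo"

# Real run: restore_store git@github.com:YOUR-USER/YOUR-REPOSITORY.git
```

If have_secret_keys reports a missing key, import the backed-up private key from step 0 on the new machine and run pass ls again; the clone itself is already in place.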