pass – use the package manager for your distro.
$ sudo apt install pass
$ sudo yum install pass
$ sudo pacman -S pass
Let’s try it out.
Error: password store is empty. Try "pass init".
$ pass init
Usage: pass init [--path=subfolder,-p subfolder] gpg-id...
We need a GPG key. Your distro should come with GNU Privacy Guard (GPG) installed already; if not, install it now.
Create a new GPG key just to use with this program. There are multiple ways to create keys with GPG, with different levels of control over options:
$ gpg --quick-generate-key
$ gpg --generate-key
$ gpg --full-generate-key
Note that GPG shows you a 40 byte hash of the public key when you generate one. You can use that to associate the public key with your password store. If you need it at some point you can always see it with the following command.
$ gpg --list-secret-keys --keyid-format LONG
Using the command shown above to list your GPG keys, you should see the same hash you generated displayed, along with a fingerprint – the last 16 bytes of it. Either one can be used to initialize the password store; we’re going to use the shorter of them.
When you create a new password store using pass it creates a hidden folder in your home directory.
$ pass init "BE3507CE22462669"
mkdir: created directory '/home/mdw/.password-store/'
Password store initialized for BE3507CE22462669
$ pass ls
pass is telling us we have an empty password store.
Notice the directory where our passwords will be stored has been created with permissions of 700 so that only we can access the encrypted password files inside.
$ ls -ld ~/.password-store/
drwx------ 2 mdw mdw 4096 Sep 1 13:12 .password-store/
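The same permission check extended to everything under the store, as an added example (not from the original article or from pass itself). The function name audit_store is hypothetical; the .gpg-id file, the .gpg entry suffix and the PASSWORD_STORE_DIR variable are pass's standard layout, which this page does not show.

```shell
#!/bin/sh
# Added example, not part of pass: audit a password store's on-disk state.
# Assumed layout: <store>/.gpg-id names the key, each entry is <name>.gpg.

# audit_store [DIR] -> prints one finding per line; status 0 only if clean.
audit_store() (
    store="${1:-${PASSWORD_STORE_DIR:-$HOME/.password-store}}"
    status=0

    if [ ! -d "$store" ]; then
        echo "MISSING: $store is not a directory"
        exit 1
    fi

    # pass init records the key ID the entries are encrypted to in .gpg-id.
    if [ ! -s "$store/.gpg-id" ]; then
        echo "NO-KEY: $store/.gpg-id is missing or empty"
        status=1
    fi

    # Any group/other permission bit undoes the 700 mode set at init time.
    # Symlinks always report mode 777, so they are skipped.
    loose=$(find "$store" ! -type l \( -perm -040 -o -perm -020 -o -perm -010 \
                -o -perm -004 -o -perm -002 -o -perm -001 \) -print)
    if [ -n "$loose" ]; then
        echo "$loose" | sed 's/^/LOOSE-PERMS: /'
        status=1
    fi

    # A regular file without the .gpg suffix may be plaintext left behind by
    # mistake. Dotfiles and a .git directory are ignored.
    stray=$(find "$store" -type f ! -name '*.gpg' ! -name '.*' \
                ! -path '*/.git/*' -print)
    if [ -n "$stray" ]; then
        echo "$stray" | sed 's/^/NOT-GPG: /'
        status=1
    fi

    exit "$status"
)
```

Run audit_store with no argument to check the default store; any output line names a path to fix.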
Our password store has been created but it’s empty. Let’s create a new password using the insert option to see how it works.
$ pass insert somesite.com
Enter password for somesite.com:
Retype password for somesite.com:
Great job, our first password has been created for somesite.com.
Check it by viewing the list with the ls option, which is the default option, so it’s often omitted.
$ pass ls
There it is, our one entry.
ls is typical of pass options, patterned after familiar Unix commands.
If we want to view the password for somesite.com we can use the same ls option with the name of one entry to display.
$ pass ls somesite.com
Note again that ls is the default option and we can omit it.
We can also create multiline entries, for those times we want to store more than a simple password. Pass is simply encrypting a text file for each entry, so we can put anything in them. It’s a good idea to put the password on the first line, however, since as we’ll see later you can easily copy it into the paste buffer.
$ pass add -m anothersite
more info about this site
The -m switch indicates we want to insert multi-line data, and in case you didn’t guess, add is an alias for insert. If we now display the contents of anothersite we’ll see both lines displayed. The multiline content can be as many lines as needed, as it’s simply written to a text file.
$ pass -c anothersite
Copied anothersite to clipboard. Will clear in 45 seconds.
The -c switch is one of the best features of pass. Many password managers allow you to copy a password to be pasted into a web form, and this is great because it eliminates the need for a browser plugin, which is a rich attack vector. Unlike most, pass properly removes it from memory after allowing a reasonable amount of time to elapse, 45 seconds by default. You can adjust this time interval by setting the PASSWORD_STORE_CLIP_TIME environment variable.
$ pass generate foo
The generated password for foo is: ]6h2YEQ?2yW`C3-jCa6>dUx,S
$ pass generate bar 12
The generated password for bar is: Pa61ZN!k\wv]
Another useful feature we get with pass is generating passwords. Instead of creating a new password entry by using the insert option, we can use generate and pass will generate a password for us using /dev/urandom. An optional trailing argument specifies the desired length; in the example above we get a twelve-character password. The default length can be modified using the PASSWORD_STORE_GENERATED_LENGTH environment variable.
$ pass generate -n strictsite
The generated password for strictsite is:
Use an additional switch, -n, to use only alphanumeric characters. The default character set can be changed, as you might suspect, by setting environment variables.
Be sure to watch for the next installment where we’ll dive a bit deeper into how pass actually works, and ways to use this in the way that makes the most sense for you. Stay Tuned!