Install pass – use the package manager for your distro.
$ sudo apt install pass
$ sudo yum install pass
$ sudo pacman -S pass
Let’s try it out.
$ pass
Error: password store is empty. Try "pass init".
$ pass init
Usage: pass init [--path=subfolder,-p subfolder] gpg-id...
We need a GPG key. Your distro should come with GNU Privacy Guard (GPG) installed already; if not, install it now.
Create a new GPG key just for use with this program. There are multiple ways to create keys with GPG, with different levels of control over the options:
$ gpg --quick-generate-key
$ gpg --generate-key
$ gpg --full-generate-key
Note that GPG shows you a 40 byte hash of the public key when you generate one. You can use that to associate the public key with your password store. If you need it again at some point you can always see it with the following command.
$ gpg --list-secret-keys --keyid-format LONG
Using the command shown above to list your GPG keys you should see the same hash you generated displayed, along with a fingerprint – the last 16 bytes of it. Either one can be used to initialize the password store; we’re going to use the shorter of them.
When you create a new password store using pass it creates a hidden folder in your home directory.
$ pass init "BE3507CE22462669"
mkdir: created directory '/home/mdw/.password-store/'
Password store initialized for BE3507CE22462669
$ pass ls
Password Store
pass is telling us we have an empty password store.
Notice that the directory where our passwords will be stored has been created with permissions of 700, so that only we can access the encrypted password files inside.
$ ls -ld ~/.password-store/
drwx------ 2 mdw mdw 4096 Sep 1 13:12 .password-store/
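The two checks described above (that the short key ID is the tail of the long fingerprint, and that the store directory is mode 700) can be scripted. This is an added example, not code from the article or from pass itself; it parses a constructed sample of the gpg listing (the 40-character fingerprint is made up, and only its last 16 characters are the key ID from the article), and it checks a directory's mode via ls so it works on both GNU and BSD userlands.

```shell
#!/bin/sh
# Constructed sample of `gpg --list-secret-keys --keyid-format LONG` output.
# The fingerprint below is made up for this example; only its last 16 hex
# characters are the key ID used in the article.
SAMPLE_LISTING='sec   rsa4096/BE3507CE22462669 2019-09-01 [SC]
      0123456789ABCDEF01234567BE3507CE22462669
uid           [ultimate] Example User <user@example.com>
ssb   rsa4096/FEDCBA9876543210 2019-09-01 [E]'

# Long key ID from the first "sec" line: the part after the slash.
long_keyid() {
  printf '%s\n' "$1" | awk '$1 == "sec" { split($2, a, "/"); print a[2]; exit }'
}

# The fingerprint is the bare hex line gpg prints right under "sec".
fingerprint() {
  printf '%s\n' "$1" | awk '$1 == "sec" { getline; gsub(/ /, ""); print; exit }'
}

# True only if both values are hex, have the expected lengths, and the
# key ID is exactly the last 16 characters of the fingerprint.
keyid_matches_fingerprint() {
  local kid=$1 fpr=$2
  case "$kid$fpr" in *[!0-9A-Fa-f]*) return 1 ;; esac
  [ "${#fpr}" -eq 40 ] || return 1
  [ "${#kid}" -eq 16 ] || return 1
  case "$fpr" in *"$kid") return 0 ;; esac
  return 1
}

# True only if the directory is mode 700 (drwx------): owner-only access,
# so nobody else on the machine can even list the encrypted entries.
store_perms_ok() {
  local mode
  mode=$(ls -ld "$1" | cut -c1-10)
  [ "$mode" = "drwx------" ]
}

# Stand-alone demonstration on the constructed listing and the real store.
kid=$(long_keyid "$SAMPLE_LISTING")
fpr=$(fingerprint "$SAMPLE_LISTING")
printf 'key id:      %s\nfingerprint: %s\n' "$kid" "$fpr"
if keyid_matches_fingerprint "$kid" "$fpr"; then
  echo "key id is the tail of the fingerprint"
fi
if [ -d "$HOME/.password-store" ]; then
  if store_perms_ok "$HOME/.password-store"; then
    echo "store permissions ok"
  else
    echo "WARNING: ~/.password-store is not mode 700"
  fi
fi
```

Either value returned by the parsing functions can be handed to pass init; the permission check is worth re-running after restoring a store from a backup, since archive tools do not always preserve the 700 mode.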
Our password store has been created but it’s empty. Let’s create a new password using the insert option to see how it works.
$ pass insert somesite.com
Enter password for somesite.com:
Retype password for somesite.com:
Great job, our first password has been created for somesite.com.
Check it by viewing the list with the ls option, which is the default option, so it’s often omitted.
$ pass ls
There it is, our one entry. ls is typical of pass options, patterned after familiar Unix commands.
If we want to view the password for somesite.com we can use the same ls option with the name of one entry to display.
$ pass ls somesite.com
Note again that ls is the default option and we can omit it.
We can also create multiline entries, for those times when we want to store more than a simple password. Pass is simply encrypting a text file for each entry, so we can put anything in them. It’s a good idea to put the password on the first line, however, since as we’ll see later you can easily copy that line into the paste buffer.
$ pass add -m anothersite
password1
anothersite@freemail.com
more info about this site
The -m switch indicates we want to insert multi-line data, and in case you didn’t guess, add is an alias for insert. If we now display the contents of anothersite we’ll see every line we entered. The multiline content can be as many lines as needed, as it’s simply written to a text file.
$ pass -c anothersite
Copied anothersite to clipboard. Will clear in 45 seconds.
Using the -c switch is one of the best features of pass. Many password managers allow you to copy a password to be pasted into a web form, and this is great because it eliminates the need for a browser plugin, which is a rich attack vector. Unlike most, pass properly clears the password from the clipboard after allowing a reasonable amount of time to elapse, 45 seconds by default. You can adjust this time interval by setting the PASSWORD_STORE_CLIP_TIME environment variable.
$ pass generate foo
The generated password for foo is: ]6h2YEQ?2yW`C3-jCa6>dUx,S
$ pass generate bar 12
The generated password for bar is: Pa61ZN!k\wv]
Another useful feature we get with pass is generating passwords. Instead of creating a new password entry by using the insert option, we can use generate and pass will generate a password for us using /dev/urandom. An optional trailing argument specifies the desired length; in the example above we get a twelve character password. The default length can be modified using the PASSWORD_STORE_GENERATED_LENGTH environment variable.
$ pass generate -n strictsite
The generated password for strictsite is:
U9084dDTh3zW0biZxIrfZ9uRl
Use the additional switch -n to use only alphanumeric characters. The default character sets can be changed, as you might suspect, by setting the environment variables PASSWORD_STORE_CHARACTER_SET and PASSWORD_STORE_CHARACTER_SET_NO_SYMBOLS.
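To show what generate is doing under the hood, here is an added example (not code from the article or from pass) that builds a password the same way: filter /dev/urandom through tr with a character class and take the first N bytes. It honours the same three environment variables the article names, and it assumes pass's built-in defaults of 25 characters, [:punct:][:alnum:] for the normal set and [:alnum:] for the no-symbols set. A second function checks a password against those rules, which is handy when auditing entries that were inserted by hand rather than generated.

```shell
#!/bin/sh
# Built-in defaults assumed to match pass: 25 characters, punctuation plus
# alphanumerics by default, alphanumerics only with -n.
DEFAULT_SET='[:punct:][:alnum:]'
NO_SYMBOLS_SET='[:alnum:]'

# gen_password [length] [no-symbols]
# Reads random bytes, keeps only those in the allowed set, and stops after
# the requested number of characters. LC_ALL=C makes tr work bytewise so
# the character classes mean the same thing on every system.
gen_password() {
  local len set
  len=${1:-${PASSWORD_STORE_GENERATED_LENGTH:-25}}
  set=${PASSWORD_STORE_CHARACTER_SET:-$DEFAULT_SET}
  if [ "${2:-}" = "no-symbols" ]; then
    set=${PASSWORD_STORE_CHARACTER_SET_NO_SYMBOLS:-$NO_SYMBOLS_SET}
  fi
  LC_ALL=C tr -dc "$set" < /dev/urandom | head -c "$len"
}

# check_password PASSWORD LENGTH [no-symbols]
# True only if the password has exactly LENGTH characters and every one of
# them belongs to the allowed set for the chosen mode.
check_password() {
  local pw=$1 want_len=$2 set leftover
  [ "${#pw}" -eq "$want_len" ] || return 1
  set=${PASSWORD_STORE_CHARACTER_SET:-$DEFAULT_SET}
  if [ "${3:-}" = "no-symbols" ]; then
    set=${PASSWORD_STORE_CHARACTER_SET_NO_SYMBOLS:-$NO_SYMBOLS_SET}
  fi
  # Delete every allowed character; anything left over is not permitted.
  leftover=$(printf '%s' "$pw" | LC_ALL=C tr -d "$set")
  [ -z "$leftover" ]
}

# Stand-alone demonstration: a default password, a 12 character one, and
# a 25 character alphanumeric one, each verified against its own rules.
p1=$(gen_password)
p2=$(gen_password 12)
p3=$(gen_password 25 no-symbols)
printf 'default:    %s\n12 chars:   %s\nno-symbols: %s\n' "$p1" "$p2" "$p3"
for spec in "$p1 25" "$p2 12"; do
  set -- $spec
  check_password "$1" "$2" && echo "$1 ok"
done
check_password "$p3" 25 no-symbols && echo "$p3 ok (alphanumeric)"
```

Note that -n shrinks the alphabet from 94 printable characters to 62, so a site that forbids symbols gets a weaker password at the same length; compensate by asking for a longer one.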
Be sure to watch for the next installment, where we’ll dive a bit deeper into how pass actually works and into ways to use it that make the most sense for you. Stay tuned!