HPR4377: Password store and the pass command

This show has been flagged as Clean by the host.

Standard UNIX password manager

Password management is one of those computing problems you probably don't think about often, because modern computing usually has an obvious default solution built-in.

A website prompts you for a password, and your browser auto-fills it in for you.

Problem solved.

However, not all browsers make it very easy to get to your passwords store, which makes it complex to migrate passwords to a new system without also migrating the rest of your user profile, or to share certain passwords between different users.

There are several good open source options that offer alternatives to the obvious defaults, but as a user of Linux and UNIX, I love a minimal and stable solution when one is available.

The pass command is a password manager that uses GPG encryption to keep your passwords safe, and it features several system integrations so you can use it seamlessly with your web browser of choice.

Install pass

The pass command is provided by the PasswordStore project.

You can install it from your software repository or ports collection.

For example, on Fedora:

$ sudo dnf install pass

On Debian and similar:

$ sudo apt install pass

Because the word pass is common, the name of the package may vary, depending on your distribution and operating system.

For example, pass is available on Slackware and FreeBSD as password-store.

The pass command is open source, so the source code is available at git.zx2c4.com/password-store.

Create a GPG key

First, you must have a GPG key to use for encryption.

You can use a key you already have, or create a new one just for your password store.

To create a GPG key, use the gpg command along with the --gen-key option (if you already have a key you want to use for your password store, you can skip this step):

$ gpg --gen-key

Answer the prompts to generate a key.

When prompted to provide values for Real name, Email, and Comment, you must provide a response for each one, even though GPG allows you to leave them empty.

In my experience, pass fails to initialize when one of those values is empty.

For example, here are my responses for purposes of this article:

Real name: Tux Email: [email protected] Comment: My first key

This information is combined, in a different order, to create a unique GPG ID.

You can see your GPG key ID at any time:

$ gpg --list-secret-keys | grep uid uid: Tux (My first key) [email protected]

Other than that, it's safe to accept the default and recommended options for each prompt.

In the end, you have a GPG key to serve as the master key for your password store.

You must keep this key safe.

Back it up, keep a copy of your GPG keyring on a secure device.

Should you lose this key, you lose access to your password store.

Initialize a password store

Next, you must initialize a password store on your system.

When you do, you create a hidden directory where your passwords are stored, and you d