Password management has become a hot topic within the last decade. A quick Google search unveils various options for selecting the tool that will safeguard the strings that unlock your personal information. Some of these applications simply run on your computer and store your passwords offline in an encrypted format.
Others are more feature-rich, offering online synchronization with multiple devices, password sharing, two-factor authentication (2FA), and more. With some of these services, the simplicity of password management has been lost amongst the ocean of features that are on offer. Not only that, but through the convenience of the online vaults that many of these services offer, you are losing some control over your data as your credentials are synchronized with servers outside your control.
There is an alternative available that provides simplicity and gives you full control over your credentials. It can provide many of the same features that you will get from a paid service, while still maintaining its simplicity. It is open source and is written by the same author who created WireGuard, which received high praise from Linus Torvalds before it was fast-tracked into the Linux kernel. This alternative is called pass, which is also known as password-store.
Password management should be simple and follow Unix philosophy. With pass, each password lives inside of a gpg encrypted file whose filename is the title of the website or resource that requires the password. These encrypted files may be organized into meaningful folder hierarchies, copied from computer to computer, and, in general, manipulated using standard command line file management utilities. --Pass: The Standard Unix Password Manager
Why use password-store?
- It is open source
- It is simple to use
- It is well documented
- It is CLI based, but there are GUI extensions available
- It is encrypted with GnuPG to a level of your choosing
- It is entirely under your control. Passwords do not sync to third-party servers
- Your password store can remain on your system only, or you can sync it with a private Git repo of your choosing (strongly recommended)
Installation
1. Install pass:
$ sudo dnf install pass
2. If you don't already have a GPG keypair, you will need to create one:
$ gpg2 --full-generate-key
Select option 1 (RSA and RSA) for the key type.
Please select what kind of key you want:
(1) RSA and RSA (default)
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
Your selection? 1
Select your desired keysize. In this example, choose 4096:
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 4096
Requested keysize is 4096 bits
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Now choose how long you want the key to be valid for, in this example choose two years:
Key is valid for? (0) 2y
Key expires at Sat 18 Mar 2023 15:03:38 CET
Is this correct? (y/N) y
Input your full name, e-mail address and then confirm with 'O' when prompted.
GnuPG needs to construct a user ID to identify your key.
Real name: John Doe
Email address: john.doe@example.com
Comment:
You selected this USER-ID:
"John Doe <john.doe@example.com>"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
One of the last steps of the GPG creation process is to set your password. Be sure to use a strong password containing uppercase, lowercase, and symbols. This will be your master password to unlock your pass datastore.
3. Now that your GPG key is created you'll need to list your keys and take note of the secret (sec) key ID:
$ gpg2 --list-secret-keys --keyid-format LONG
sec 4096R/AAAA2222CCCC4444 2021-03-18 [expires: 2023-03-18]
uid John Doe <jdoe@example.com>
4. With your GPG key ID you can now initiate your pass datastore:
$ pass init 'AAAA2222CCCC4444'
mkdir: created directory ‘/home/myhome/.password-store’
Password store initialized for AAAA2222CCCC4444.
5. You can now generate and fetch passwords from the RSA4096-encrypted password store. To generate a new password (-c copies the password to the clipboard after creation, and 21 sets the password length to 21 characters):
$ pass generate -c Internet/github.com 21
Fetch a password from the store:
$ pass show Internet/github.com
<enter GPG password at prompt>
Additional Steps
A stock installation of pass provides you with a secure, local datastore for your credentials. There are, however, a couple of other functions I think are important in order to improve usability.
Sync with a Git repo
For the purposes of redundancy and sharing your credentials across multiple devices, I strongly recommend syncing your pass store with a Git repository. The good news is that pass already has Git functionality built-in; all you need to do is create a remote repository and initialize it in your pass store. In the example below, I use GitHub, but remember, you can use any version control hosting provider or set up your own.
1. Once you have set up a private repository on your remote Git server, initialize a Git repository locally in your pass store and add the remote origin:
$ pass git init
Initialized empty Git repository in /home/myhome/.password-store/.git/
[master (root-commit) 998c8fd] Added current contents of password store.
 1 file changed, 1 insertion(+)
 create mode 100644 .gpg-id
$ pass git remote add origin git@github.com:johndoe/pass-store.git
2. As long as your authentication to the repository is properly configured, you can push your pass store to the remote repository with the built-in pass git push command:
$ pass git push -u --all
Enumerating objects: 14, done.
Counting objects: 100% (14/14), done.
Delta compression using up to 12 threads
Compressing objects: 100% (12/12), done.
Writing objects: 100% (12/12), 2.68 KiB | 913.00 KiB/s, done.
Total 12 (delta 6), reused 0 (delta 0), pack-reused 0
To git@github.com:johndoe/pass-store.git
212af8c..d1c11c5 master -> master
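A check worth running before pass git push, as an added example that is not part of the original article or of pass itself: it walks the store and reports any file that is not an encrypted entry, since everything in the directory ends up on the remote. The function names audit_store and make_demo_store are hypothetical, the sample store is constructed, and the allow-list (.gpg-id, .gitattributes) is an assumption about what a store normally contains.

```sh
#!/bin/sh
# Added example: audit a pass store before pushing it to a Git remote.
# Prints one finding per line; returns 0 when clean, 1 otherwise.
audit_store() {
    store=${1:-${PASSWORD_STORE_DIR:-$HOME/.password-store}}
    store=${store%/}
    findings=$(
        find "$store" -path "$store/.git" -prune -o -type f -print |
        while IFS= read -r f; do
            rel=${f#"$store"/}
            case $rel in
                .gpg-id|*/.gpg-id|.gitattributes) continue ;;  # expected metadata (assumed allow-list)
                *.gpg) ;;                                      # entry: inspect below
                *) echo "UNEXPECTED $rel"; continue ;;         # stray, possibly plaintext file
            esac
            # Binary OpenPGP packets always have bit 7 set in the first byte;
            # ASCII-armored messages start with the armor header instead.
            first=$(head -c 1 "$f" | od -An -tu1 | tr -d ' \n')
            if [ "${first:-0}" -lt 128 ] &&
               ! head -c 27 "$f" | grep -q '^-----BEGIN PGP MESSAGE-----'; then
                echo "NOT-OPENPGP $rel"
            fi
        done
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Constructed sample store: one plausible entry and two mistakes.
make_demo_store() {
    d=$(mktemp -d)
    mkdir -p "$d/Internet" "$d/.git"
    echo 'AAAA2222CCCC4444' > "$d/.gpg-id"
    printf '\205\002\014constructed-bytes' > "$d/Internet/github.com.gpg"
    echo 'hunter2' > "$d/Internet/plaintext.gpg"   # plaintext hiding behind a .gpg name
    echo 'recovery codes' > "$d/notes.txt"         # file that was never encrypted
    echo 'ignored' > "$d/.git/config"              # Git internals are skipped
    echo "$d"
}

demo=$(make_demo_store)
audit_store "$demo" || echo "resolve the findings above before 'pass git push'"
rm -rf "$demo"
```

Only file contents are encrypted: entry names such as Internet/github.com are ordinary file paths, so whoever hosts the remote repository can see which sites and resources you keep credentials for.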
Automatically populate web login forms
There are extensions available for all major browsers that allow you to automatically fill login forms with your stored credentials. You will need to install the browserpass-native client and the browser extension. Check out the instructions for installing the native client. Once both the native client and browserpass extension are installed, you can use the shortcut Ctrl-Shift-L to automatically populate login forms with your pass store credentials.
Configuring Chrome
1. Install the browserpass extension for Chrome/Chromium.
2. Next, compile and install the browserpass-native client. You will likely need to do this manually.
3. Clone the browserpass-native repository to your system.
4. If Golang is already installed, skip this step. Otherwise, install Golang:
$ sudo dnf install golang
5. cd to where you cloned the repo and run the following make commands:
$ make
$ make configure
$ sudo make install
6. Go to the browserpass program directory and compile the extension for your specific browser. For Chromium, run:
$ cd /usr/lib/browserpass/
$ make hosts-chromium-user
There are examples of how to compile it for your particular browser.
7. You can now use the browserpass extension to fill in forms from your password store.

Mobile Apps
There is an Android app called Android-Password-Store and another for iOS called passforios, both of which are open source and available on their respective app stores. Both apps support form autofill and both have built-in Git functionality, so it’s easy to push and pull from your remote pass repository.
Wrap up
In this article I introduced you to pass, an open source password management tool that uses the tried and true GNU Privacy Guard (GPG) encryption software to keep your credentials secure. The core pass software allows for simple password management, with the ability to extend functionality through other open source extensions. pass data-stores are simply a collection of GPG encrypted files, so your credentials can be easily synchronized between devices by using a tool already common among sysadmins: Git. This allows you to decide where your credentials are stored, whether it be a private Git repository on a version control hosting provider or even your own virtual private server.
With pass you take full control of your password management, without sacrificing functionality and while still maintaining simplicity.
About the author
Thomas is a Technical Account Manager for Red Hat. An Aussie expat in Sweden, he is passionate about Open Source software and has a keen interest in emerging technologies such as blockchain. Always looking to discover something (or somewhere) new, Thomas prefers to either be travelling or working on a project. More recently he has combined these passions into an ongoing van conversion project, featuring IoT connectivity built on top of Raspberry Pi's with Open Source software!