Password management has become a hot topic within the last decade. A quick Google search unveils various options for selecting the tool that will safeguard the strings that unlock your personal information. Some of these applications simply run on your computer and store your passwords offline in an encrypted format.
Others are more feature-rich, offering online synchronization with multiple devices, password sharing, two-factor authentication (2FA), and more. With some of these services, the simplicity of password management has been lost amongst the ocean of features that are on offer. Not only that, but through the convenience of the online vaults that many of these services offer, you are losing some control over your data as your credentials are synchronized with servers outside your control.
There is an alternative available that provides simplicity and gives you full control over your credentials. It can provide many of the same features that you will get from a paid service, while still maintaining its simplicity. It is open source and is written by the same author who created WireGuard, which received high praise from Linus Torvalds before it was fast-tracked into the Linux kernel. This alternative is called pass, which is also known as password-store.
Password management should be simple and follow Unix philosophy. With pass, each password lives inside of a gpg encrypted file whose filename is the title of the website or resource that requires the password. These encrypted files may be organized into meaningful folder hierarchies, copied from computer to computer, and, in general, manipulated using standard command line file management utilities. --Pass: The Standard Unix Password Manager
Why use password-store?
- It is open source
- It is simple to use
- It is well documented
- It is CLI based, but there are GUI extensions available
- It is encrypted with GnuPG to a level of your choosing
- It is entirely under your control. Passwords do not sync to third-party servers
- Your password store can remain on your system only, or you can sync it with a private Git repo of your choosing (strongly recommended)
1. Install pass:
$ sudo dnf install pass
2. If you don't already have a GPG keypair, you will need to create one:
$ gpg2 --full-generate-key
Select option 1 (RSA and RSA) for the key type:
Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
Your selection? 1
Select your desired keysize. In this example, choose 4096:
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 4096
Requested keysize is 4096 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Now choose how long you want the key to be valid for. In this example, choose two years:
Key is valid for? (0) 2y
Key expires at Sat 18 Mar 2023 15:03:38 CET
Is this correct? (y/N) y
Input your full name and e-mail address, then confirm with 'O' when prompted.
GnuPG needs to construct a user ID to identify your key.

Real name: John Doe
Email address: firstname.lastname@example.org
Comment:
You selected this USER-ID:
    "John Doe <email@example.com>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
One of the last steps of the GPG key creation process is to set your password. Be sure to use a strong password containing uppercase letters, lowercase letters, and symbols. This will be your master password to unlock your
3. Now that your GPG key is created, you'll need to list your keys and take note of the secret (sec) key ID:
$ gpg2 --list-secret-keys --keyid-format LONG
sec   4096R/AAAA2222CCCC4444 2021-03-18 [expires: 2023-03-18]
uid                          John Doe <firstname.lastname@example.org>
4. With your GPG key ID you can now initiate your
$ pass init 'AAAA2222CCCC4444'
mkdir: created directory ‘/home/myhome/.password-store’
Password store initialized for AAAA2222CCCC4444.
5. You can now generate and fetch passwords from the RSA4096-encrypted password store. To generate a new password (-c copies it to the clipboard after creation and 21 specifies a 21-character password):
$ pass generate -c Internet/github.com 21
Fetch a password from the store:
$ pass show Internet/github.com
<enter GPG password at prompt>
A stock installation of pass provides you with a secure, local datastore for your credentials. There are, however, a couple of other functions I think are important in order to improve usability.
Sync with a Git repo
For the purposes of redundancy and sharing your credentials across multiple devices, I strongly recommend syncing your pass store with a Git repository. The good news is that pass already has Git functionality built in; all you need to do is create a remote repository and initialize it in your pass store. Armed with your remote Git repository, you can go ahead and initialize it for pass. In the example below, I use GitHub, but remember, you can use any version control hosting provider or set up your own.
1. Once you have set up a private repository on your remote Git server, initialize a Git repo locally with pass git init and add the remote origin:
$ pass git init
Initialized empty Git repository in /home/myhome/.password-store/.git/
[master (root-commit) 998c8fd] Added current contents of password store.
 1 file changed, 1 insertion(+)
 create mode 100644 .gpg-id
$ pass git remote add origin email@example.com:johndoe/pass-store.git
2. As long as your authentication to the repository is properly configured, you can push your pass store to the remote repository with the built-in pass git push command:
$ pass git push -u --all
Enumerating objects: 14, done.
Counting objects: 100% (14/14), done.
Delta compression using up to 12 threads
Compressing objects: 100% (12/12), done.
Writing objects: 100% (12/12), 2.68 KiB | 913.00 KiB/s, done.
Total 12 (delta 6), reused 0 (delta 0), pack-reused 0
To firstname.lastname@example.org:johndoe/pass-store.git
   212af8c..d1c11c5  master -> master
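Because the store is just a directory of .gpg files that pass git push sends to the remote verbatim, a quick audit before pushing catches anything that was dropped into the store unencrypted (a notes file, an editor backup). The POSIX shell functions below are an added example, not part of the article or of pass itself; they assume the default store layout (a .gpg-id file at the root, one <name>.gpg file per entry, and the .gitattributes that pass git init creates) and take the store path as their first argument.

```shell
#!/bin/sh
# Added example (not from the article or the pass project): audit a password
# store before "pass git push" so that no plaintext file leaves the machine.
# Assumes the layout the article describes: .gpg-id at the root and one
# <entry>.gpg file per credential. The store path is the first argument and
# defaults to pass's own default location, ~/.password-store.

# Print every regular file in the store that is NOT an encrypted entry.
# Returns 0 if the store is clean, 1 if plaintext files were found,
# 2 if the directory is not a pass store (no .gpg-id).
audit_store() {
    store="${1:-$HOME/.password-store}"
    [ -f "$store/.gpg-id" ] || { echo "no .gpg-id in $store" >&2; return 2; }
    # .gitattributes is created by "pass git init" (assumption: default setup),
    # and .git/ holds only history, so both are skipped.
    leaks=$(find "$store" -path "$store/.git" -prune -o -type f \
            ! -name '*.gpg' ! -name '.gpg-id' ! -name '.gitattributes' -print)
    if [ -n "$leaks" ]; then
        echo "unencrypted files found in $store:" >&2
        echo "$leaks" >&2
        return 1
    fi
    return 0
}

# List entry names the way "pass ls" presents them: path relative to the
# store root with the .gpg suffix removed, sorted.
list_entries() {
    store="${1:-$HOME/.password-store}"
    find "$store" -path "$store/.git" -prune -o -type f -name '*.gpg' -print |
        sed "s|^$store/||; s|\.gpg\$||" | sort
}

# To enforce the audit on every commit made through "pass git", this file can
# be sourced from .git/hooks/pre-commit in the store, followed by:
#   audit_store "$(git rev-parse --show-toplevel)" || exit 1
```

Running audit_store on a clean store prints nothing and exits 0; a stray notes.txt next to the .gpg entries is reported on stderr and the function exits 1, which is enough to fail a pre-commit hook.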
Automatically populate web login forms
There are extensions available for all major browsers that allow you to automatically fill login forms with your stored credentials. You will need to install the browserpass-native client and the browser extension. Check out the instructions for installing the native client. Once both the native client and the browserpass extension are installed, you can use the shortcut Ctrl-Shift-L to automatically populate login forms with your pass store credentials.
1. Install the browserpass extension for Chrome/Chromium.
2. Next, compile and install the browserpass-native client. You will likely need to do this manually.
3. Clone the browserpass-native repository to your system.
4. If Golang is already installed, skip this step. Otherwise, install Golang:
$ sudo dnf install golang
5. cd to where you cloned the repo and run the following:
$ make
$ make configure
$ sudo make install
6. Go to the browserpass program directory and compile the extension for your specific browser. For Chromium, run:
$ cd /usr/lib/browserpass/
$ make hosts-chromium-user
There are examples of how to compile it for your particular browser.
7. You can now use the browserpass extension to fill in forms from your password store.
There is an Android app called Android-Password-Store and another for iOS called passforios, both of which are open source and available on their respective app stores. Both apps support form autofill and both have built-in Git functionality, so it’s easy to push and pull from your remote pass repository.
In this article I introduced you to pass, an open source password management tool that uses the tried and true GNU Privacy Guard (GPG) encryption software to keep your credentials secure. The core pass software allows for simple password management, with the ability to extend functionality through other open source extensions.
pass data stores are simply a collection of GPG-encrypted files, so your credentials can be easily synchronized between devices by using a tool already common among sysadmins: Git. This allows you to decide where your credentials are stored, whether it be a private Git repository on a version control hosting provider or even your own virtual private server. With pass you take full control of your password management, without sacrificing functionality and while still maintaining simplicity.