Using Pass for secure terminal-based password storage

pass is "the standard unix password manager": each password lives in its own GPG-encrypted file inside a plain directory tree under your home, so the store can be browsed, copied and versioned with ordinary tools. It is available from https://www.passwordstore.org/.

In order to set up pass, first we need a GPG key. Generate one with:

gpg2 --gen-key

Fill in the options, accepting the defaults unless you want a different key size or expiry, and enter a passphrase for the key. (Since GnuPG 2.1, --gen-key asks only for a name and email address and uses the defaults for everything else; run gpg2 --full-gen-key instead if you want to choose the algorithm, key size or expiry yourself.) It is important that you remember this passphrase, as it is what protects your password store: every password you save is encrypted to this key.

Now, list your keys in machine-readable form using

gpg2 --list-keys --with-colons --with-fingerprint

This will output something like the following (values abbreviated):

pub:u:4096:1:XXYYXXYYXXYYXXYY:...
fpr:::::::::<40 hexadecimal characters>:
uid:u::::...::...::My Name (Comment from key creation) <email>:
sub:...
fpr:::::::::<fingerprint of the subkey>:

The 16-character string XXYYXXYYXXYYXXYY in the fifth field of the pub record is the long key ID of your key, not its fingerprint; the fingerprint is the 40-character value in the fpr record that follows it. pass init accepts either (or an email address from the uid record), but the full fingerprint is the unambiguous choice, since a key ID is only a truncation of it and can collide with another key's.

So now, download and install pass and run:

pass init XXYYXXYYXXYYXXYY

using the key ID or fingerprint found above.

This will create a password store in ~/.password-store, record the chosen id in ~/.password-store/.gpg-id, and encrypt every password you add to that GPG public key.
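To avoid copying the id by hand, the following script (an added example, not code from the pass project or from this post) parses the colon-separated listing, takes the primary key's full 40-character fingerprint from its fpr record rather than the 16-character key ID, checks that it really is a full fingerprint, and hands it to pass init. The listing embedded in the script is constructed, with made-up key IDs and fingerprints; run the script with --init (optionally followed by an email address to select one of several keys) to do the real thing against your own keyring, which needs gpg2 and pass installed.

```shell
#!/usr/bin/env bash
# Added example (not from the pass project or the original post):
# pick the primary key's full fingerprint out of GnuPG's machine-readable
# listing and hand it to `pass init`, instead of copying a 16-character
# key ID by hand.
set -eu

# Parse `gpg2 --list-keys --with-colons --with-fingerprint` output.
# Each key is a `pub` record (field 5 = 16-hex long key ID) followed by an
# `fpr` record whose 10th field is the 40-hex fingerprint. Subkeys repeat
# the pattern with `sub`, so we stop at the first fpr after the first pub.
fingerprint_from_colons() {
    awk -F: '
        $1 == "pub" { want = 1; next }
        want && $1 == "fpr" { print $10; exit }
    '
}

# A gpg-id is only unambiguous if it is a full 40-character hexadecimal
# fingerprint; short and long key IDs are truncations and can collide.
is_full_fingerprint() {
    case "$1" in
        *[!0-9A-Fa-f]*) return 1 ;;
    esac
    [ "${#1}" -eq 40 ]
}

# Initialise (or re-key) the store with the first key in the keyring.
# Extra arguments are passed to gpg2, e.g. an email address to pick a
# specific key. Needs gpg2 and pass installed; not run by default.
init_store_with_first_key() {
    local fpr
    fpr=$(gpg2 --list-keys --with-colons --with-fingerprint "$@" | fingerprint_from_colons)
    if ! is_full_fingerprint "$fpr"; then
        echo "could not find a usable key fingerprint" >&2
        return 1
    fi
    pass init "$fpr"
}

# Constructed sample listing: the key IDs and fingerprints are made up.
SAMPLE_LISTING='tru::1:1496534400:0:3:1:5
pub:u:4096:1:AABBCCDDEEFF0011:1496534400:::u:::scESC::::::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEFAABBCCDD:
uid:u::::1496534400::0A1B2C3D4E5F60718293A4B5C6D7E8F9A0B1C2D3::My Name (Comment) <me@example.com>::::::::::0:
sub:u:4096:1:1122334455667788:1496534400::::::e::::::23:
fpr:::::::::FEDCBA9876543210FEDCBA9876543210FEDCBA98:'

if [ "${1:-}" = "--init" ]; then
    shift
    init_store_with_first_key "$@"     # real run: needs gpg2 and pass
else
    # Demo run: show which fingerprint the parser picks from the sample.
    printf '%s\n' "$SAMPLE_LISTING" | fingerprint_from_colons
fi
```

Run with no arguments it only prints the primary-key fingerprint it extracted from the constructed sample (not the subkey's), which is a quick way to confirm which field the parser takes before pointing it at a real keyring.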

Now, you can add passwords, for instance, using:

pass insert mysuperawesomesite/portal

Enter password for mysuperawesomesite/portal: XXXXX
Retype password for mysuperawesomesite/portal: XXXXX

And now, you've added your first password!

Retrieve your password by typing:

pass mysuperawesomesite/portal

and entering the passphrase you set for your GPG key. The password will then be displayed in your terminal. gpg-agent caches the passphrase for a while, so you will not be asked for it on every lookup.

Or use pass's built-in clipboard support. On Mac OS X it uses pbcopy; on Linux it needs xclip installed (pass prints an error if it is missing).

The following command copies the password to your clipboard and restores the previous clipboard contents after 45 seconds (the PASSWORD_STORE_CLIP_TIME environment variable changes the delay). Bear in mind that anything else running in your session can read the clipboard while the password is in it.

pass -c mysuperawesomesite/portal

Even better, assign an alias to pass -c such as:

echo 'alias pw="pass -c"' >> ~/.bashrc

Backups / Restoring

Back up your password store together with your GPG key pair. GnuPG keeps its files in ~/.gnupg (not ~/.gpg), and since GnuPG 2.1 the secret keys live in ~/.gnupg/private-keys-v1.d/ rather than in secring.gpg, so instead of copying that directory, export the keys with gpg itself; an ASCII-armored export imports into any GnuPG version:

mkdir passbackup
gpg2 --export --armor XXYYXXYYXXYYXXYY > passbackup/pubkey.asc
gpg2 --export-secret-keys --armor XXYYXXYYXXYYXXYY > passbackup/secretkey.asc
cp -R ~/.password-store passbackup/
scp -r passbackup user@backuphost:/backups/

Replace user@backuphost with your own backup server. The store itself is already encrypted, but secretkey.asc is protected only by your passphrase, so treat the backup as sensitive and keep it somewhere you trust.

Access your passwords on another machine (without pass) in an emergency:

Import the GPG key pair

gpg --import passbackup/pubkey.asc passbackup/secretkey.asc

Decrypt a password file (the store is just a tree of .gpg files, one per entry)

cd passbackup/.password-store/
gpg --decrypt my-example-password.gpg
Enter Passphrase: ***************

With --decrypt the password is written to your terminal and nothing is left on disk; running plain gpg my-example-password.gpg instead would create an unencrypted my-example-password file next to the original that you would then have to remove securely.
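The backup and recovery steps above as one script, an added example that is not part of the original post or of pass itself: it exports the key pair and trust database with gpg, tars the store, and on the recovery machine imports the keys, lists the entries in the unpacked store under their pass names, and decrypts one entry to standard output. The backup directory name passbackup/, the subcommand names and the file names inside the backup are this example's own choices; the key ID is whatever you used for pass init.

```shell
#!/usr/bin/env bash
# Added example (not part of the original post or of pass itself):
# back up the store plus an exported GPG key pair, and recover a single
# entry from that backup on a machine without pass. The directory and
# file names below are this example's own choices.
set -eu

# Export the key pair with gpg rather than copying ~/.gnupg: the on-disk
# layout changed in GnuPG 2.1 (no more secring.gpg), but an ASCII-armored
# export imports cleanly into any version.
backup_pass() {
    local keyid="$1" dest="$2"
    mkdir -p "$dest"
    gpg2 --export --armor "$keyid"             > "$dest/pubkey.asc"
    gpg2 --export-secret-keys --armor "$keyid" > "$dest/secretkey.asc"
    gpg2 --export-ownertrust                   > "$dest/ownertrust.txt"
    chmod 600 "$dest/secretkey.asc"
    # The store is already GPG-encrypted; tar keeps the directory layout
    # and the .gpg-id / .git metadata pass has written into it.
    tar -C "$HOME" -czf "$dest/password-store.tgz" .password-store
}

# Import the exported key pair (and trust) on the recovery machine.
restore_keys() {
    local src="$1"
    gpg2 --import "$src/pubkey.asc" "$src/secretkey.asc"
    gpg2 --import-ownertrust < "$src/ownertrust.txt"
}

# List the entries in an unpacked store the way `pass ls` names them:
# strip the store prefix and the .gpg suffix, ignore pass's git metadata.
# (.gpg-id does not end in .gpg, so it is not picked up either.)
list_entries() {
    local store="$1"
    find "$store" -type f -name '*.gpg' ! -path '*/.git/*' \
        | sed -e "s|^$store/||" -e 's|\.gpg$||' \
        | LC_ALL=C sort
}

# Decrypt one entry to stdout; no plaintext file is left on disk
# (plain `gpg file.gpg` would write an unencrypted copy next to it).
show_entry() {
    local store="$1" entry="$2"
    gpg2 --quiet --decrypt "$store/$entry.gpg"
}

case "${1:-}" in
    backup)  backup_pass "$2" "$3" ;;   # backup KEYID DESTDIR
    restore) restore_keys "$2" ;;       # restore BACKUPDIR
    list)    list_entries "$2" ;;       # list STOREDIR
    show)    show_entry "$2" "$3" ;;    # show STOREDIR ENTRY
    *)       ;;                         # nothing to do when run bare
esac
```

On the source machine: ./passbackup.sh backup XXYYXXYYXXYYXXYY passbackup, then copy passbackup/ somewhere you trust. On the recovery machine: ./passbackup.sh restore passbackup, tar -xzf passbackup/password-store.tgz -C passbackup, ./passbackup.sh list passbackup/.password-store to see what is there, and ./passbackup.sh show passbackup/.password-store my-example-password to read one entry. Only list_entries works without gpg2 installed; the other three need it.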
Published 2017-06-04