Pass linux how to use

Password management should be simple and follow Unix philosophy. With pass, each password lives inside of a gpg encrypted file whose filename is the title of the website or resource that requires the password. These encrypted files may be organized into meaningful folder hierarchies, copied from computer to computer, and, in general, manipulated using standard command line file management utilities.

pass is a simple password manager for the command line. pass is a shell script that makes use of existing tools like GnuPG, tree and Git.

Installation

An optional Qt GUI is available via the qtpass package.

Basic usage

To initialize the password store:

To create a new password, first provide a descriptive hierarchical name. In this example, this is archlinux.org/wiki/username.

To get a view of the password store do the following. Note the example output which shows the hierarchy we just created.

To generate a new random password for the above example, do the following, where n is the desired password length as a number:

To retrieve a password, enter the gpg passphrase at the following prompt, again using the example name from above:

Users of Xorg with xclip installed can retrieve the password directly onto the clipboard temporarily (e.g., to paste into web forms). In a Wayland session, pass-git AUR will use wl-clipboard instead. To do so, do the following (again with the same example hierarchical name from above):

/.shellrc for this behavior: export PASSWORD_STORE_X_SELECTION=primary

pass comes with a dmenu wrapper to enable easy searching/copying. To use it, install the optional dependency dmenu and run:

Then selecting an entry will copy its password to the clipboard. See dmenu(1) for customization options such as case-insensitivity. You may want to set this to a systemwide keybinding in order to easily access passwords from any application.

Data organization

By default, the credential file created with pass insert will only contain your password. However, it may not be enough since several applications ask for detail data like username, url, etc. You can edit an existing file the way you want with command pass edit password_name . Below is the preferred organizational scheme provided by pass-project page. When using the option -c or —clip with this scheme, only the password will be copied.

Migrating to pass

There are multiple scripts listed on the pass-project page to import passwords from other programs

Extensions

Since version 1.7, pass supports extensions developed by the community. These extensions extend the features of pass with the support of new commands.

Advanced usage

Environment variables can be used to alter where pass looks to do store and git operations via:

For more information on how this can be used to support multiple pass repositories see this link. The following pw() example alias sends the first line of the named database to the clipboard before sending the second line five seconds thereafter and finally an OTP code five seconds after that. Assuming that a password occupies the first line and a username the second line and an OTP URI exists anywhere in the named database, the net effect is passing username > password > otp code for consecutive primary pasting into available (e.g. browser) entry fields:

Multiple pass contexts (e.g. teaming)

One can use aliases to set up different pass contexts, which helps when collaborating with different teams. We have gotten this working in bash as follows:

Add aliases to your

Add these for bash-completion to your

/.bash_completion and make sure bash-completion is installed:

Now you can initialize into

/.pass/blue and have two pass contexts with the passred and passblue aliases. You can generalize this further into as many contexts as you like.

Git integration

Git helper usage

You can use pass as a credentials helper for git . Install the pass-git-helper AUR or pass-git-helper-git AUR package. Details are described in the github README file.

git configuration

Configure pass-git-helper as a git credentials helper by calling:

Mapping file

Create the file

/.config/pass-git-helper/git-pass-mapping.ini . It is used to map git remote hosts to your pass database. The format is something like this:

You can use wildcards in the host part, as shown in the example.

Password store layout

As usual with pass, the helper assumes that the password is contained in the first line of the passwordstore entry. Additionally, if a second line is present, this line is interpreted as the username.

For this to work, you have to use pass insert —multiline to create a multi line password store entry.

Central Git server for pass in combination with GnuPG (SSH example)

You are able to setup a password management system by setting up a central Git server for pass. This allows you to synchronize your central password repository through multiple client environments.

Install a bare Git repository for pass on the server

On the server run git init —bare

/.password-store to create a bare repository you can push to.

Import authorized public SSH keys

On the client

This section assumes you have configured GnuPG and have a key pair to encrypt passwords. On your local client ensure you have a local password store on the client, then enable management of local changes through Git, add your remote Git repository, and push your local pass history.

Now you can use the standard Git commands, prefixed by pass . For example: pass git push , or pass git pull . pass will automatically create commits when you use it to modify your password store.

Troubleshooting

Encryption failed: Unusable public key

The following error can occur when attempting to insert a new entry:

This occurs if the trust level of the GnuPG key is set to anything other than «ultimate.» Edit the key used for pass to set its trust level to «ultimate.»

Источник

Pass linux how to use

Password management should be simple and follow Unix philosophy. With pass , each password lives inside of a gpg encrypted file whose filename is the title of the website or resource that requires the password. These encrypted files may be organized into meaningful folder hierarchies, copied from computer to computer, and, in general, manipulated using standard command line file management utilities.

pass makes managing these individual password files extremely easy. All passwords live in

/.password-store , and pass provides some nice commands for adding, editing, generating, and retrieving passwords. It is a very short and simple shell script. It’s capable of temporarily putting passwords on your clipboard and tracking password changes using git .

You can edit the password store using ordinary unix shell commands alongside the pass command. There are no funky file formats or new paradigms to learn. There is bash completion so that you can simply hit tab to fill in names and commands, as well as completion for zsh and fish available in the completion folder. The very active community has produced many impressive clients and GUIs for other platforms as well as extensions for pass itself.

The pass command is extensively documented in its man page.

Using the password store

We can list all the existing passwords in the store:

And we can show passwords too:

Or copy them to the clipboard:

There will be a nice password input dialog using the standard gpg-agent (which can be configured to stay authenticated for several minutes), since all passwords are encrypted.

We can add existing passwords to the store with insert :

This also handles multiline passwords or other data with —multiline or -m , and passwords can be edited in your default text editor using pass edit pass-name .

The utility can generate new passwords using /dev/urandom internally:

It’s possible to generate passwords with no symbols using —no-symbols or -n , and we can copy it to the clipboard instead of displaying it at the console using —clip or -c .

And of course, passwords can be removed:

If the password store is a git repository, since each manipulation creates a git commit, you can synchronize the password store using pass git push and pass git pull , which call git-push or git-pull on the store.

You can read more examples and more features in the man page.

Setting it up

To begin, there is a single command to initialize the password store:

Here, ZX2C4 Password Storage Key is the ID of my GPG key. You can use your standard GPG key or use an alternative one especially for the password store as shown above. Multiple GPG keys can be specified, for using pass in a team setting, and different folders can have different GPG keys, by using -p .

We can additionally initialize the password store as a git repository:

If a git repository is initialized, pass creates a git commit each time the password store is manipulated.

Download

The latest version is 1.7.4.

Ubuntu / Debian

Fedora / RHEL

openSUSE

Gentoo

Macintosh

The password store is available through the Homebrew package manager:

FreeBSD

Tarball

Version 1.7.4
Latest Git

The tarball contains a generic makefile, for which a simple sudo make install should do the trick.

Git Repository

You may browse the git repository or clone the repo:

All releases are tagged, and the tags are signed with 0xA5DE03AE.

Data Organization

Usernames, Passwords, PINs, Websites, Metadata, et cetera

The password store does not impose any particular schema or type of organization of your data, as it is simply a flat text file, which can contain arbitrary data. Though the most common case is storing a single password per entry, some power users find they would like to store more than just their password inside the password store, and additionally store answers to secret questions, website URLs, and other sensitive information or metadata. Since the password store does not impose a scheme of it’s own, you can choose your own organization. There are many possibilities.

One approach is to use the multi-line functionality of pass ( —multiline or -m in insert ), and store the password itself on the first line of the file, and the additional information on subsequent lines. For example, Amazon/bookreader might look like this:

This is the preferred organzational scheme used by the author. The —clip / -c options will only copy the first line of such a file to the clipboard, thereby making it easy to fetch the password for login forms, while retaining additional information in the same file.

Another approach is to use folders, and store each piece of data inside a file in that folder. For example Amazon/bookreader/password would hold bookreader’s password inside the Amazon/bookreader directory, and Amazon/bookreader/secretquestion1 would hold a secret question, and Amazon/bookreader/sensitivecode would hold something else related to bookreader’s account. And yet another approach might be to store the password in Amazon/bookreader and the additional data in Amazon/bookreader.meta . And even another approach might be use multiline, as outlined above, but put the URL template in the filename instead of inside the file.

The point is, the possibilities here are extremely numerous, and there are many other organizational schemes not mentioned above; you have the freedom of choosing the one that fits your workflow best.

Extensions for pass

In order to faciliate the large variety of uses users come up with, pass supports extensions. Extensions installed to /usr/lib/password-store/extensions (or some distro-specific variety of such) are always enabled. Extensions installed to

/.password-store/.extensions/COMMAND.bash are enabled if the PASSWORD_STORE_ENABLE_EXTENSIONS environment variable is true Read the man page for more details.

The community has produced many such extensions:

pass-tomb: manage your password store in a Tomb
pass-update: an easy flow for updating passwords
pass-import: a generic importer tool from other password managers
pass-extension-tail: a way of printing only the tail of a file
pass-extension-wclip: a plugin to use wclip on Windows
pass-otp: support for one-time-password (OTP) tokens

Compatible Clients

The community has assembled an impressive list of clients and GUIs for various platforms:

Migrating to pass

To free password data from the clutches of other (bloated) password managers, various users have come up with different password store organizations that work best for them. Some users have contributed scripts to help import passwords from other programs:

Credit & License

pass was written by Jason A. Donenfeld of zx2c4.com and is licensed under the GPLv2+.

Contributing

This is a very active project with a healthy dose of contributors. The best way to contribute to the password store is to join the mailing list and send git formatted patches. You may also join the discussion in #pass on Libera.Chat.

Источник

Pass linux how to use

Pass — отличный консольный менеджер паролей

Что такое Pass

Как это работает

Чего не хватает

Pass linux how to use

Contents

Installation

Basic usage

Data organization

Migrating to pass

Extensions

Advanced usage

Multiple pass contexts (e.g. teaming)

Git integration

Git helper usage

git configuration

Mapping file

Password store layout

Central Git server for pass in combination with GnuPG (SSH example)

Install a bare Git repository for pass on the server

Import authorized public SSH keys

On the client

Troubleshooting

Encryption failed: Unusable public key

Pass linux how to use

Using the password store

Setting it up

Download

Ubuntu / Debian

Fedora / RHEL

openSUSE

Gentoo

Macintosh

FreeBSD

Tarball

Git Repository

Data Organization

Usernames, Passwords, PINs, Websites, Metadata, et cetera

Extensions for pass

Compatible Clients

Migrating to pass

Credit & License

Contributing