Tech

Linux and Windows Password Manager Pass

password store ascii

I have been using pass for quite awhile now on both Linux and Windows, and I think it’s a great terminal password manager. It uses gpg to encrypt your passwords into physical files in an organized folder structure, this means that your encrypted passwords are not anywhere on the cloud.

I’ve previously wrote an article on this on my Medium, but I have quit using medium for now and thought that I would move that article to here and improve on it.

Windows (WSL)

The commands that are shown in this article are done on Linux, but Windows has the option to use Linux via WSL. Follow the steps on microsoft’s website for installing WSL, and install Ubuntu from the microsoft store.

Setup GPG

Check your gpg’s version:

gpg --version

Create a GPG Key

If you are on version 2.1.17+, then you need to run:

gpg --full-generate-key

# Answers in order, incase you're not able to follow the questions:
(1) RSA and RSA
3072
0 (key does not expire)
y
Real name: YOUR_NAME
Email: YOUR_EMAIL
O
ENTER_PASSWORD

Else:

gpg --default-new-key-algo rsa4096 --gen-key

List Your GPG Keys

Now you can check for that key:

gpg --list-keys

. . .

pub   rsa3072 2024-03-28 [SC]
      99999ABC999999999999999999999ABC99999999
uid           [ultimate] Chad Gippity <[email protected]>
sub   rsa3072 2024-03-28 [E]

Have that long string of capital letters and numbers on your clipboard or something, you will need it later when setting up pass.

Delete a GPG Key

Incase you need to delete a key:

# Need to delete secret key, then pub key
gpg --delete-secret-key GPG_ID
gpg --delete-key GPG_ID

Install/Setup Pass

On Windows, we will use WSL (ubuntu) since it’s easier:

sudo apt install pass

On Linux, we will use our given package manager (check the website’s download section). I use Arch, so the snippet below is what I use:

sudo pacman -S pass

Initializing Single or Multi Pass

Now we need to initialize pass. You will need your GPG key id, which is that long string of capital letters and numbers from above:

pass init GPG_KEY_ID

# multi gpg key usage
pass init -p USERNAME GPG_KEY_ID

This will create a folder ~/.password-store/ in your home directory with ~/.password-store/.gpg-id in it, and this is where all your encrypted passwords will be stored.

If you used the -p flag, this will create a folder in ~/.password-store/ with the name you specified after the -p flag. This lets you use multiple GPG keys by having all passwords stored in that folder instead of the main folder. The .gpg-id file is for encrypting all passwords in that folder with that GPG key id.

So for example, say you did pass init -p chad 1234ABCS.... Now chad’s GPG key will be used whenever you create or call a password like pass chad/gmail/main

Importing Pass passwords

All you need to do is copy the contents of ~/.password-store/* from your previous machine to your current one.

Pass commands

Create Password

pass add gmail/main

After creating a password, you can auto complete by tab if you have bash completion (or other shell).

Delete Password

pass rm gmail/main

Alternatively, we can also just delete the folder and or file ~/.password-store/gmail/main.gpg.

Copy Password

# linux
pass -c category/key

# windows (wsl)
pass category/key | clip.exe

Importing and Exporting GPG Keys

Using the same pass folder and passwords is possible, all you need to do is export your keys and import them on the machine you want to use it on.

Exporting

# in a folder you want the keys to be stored
gpg --output FILENAME_public.gpg --armor --export GPG_KEY_ID
gpg --output FILENAME_secret.gpg --armor --export-secret-key GPG_KEY_ID

The above command will generate 2 files in the directory you ran the command in, a public and a secret key.

The --armor flag is for exporting the key as text instead of binary, you can test this by exporting one with and without the flag. The --armor version makes things easier to move around since it is just a text file.

Importing

There are several ways to import the keys, but we need to just move these files we just made onto whatever machine we need them on. If we need them on a server, then we can just ssh into the server from where my made the keys, and just copy and paste the file contents (--armor flag allows us to copy it as plain text) into newly made text files on the server. So the contents of the public.gpg file can go into a new public.gpg file on the server.

I have only exported keys to be imported on personal laptops, so my preferred method is to just use a flash drive and do it manually.

Once imported, we will need to trust the keys. You can use pass without having a trusted gpg key after importing, but if you need to edit the passwords, then it will required trusted gpg keys.

$ gpg --edit-key 99999ABC999999999999999999999ABC99999999

gpg> trust
# select 5th option, ultimate trust
gpg> 5

I think pass is a great simple and extensible password manager that can be used offline or online, depending on how you set it up. The fact that it has little to no dependencies and is a CLI makes it a great recommendation for anyone.

kokopi
coding tools password-manager security