Friday, August 28, 2015

Pass Store (Password Manager in command line)


Everybody faces the same problem: too many passwords to remember. If there are too many to keep in your brain, it's time to store them somewhere else. Some people simply write them in a notebook, some keep them in an Excel file, and some download a password manager such as KeePass/KeePassX or LastPass. But as a Linux guy I would like to try another tool, on the command line: Pass (http://www.passwordstore.org/)

Why use a command line password manager? A command line password manager provides flexibility:

  • you connect to the Linux machine over SSH, so it is secure, and you can view the password of a particular account without touching a mouse
  • you can write simple scripts to deal with the passwords, for example to generate a number of account/password pairs or to dump a password list
  • the tool is very lightweight. You can store your passwords on a Raspberry Pi!


If you visit the website you will find it is not difficult to use. However, there are some tricks:

1. You must set up a gpg keyring before initialising the pass store
2. The name you give when initialising the pass store is the ID of the gpg key.

Once you have set up the pass store you are ready to enjoy this tool.

The following steps are an example:

Install pass
apt-get install pass
or
pacman -Sy pass

1. Set up gpg
$ gpg --full-gen-key
gpg (GnuPG) 2.1.7; Copyright (C) 2015 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Please select what kind of key you want:
(1) RSA and RSA (default)
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
Your selection?
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048)
Requested keysize is 2048 bits
Please specify how long the key should be valid.
0 = key does not expire
<n>  = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0)
Key does not expire at all
Is this correct? (y/N) y

GnuPG needs to construct a user ID to identify your key.

Real name: xxxx yyy
Email address: xxxx.yyy@gmail.com
Comment: demo
You selected this USER-ID:
"xxxx yyy (demo) <xxxx.yyy@gmail.com>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.

gpg: key CE98CB0F marked as ultimately trusted
gpg: directory '/home/xxxxx/.gnupg/openpgp-revocs.d' created
public and secret key created and signed.

gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u
pub rsa2048/CE98CB0F 2015-08-21
Key fingerprint = C5ED C5F6 ABF5 7471 AD2C 55B5 A48D 0B82 CE98 CA0F
uid [ultimate] XXXX YYY
sub rsa2048/F628187A 2015-08-21

$ gpg --list-keys
/home/xxxxx/.gnupg/pubring.kbx
-----------------------------------
pub rsa2048/CE98CB0F 2015-08-21
uid [ultimate] XXXX YYY
sub rsa2048/F628187A 2015-08-21

2. Create the pass store
$ pass init "CE98CB0F"
mkdir: created directory ‘/home/xxxxx/.password-store/’
Password store initialized for CE98CB0F

3. Add an entry for blogger
$ pass insert blog/blogger/xxxx.yyy@gmail.com
mkdir: created directory ‘/home/xxxxx/.password-store/blog’
mkdir: created directory ‘/home/xxxxx/.password-store/blog/blogger’
Enter password for blog/blogger/xxxx.yyy@gmail.com:
Retype password for blog/blogger/xxxx.yyy@gmail.com:
$ pass
Password Store
└── blog
    └── blogger
        └── xxxx.yyy@gmail.com
$ pass blog/blogger/xxxx.yyy@gmail.com
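
The "simple script" idea mentioned at the top, as an added example that is not part of the original post: it lists the entries and checks the store on disk without decrypting anything. pass encrypts only the contents of each file, so the entry path (here the account's e-mail address) stays readable to anyone who can read the directory. The function names list_entries and audit_store are hypothetical, and the script assumes the default layout created in steps 2 and 3.

```shell
#!/bin/sh
# Added example (not from the original post). Function names are hypothetical.
# Store layout created by `pass init` and `pass insert`:
#   $STORE/.gpg-id             ID of the gpg key entries are encrypted to
#   $STORE/<dir>/<entry>.gpg   one encrypted file per entry

# Print entry names the way `pass` addresses them, without decrypting.
list_entries() {
    (cd "$1" && find . -name .git -prune -o -type f -name '*.gpg' -print) |
        sed -e 's|^\./||' -e 's|\.gpg$||' | sort
}

# Print one finding per line; no output means nothing was flagged.
audit_store() {
    # Without .gpg-id, pass does not know which key to encrypt to.
    [ -s "$1/.gpg-id" ] || echo "MISSING .gpg-id"
    (
        cd "$1" || exit 1
        # Any regular file that is not *.gpg is sitting in the store unencrypted.
        find . -name .git -prune -o -type f ! -name '*.gpg' \
            ! -name '.gpg-id' ! -name '.gitattributes' -print |
            sed 's|^\./|PLAINTEXT |'
        # pass creates the store with umask 077; flag group/other read access.
        find . -name .git -prune -o \( -perm -040 -o -perm -004 \) -print |
            sed -e 's|^\./|LOOSE_PERMS |' -e 's|^\.$|LOOSE_PERMS (store root)|'
    )
}

# Run against the default store location if one exists.
STORE=${PASSWORD_STORE_DIR:-$HOME/.password-store}
if [ -d "$STORE" ]; then
    list_entries "$STORE"
    audit_store "$STORE"
fi
```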