My initial way to keep my long list of passwords/secrets safe in my computer was using the password manager keepassxc it served well, the way to share this with my mobile was putting the kdbx file in Dropbox and use KeePassDroid app to be able to use my passwords on the go.
Well I've started to have a couple of issues with my current setup, the main issue I was having was I have to keep a window open for the password manager, where I have to go search and copy/paste the data or ask to perform an auto type for me, I started to dislike this because as a developer I normally work only in 2 windows: the browser and a terminal, so that is why I started to look for an alternative. The second issue was that when I tried to configure gmail with mutt I had to put my password in plain text in a file.
When I was setting up my mutt/mbsync/msmtp to use gmail from the terminal (topic for another post), I've found that you have to enter your credentials in a plain text config file, I didn't want to do that, and some other people also didn't do that and they have a solution: pass with this simple cli utility I no longer have to write passwords in config files, it can be automated to consume the password from my store without intervention.
- It follows the Unix philosophy, it does one thing well and can be composable.
- Each password lives inside a gpg encrypted file that can be organized using standard unix commands cp, mv, rm
- It has the feature to copy to clipboard built-in
- It tracks password changes using
gitthis is supe awesome because this way I can distribute my passwords to other devices without much hassle.
- Before the migration I checked that it support the import from other password managers and indeed has an extension with support for 25 different managers pass-import
- Also has nice list of compatible clients, I'll use Android-Password-Store for my mobile.
- And it has a couple of browser extensions to fill/submit on sites really easy without having another window open
All the setup was done in a linux machine with Pop!OS 18.10.
First we need to create a gpg key that pass will use to encrypt/decrypt the password files.
% gpg --gen-key
It will ask for a real name of the key and an email, and also a passphrase that should be at least 8 characters and have a digit.
⏚ [marcelo:~] % gpg --gen-key gpg (GnuPG) 2.2.8; Copyright (C) 2018 Free Software Foundation, Inc. This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. Note: Use "gpg --full-generate-key" for a full featured key generation dialog. GnuPG needs to construct a user ID to identify your key. Real name: Pass Migration Email address: firstname.lastname@example.org You selected this USER-ID: "Pass Migration <email@example.com>" Change (N)ame, (E)mail, or (O)kay/(Q)uit? O We need to generate a lot of random bytes. It is a good idea to perform some other action (type on the keyboard, move the mouse, utilize the disks) during the prime generation; this gives the random number generator a better chance to gain enough entropy. We need to generate a lot of random bytes. It is a good idea to perform some other action (type on the keyboard, move the mouse, utilize the disks) during the prime generation; this gives the random number generator a better chance to gain enough entropy. gpg: key B9E32CDD4190FC22 marked as ultimately trusted gpg: revocation certificate stored as '/home/marcelo/.gnupg/openpgp-revocs.d/23434EEF535B0E7C702E36A9B9E32CDD4190FC22.rev' public and secret key created and signed. pub rsa3072 2019-04-11 [SC] [expires: 2021-04-10] 23434EEF535B0E7C702E36A9B9E32CDD4190FC22 uid Pass Migration <firstname.lastname@example.org> sub rsa3072 2019-04-11 [E] [expires: 2021-04-10]
Check that the gpg key exists:
% gpg -k /home/marcelo/.gnupg/pubring.kbx -------------------------------- pub rsa3072 2019-04-11 [SC] [expires: 2021-04-10] 23434EEF535B0E7C702E36A9B9E32CDD4190FC22 uid [ultimate] Pass Migration <email@example.com> sub rsa3072 2019-04-11 [E] [expires: 2021-04-10]
The command to init the store in pass is the following, you need the key id created in the previous step as the parameter:
% pass init "Pass Migration"
This will create a directory in your ~/.password-store/ and will write a .gpg-id so pass know what key to use to encrypt/decrypt from now on.
mkdir: created directory '/home/marcelo/.password-store' Password store initialized for Pass Migration (migration)
To track all your password changes with git, you just need to init the repo on the directory:
% pass git init Initialized empty Git repository in /home/marcelo/.password-store/.git/
This allows you to keep the history of your passwords, and it helps with the distribution of the store to other devices and to keep them in sync.
In order to backup/distribute your passwords you can set a remote for the .password-store repository, you need to change the data between <>
% pass git remote add origin firstname.lastname@example.org:<your-user>/<your-repo>.git % pass git push -u master
After that when anything happens in pass, it will create a commit for each change automatically, you just need to do a push/pull to sync it
% pass git push % pass git pull
The insert command allows you to manually enter the password to be saved.
% pass insert Personal/testing Enter password for Personal/testing:****** Retype password for Personal/testing:****** [master bf1bc88] Add given password for Personal/testing to store. 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 Personal/testing.gpg
As you can see pass created the testing.gpg file and committed to the repo.
If you want that pass generate a password for you, use the generate command:
% pass generate Personal/testing2 [master 8b0da79] Add generated password for Personal/testing2. 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 Personal/testing2.gpg The generated password for Personal/testing2 is: kqc9b7v=c7~e)D/vIBScEz;%u
Given that pass encrypt all the file, you can add some other metadata to the file like usernames, urls, secret question answers, etc. For that you should use insert in multiple lines, the only thing you need to remember is that the first line is always the password.
% pass insert -m Personal/testing-multiline Enter contents of Personal/testing-multiline and press Ctrl+D when finished: thisismypassword url: http://example.com login: marceloandrade question1: xhdjahdfasdjfkasjdfaks question2: fjasdkfj9dfas0dfa9d8f7 [master 3a133ec] Add given password for Personal/testing-multiline to store. 1 file changed, 0 insertions(+), 0 deletions(-) create mode 100644 Personal/testing-multiline.gpg
To use a password just do
pass Personal/testing that will echo your password, if you don't want to show the password in your terminal, pass the -c parameter to copy to clipboard
pass -c Personal/testing that will keep your password in the clipboard for 45 seconds, enough to paste it where you need it.
You can use
pass edit Personal/testing-multiline that will open the decrypted content in a temporary file with your default editor, you can do changes and save & exit.
[master fa72ec0] Edit password for Personal/testing-multiline using nvim. 1 file changed, 0 insertions(+), 0 deletions(-) rewrite Personal/testing-multiline.gpg (100%)
After you have edited a password you can check directly with git what the change was:
% pass git log
To copy the sha1 of the commit where you did the change
% pass git show fa72ec0a9e51459e8223a6872647f3388ff8a96f commit fa72ec0a9e51459e8223a6872647f3388ff8a96f (HEAD -> master) Author: Marcelo Andrade R Date: Thu Apr 11 12:11:11 2019 -0500 Edit password for Personal/testing-multiline using nvim. diff --git a/Personal/testing-multiline.gpg b/Personal/testing-multiline.gpg index 1c957b8..7dfa9a4 100644 --- a/Personal/testing-multiline.gpg +++ b/Personal/testing-multiline.gpg @@ -1,4 +1,4 @@ -thisismypassword +thisismypassword2 url: http://example.com login: marceloandrade
To delete use
pass rm Personal/testing and will be removed from the store.
Are you sure you would like to delete Personal/testing? [y/N] y removed '/home/marcelo/.password-store/Personal/testing.gpg' [master 151f502] Remove Personal/testing from store. 1 file changed, 0 insertions(+), 0 deletions(-) delete mode 100644 Personal/testing.gpg
Go to the pass-import github repo and install it the way best suit your needs and environment, I cloned it, make and then sudo make install
From KeePassXC application, open your database with your master password, and then go to menu Database/Export to CSV file... that will write the file to disk, make sure it's secured because all your passwords are written in plain text in that file.
The tool to import is really easy to use:
% pass import keepassxc /path/to/file.csv
That command will insert each entry to the store, and do a commit on each one.
Because the file.csv is really unsecure way to save your passwords make sure to delete it securely:
% shred -u file.csv
It became a bit of a long post, let me know if something is not clear, I'll be happy to answer. Also maybe I'll do another post about the android app configuration to use the git repo.