Pass, the password storage manager on FreeBSD ============================================= > The "standard UNIX password manager" Pass is a password storage manager that works on the command line. It advertises itself as the "standard UNIX password manager". The passwords are encrypted with GnuPG and saved in a directory structure. Pass uses Git for the version control of this directory. A sub directory tree inside this directory provides a structure. Each password is stored in a separate file, encrypted using GnuPG. Actions that affect passwords, like creation, editing, and deleting, are automatically committed to Git. Add a remote repository to share and synchronize the password store with your other machines. You start by adding existing passwords to the storage. For new accounts you let pass generate the password. Pass generates unique, strong passwords using /dev/urandom. Retrieved passwords can be shown on the command line, copied to the clipboard, or exported as a QR-code. The clipboard will be restored after 45 seconds. Pass is available for the most current operating systems. It support the use of multiple GnuPG keys. Convenience utilities --------------------- Pass comes with several convenience utilities. * completion is available for several shells * passmenu uses dmenu to let you select an account * pass-import imports several formats, used by some popular password managers * a Emacs mode to use pass from within Emacs * and more Directory structure ------------------- At initialization, pass creates a directory at the default location $HOME/.password-store. Set the environment variable `PASSWORD_STORE_DIR' to override the default location, By adding entries to pass, you create a structure within this directory. To add a new entry the name of the sub directory must be provided. Entries are grouped together in a sub directory, for example all a sub directory for your Fediverse accounts, a sub directory for news outlet accounts, and so on. Sub directories can be nested, you can add as many layers as you want. Install package --------------- On FreeBSD, install the packages "password-store" and "git". pkg install git password-store The package "password-store" provides "pass", our cli tool. Create a GnuPG key ------------------ You can use pass with an existing GnuPG key, or create a dedicated key. As an example we choose to create a new, dedicated key. Here's how to create an elliptic curve key: gpg2 --full-gen-key gpg (GnuPG) 2.4.3; Copyright (C) 2023 g10 Code GmbH This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. Please select what kind of key you want: (1) RSA and RSA (2) DSA and Elgamal (3) DSA (sign only) (4) RSA (sign only) (9) ECC (sign and encrypt) *default* (10) ECC (sign only) (14) Existing key from card Your selection? 9 Please select which elliptic curve you want: (1) Curve 25519 *default* (4) NIST P-384 (6) Brainpool P-256 Your selection? 1 Please specify how long the key should be valid. 0 = key does not expire = key expires in n days w = key expires in n weeks m = key expires in n months y = key expires in n years Key is valid for? (0) Key does not expire at all Is this correct? (y/N) y Here, we did choose 0 - key does not expire. Depending on your thread model, you might prefer a different choice. GnuPG needs to construct a user ID to identify your key. Real name: Email address: Comment: The next step is to enter a password or passphrase (very long password). Choose a strong password, this is the protection of your data when your system, the Git repo or a backup from the repo gets compromised. Make sure you save the password in a safe place, without the password you won't be able to decrypt your data. Make a backup of your key: gpg -a --export-secret-key > backup-of-key.asc Here `backup-of-key.asc' is the name of the file. Choose any name you like. It is customary to use the .asc extension for ascii-armored keys. For you can use the email address with which you created the key (in our example: pks@home.network), or the long hexidecimal string shown when you request a list of your secret keys with `gpg -K' (that is an uppercase k). Keep the backup file separated from your passwords. Don't put the exported key (the backup file) in the same Git repository as your passwords. Initialize password storage manager ----------------------------------- Next, we initialize the storage directory. pass init pass git init The first command create a new directory, $HOME/.password-store The second command initializes Git in this directory. Initialize a remote repository ------------------------------ It's best to immediately create a remote repository, so your passwords live at least on two locations. ssh mkdir password-store ssh "cd password-store && git init --bare" Add the remote: pass git remote add origin :password-store Add an existing password ------------------------ Add the password: pass insert Yahoo/ You will be prompted for the password twice. Use `-e' to echo back your input to the console. This password will be saved in the encrypted file `$HOME/.password-store/Yahoo/maillinm@yahoo.com.gpg' Create a new, strong password ----------------------------- Random generated passwords are stronger than the passwords you can come up with. Pass generates passwords with any length. It shows the generated password on the command line, or copies it to the clipboard, or creates a QR-code. pass generate Yahoo/ This will generate a password with the default length (25 chars). To generate a password with the length of 35 chars: pass generate Yahoo/ 35 With the flag `-c' the password will be copied to the clipboard: pass generate -c Yahoo/ Set the environment variable `PASSWORD_STORE_GENERATED_LENGTH' to override the default length without having to provide a length at the command line. Push the Git repository to the remote ------------------------------------- Pass has automatically committed any changes to the local Git repository. You have to push these manually to the remote repository: pass git push -u --all If you started with a Git clone, `pass git push' will be enough. Likewise, you can pull the changes from the remote with: pass git pull By pushing the changes to a remote repo, the keys are stored at least at two different places, lowering the chance of total loss. List the available passwords ---------------------------- To get a list of the available passwords, simply issue the command; pass Pass creates a tree view of the directory structure and the files with the passwords. Retrieve the password --------------------- Retrieval of the password is easy: pass Yahoo/ This requires the password for your GnuPG key. The gpg-agent will make sure you don't have to type your password too often. Change the password ------------------- To change the password, use the `pass edit' command. pass edit Yahoo/ This will fire up your editor and let you edit the password. Which editor is used depends on the environment variable EDITOR, or using vi as a fallback. Use this not only for changing the password but also for adding multi-line entries (see below). Delete the password ------------------- pass rm Yahoo/ Usernames and passwords ----------------------- Suppose you have two different usernames or accounts at the same organization, just use the sub directory structure: pass insert Fediverse/Lemmy/ pass insert Fediverse/Lemmy/ This will result in: .password-store/ `-- Fediverse `-- Lemmy |-- username-1 `-- username-2 Multiline entries ----------------- To enter a multi-line entry, add the `-m' switch to the pass insert command: pass insert -m Group/account Enter as much info as you like, and finish with Ctrl-d. Another option to enter multi-line entries is to use the edit command, and create the multi-line entry in vi. This method is less error-prone, because it allows you to correct mistakes. When you retrieve a password with -c, pass copies only the first line of a multi-line entry to the clipboard. The first line in multi-line entries should therefor contain the password, and nothing else. This is useful when you also want to store the security questions and the answers you gave. This is also useful for websites where you are identified by both a username and an email address. Or if you need to store any other additional information. The information that you add below the first line doesn't harm the normal pass workflow and still enjoys the protection from the encryption. Organize the information in the lines below the password using the format fieldname: value This way, e.g., additional tools like the Emacs mode are able to fetch specific fields from it. Accessing the passwords on a different machine ---------------------------------------------- Two steps are needed to access the passwords on a different machine: * clone the Git repository * import the GnuPG key Clone the repostiroty from the remote ..................................... To clone the repository from the remote: git clone :password-store .password-store Where is the machine where you pushed the remote. Test that you see the tree when you issue the command `pass'. Importing the GnuPG key ....................... Copy the file `backup-of-key.asc' (or whatever file name you entered) to the machines where you also want to use your password store and import it in GnuPg with: gpg --import backup-of-key.asc After that, you must set the trust. Edit the key with gpg --edit-key and issue the command `trust'. gpg --edit-key ... trust Please decide how far you trust this user to correctly verify other users' keys (by looking at passports, checking fingerprints from different sources, etc.) 1 = I don't know or won't say 2 = I do NOT trust 3 = I trust marginally 4 = I trust fully 5 = I trust ultimately m = back to the main menu Choose 5 - trust ultimately. Retrieve a password to check that GnuPG can decrypt the file with the password. After this, you can open, change and add passwords with the imported key. The good, the bad and the ugly ------------------------------ The good: * pass is easy to use * GnuPG provides secure encryption * pass supports multi-line entries for additional information * pass generates strong passwords * pass commits your changes to Git * the package comes with an Emacs mode The bad: * pass uses the name of the account as file name Somebody who reads the directory tree --which doesn't require a GnuPG key-- sees which accounts are in the tree. This requires either access to your machine or to the Git repo or a backup from the Git repo. The ugly: * When using multiple machines you have to keep the tree in sync This is probably the hardest part when using pass on multiple machines. - Whenever you make changes, make it a habit to immediately push your changes to the remote (`pass git push'). - Start your session with `pass git pull' to make sure you have the latest version. Emacs mode ---------- Of course there is an Emacs mode for pass! The FreeBSD package `password-store' installs a few files in `/usr/local/share/password-store/emacs/', among others the file `password-store.el' and `README.md'. After loading the `password-store.el' in Emacs, you can run commands like: * M-x password-store-insert * M-x password-store-copy * M-x password-store-copy-field The last option is useful for multi-line entries, where each line (except the first line, which contains the password) starts with `fieldname: '. There are more options than shown here, see the password-store.el file. The commands like password-store-copy will give you a list of the available passwords in the mini buffer, where you can pick the right one using completion. Much more --------- Pass can do much more, and there is a small ecosystem around it, with tools, clients, GUIs, and so on. See the friendly manual with `man pass', and also the website https://www.passwordstore.org/ Last edited: $Date: 2024/04/07 16:33:32 $