I’ve been using pass as my password manager for the last months.

In Linux, Android and Windows.

Here’s how I set it up and the apps that can be used.

Installation

Arch Linux

I installed pass, pass-otp for one time password support, dmenu for an easy way to copy your passwords to the clipboard and if you prefer qtpass foi a gui application.

sudo pacman -S pass pass-otp dmenu qtpass

You can use the command passmenu to open a list of your passwords using dmenu. For convenience you can assign it to a keyboard shortcut.

In XFCE you can go to XFCE > Keyboard > Application Shortcut:

passmenu | Ctrl+Super+P

Android

pass encrypts your passwords with a gpg key, so you’ll need an app to manage your key and an app compatible with pass.

I’m using OpenKeychain and Password Store.

Firefox

You’ll need to install passff-host and the passff extension.

You can follow the instructions here.

Windows

You can use QtPass or just use the pass script in a bash terminal.

I use the bash shell from git for windows and download the pass script here.

Create a new password store

I will be using git to keep my passwords. This is optional. See more in the pass homepage.

  • Create a gpg key to encrypt your passwords
gpg --full-generate-key
  • Create a new pass repository
pass init your_mail@mail.com
  • In you server
git init --bare ~/.password-store
  • In you desktop
pass git init
pass git config --global --edit

pass git commit --amend --reset-author
pass git remote add origin your_user@server:~/.password-store
pass git push -u --all

pass insert test/test3
pass git push

pass git log --pretty=format:"%h - %ae, %cr - %s" -5
  • In another machine
git clone your_user@server:~/.password-store

GPG tips

Here’s cheetsheet for GPG.

Configuration files

Just some configurations I tuned.

vi ~/.gnupg/gpg.conf
	(...)
	###+++--- GPGConf ---+++###
	utf8-strings
	#debug-level basic
	(...)
cat ~/.gnupg/gpg-agent.conf
debug-level basic
log-file socket:///home/your_user/.gnupg/log-socket
pinentry-program /usr/bin/pinentry-gtk-2
default-cache-ttl 1800
gpg-connect-agent reloadagent /bye

Reset cached passwords

echo RELOADAGENT | gpg-connect-agent

Transfer GPG keys between machines

  1. Export to file using a temporary random password
# list gpg private keys
gpg -K
# generate random password
gpg --armor --gen-random 1 20
		xxxxxxxxxxxxxx
# export *private* key
gpg --armor --export-secret-keys your_mail@mail.com | gpg --armor --symmetric --output yourkey.asc
# export public key
gpg --armor --export your_mail@mail.com | gpg --armor --symmetric --output yourkey.gpg
  1. Send to another device

Example for Android:

  • I sent an email to myself using ProtonMail
  • Saved the keys in the sdcard
  • Imported the key in the OpenKeyChain app using the random password generated
  • Deleted the keys from the sdcard
  • Delete the exported keys (generad in the first step)

Example in another computer with access to you main machine and using the random password generated:

  • scp your_user@server:~/yourkey.gpg .
  • gpg --decrypt yourkey.gpg > yourkey1.gpg
  • gpg --decrypt yourkey.asc > yourkey1.asc
  • gpg --import yourkey1.gpg
  • gpg --allow-secret-key-import --import yourkey1.asc
  • Delete the keys you copied from your main machine
  • Delete the exported keys (generad in the first step)

Managing passwords

Here some examples, be sure to check pass homepage.

# insert a new password (multiple lines)
# firt line always the password
pass insert -m banking/bank
	XXXXXXXXX
	user: ------
	url: https://------
	email: @---.---
# edit a password (vi like)
pass edit banking/bank
# remove a password
pass rm banking/bank
# push local changes to keybase
pass git push
# check last 5 commits
pass git log --pretty=format:"%h - %ae, %cr - %s" -5
	851fc19 - your_mail@mail.com, 4 hours ago - Add given password for banking/bank to store.
# show the commit changes (q for quit)
pass git show 851fc19
# show commits from a specific dir
pass git log --follow banking
# your password are individual gpg files
ls .password-store/banking
	bank.gpg
# copy your passwords to the clipboard
pass -c banking/bank
# generate passwords for new sites (with 25 characters for example)
pass generate banking/bank 25
# generate passwords for existing passwords
pass generate --in-place banking/bank 25
# support for one time passwords
pass edit banking/bank
	XXXXXXXXX
	user: ------
	url: https://------
	email: @---.---
	otpauth://totp/Bank:you_bank_mail@mail.com?secret=YOUR_OTP_KEY&issuer=Bank
pass otp banking/bank