ObjectiveLearn to organize your passwords using the "pass" password manager on linux
- Root permissions needed to install required packages
- # - requires given linux commands to be executed with root privileges either directly as a root user or by use of
- $ - requires given linux commands to be executed as a regular non-privileged user
IntroductionIf you have the good habit to never use the same password for more than one purpose, you have probably already felt the need for a password manager. There are many alternatives to choose from on linux, both proprietary (if you dare) and open source. If you, like me, think that simplicity it's the way to go, you may be interested in knowing however to use the
First stepsPass it's a password manager that it's really a wrapper on well trusted and useful tools that you probably already use every day, like
git. Although graphical interfaces exists for it, it is designed to work from command line: therefore it will work even on headless machines.
Step 1 - installationPass it's easily available on the majority of linux distributions, you can obtain via package manager:
# dnf install pass
RHEL and CentOSPass is not available in the official repositories, but you can obtain it from
epel. To make the latter source available on CentOS7, all you have to do is:
# yum install epel-releaseOn Red Hat Enterprise Linux, however, the package that enables this extra source it's not available; you can download it from the official EPEL site.
Debian and Ubuntu
# apt-get install pass
# pacman -S pass
Initialize the password storeOnce we have
passinstalled, we can begin to use it and configure it. First of all, since pass relies on
gpgto encrypt our passwords and store it in a secure way, we must have a
gpg keypairalready in place.
First thing to do is to initialize the
password store: this is simply the directory where all your gpg-encrypted password will be saved. By default it will be created as a hidden directory inside your
$HOME, however you can specify an alternative path, by using the
PASSWORD_STORE_DIRenvironment variable. Let's proceed:
$ pass initThe
password-storedirectory will be created. Now, let's try to store our first password:
$ pass edit mysiteAt this point an instance of our default text editor will be opened, and all we have to do is to enter our password in it. The file will be encrypted using gpg, and stored as
mysite.gpginside the password-store directory.
Pass stores encrypted files in a directory tree, which means that we can logically group more files in subdirectories to obtain a better organization, we will just have to specify it on file creation, for example:
$ pass edit foo/barJust as above, this will prompt for password insertion, but the file will be created inside the
foosubdirectory of the password store. To visualize the file structure, all we have to do is to use the
passcommand without any arguments:
$ pass Password Store ├── foo │ └── bar └── mysiteWhenever we need to modify our password, we will just have to repeat the same command used to create it, as shown above.
Access the passwordsThere are basically two ways we can access our password: the first one is to display it on the terminal, by using:
pass mysiteHowever a better way is to let pass copy it directly to the clipboard, by using the
pass -c mysiteIn this case the clipboard will be cleared after
45seconds. In both cases, a prompt will appear where you will have to insert your gpg password.
Generate passwordsPass can also generate (and automatically store) secure passwords for us. Say we want to generate a password composed by 15 characters: alphanumeric and symbols. The command to use will be:
pass generate mysite 15If we want our password to contain only alphanumeric characters we can use the
--no-symbolsoption. The generated password will displayed onscreen. Alternatively, it can be copied directly to the clipboard, using the
-coption. You can even generate a QR code, by using the
As you can see from the screenshot above, the qrcode has been generated, but since a password for
mysitealready existed at the time we invoked the command, pass showed a prompt to let us confirm that we want to override it.
Pass uses the
/dev/urandomdevice as a (pseudo) random data generator to create the passwords, while it uses the
xcliputility to copy them to the clipboard, and
qrencodeto display them as qrcodes. This modularity is, in my opinion, its greatest strength: it doesn't reinvent anything, it just wraps common used tools to reach its goal.
You can also rename, copy or delete files from the password store, respectively using the
pass cp, or
Using the password store as a git repositoryAnother great feature of
passis that it can treat the password store as a git repository: letting us manage our password more easily, under a version control system.
pass git initThis will create the git repository, and automatically create a commit with all the existing files. The next step is to specify the remote repository to track:
pass git remote add <name> <url>We can manage this repository just like we do with all other repository we use. The only "difference" is that every time we add or modify a password,
passwill automatically add the file to the index and create a commit.
A graphical interface exists for
pass, it is called
qtpassand it's available also for Windows and MacOs. It's also possible to access the password store from firefox, using the
PassFFextension. You will find more detailed informations on the project site. Go on an try
pass, you will not regret it!