Having a solid password manager is an absolute must these days, especially if you work in IT or regularly log in to various social media. There are various options available under Linux, some more elegant than others. Out of all the options available, one that looks well crafted is gopass.
In this tutorial you will learn:
- How to install gopass, the command line password manager
- How to set up GPG and Git to work in conjunction with gopass
- How to use gopass and what benefits and features it offers
- How to enable the gopass browser extensions available for Firefox, Chrome and Chromium
- How healthy the gopass and pass (on which it is based) communities and repositories are
Software requirements and conventions used
|Category||Requirements, Conventions or Software Version Used|
|Software||Bash command line, Linux based system|
|Other||Any utility which is not included in the Bash shell by default can be installed using |
|Conventions||# - requires linux-commands to be executed with root privileges either directly as a root user or by use of |
$ - requires linux-commands to be executed as a regular non-privileged user
What is gopass?
At first, a person may be turned off by the fact that gopass is a command line based password manager, but once you find out there are browser plugins for popular browsers, a well maintained codebase and community, a clean and well documented website, and a clear list of security tradeoffs, things may change.
One can use gopass on Linux, on Mac, on BSD and even on Windows! gopass was designed to be an easy-to-use program for technical users who are used to the command line. At the same time, gopass was designed with a high level of security in mind. A final consideration was for gopass to be extensible, and we can see this realized through browser plugins for example.
Installing gopass is quite straightforward on Ubuntu, Mint, and Debian. If you are using another operating system like MacOS or Fedora, please see the gopass GitHub installation documentation.
To install gopass on your Debian/Apt based Linux distribution (like Ubuntu and Mint), you will need to execute the following commands in your terminal. Note that we assume here that you do not have any secret GPG keys on your system yet.
$ sudo apt install gnupg2 gnupg git rng-tools
$ git config --global gpg.program gpg2
$ gpg --full-generate-key
When you execute the gpg --full-generate-key command, you will be presented with a number of options to configure your key. For the key type, simply accept the default, which is RSA and RSA. Set the key length to at least 2048, but higher is better. We selected 4096. When asked about key validity you can set 5 or 10 years, for example by entering 10y. After this, enter your name and email and a comment.
When this is done, use O (from Okay) to confirm the setup and you will be presented with a passphrase dialog for the key, which will appear as the topmost window in your Linux Desktop. Enter a complex and long passphrase, at least as long as the longest item you will store inside your password manager. You can later on configure the GPG Agent to avoid repetitive typing.
Next, we need to configure a (local for the moment) Git repository to allow Git to interface with GPG. To do so, you can follow these steps:
$ mkdir ~/my_password_store && cd ~/my_password_store
$ git init
$ echo 'My password store' > README
$ git add README
$ git commit -S -m "Adding README"
If this should fail at any point, something in your environment may be amiss or broken. Start by checking if you can use git in other settings correctly. If you receive the dreaded "error: gpg failed to sign the data" and "fatal: failed to write commit object" errors, you can reference this thread on stackoverflow to troubleshoot the same. Check the next paragraph first; the solution may be simple.
It may be that you have defined multiple keys and need to select the right signing key with git config --global user.signingKey your_key_ID, where you swap your_key_ID with a key ID. Use gpg --list-secret-keys to see your list of keys. The key IDs are the long hexadecimal (0-9 and A-F) numbers shown.
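One way to pick the signing key without reading the listing by eye, as an added example that is not part of the original article: it parses GnuPG's machine-readable --with-colons output and keeps only keys that can actually sign. The function names are hypothetical and the sample listing is constructed with made-up key IDs.

```shell
#!/bin/sh
# Added example: choose the Git signing key from GnuPG's colon-delimited listing.

# Read `gpg --list-secret-keys --with-colons` output on stdin and print
# "<long key ID> <first user ID>" for each secret key usable for signing:
# not expired (e), not revoked (r), not disabled (D in field 12), and with
# the whole-key sign capability (uppercase S in field 12).
signing_key_ids() {
  awk -F: '
    function emit() { if (id != "") print id, uid; id = "" }
    $1 == "sec" {
      emit()
      if ($2 != "e" && $2 != "r" && $12 !~ /D/ && $12 ~ /S/) { id = $5; uid = "" }
    }
    $1 == "uid" && id != "" && uid == "" { uid = $10 }
    END { emit() }
  '
}

# Print the key ID only when exactly one usable signing key exists; otherwise
# fail, so a script never guesses between several keys.
pick_signing_key() {
  ids=$(signing_key_ids | awk '{ print $1 }')
  [ "$(printf '%s\n' "$ids" | grep -c .)" -eq 1 ] || return 1
  printf '%s\n' "$ids"
}

# Constructed sample listing (made-up key IDs and names): one valid
# "RSA and RSA" key, one expired key, one certify-only key.
sample_listing() {
  cat <<'EOF'
sec:u:4096:1:1111AAAA2222BBBB:1600000000:1915360000::u:::scESC:::+:::23::0:
fpr:::::::::0000000000000000000000001111AAAA2222BBBB:
uid:u::::1600000000::0123456789ABCDEF0123456789ABCDEF01234567::Alice Example <alice@example.org>::::::::::0:
ssb:u:4096:1:3333CCCC4444DDDD:1600000000:1915360000:::::e:::+:::23:
sec:e:2048:1:5555EEEE6666FFFF:1400000000:1500000000::u:::sc:::+:::23::0:
uid:e::::1400000000::89ABCDEF0123456789ABCDEF0123456789ABCDEF::Old Key <old@example.org>::::::::::0:
sec:u:4096:1:7777AAAA8888BBBB:1600000000:::u:::cEC:::+:::23::0:
EOF
}

sample_listing | signing_key_ids

# On a real system (commands from the article, plus git verify-commit):
#   key=$(gpg --list-secret-keys --with-colons | pick_signing_key) &&
#     git config --global user.signingKey "$key"
#   git verify-commit HEAD   # confirms the README commit carries a good signature
```

If pick_signing_key fails, either no usable signing key exists or there are several, and the key ID has to be chosen by hand as described above.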
Once Git and GPG are correctly configured, the next step is to install gopass itself. It is important to note here that the default Debian repositories may have a package named gopass within them (i.e. which could be installed directly by using the apt package manager). However, this package is unrelated to gopass itself. It is a similar tool with an independent implementation and feature set.
To install gopass there are several methods you can use, though it is recommended to download the latest release version rather than installing the latest development branch directly using go, especially if you will be using gopass in a production/real life setting. To do so, go to the gopass releases page, right-click the link relevant to your system and copy it. In our case we are selecting the gopass_1.12.1_linux_amd64.deb Debian package for AMD64 (i.e. all AMD/Intel x64 processors) architecture for installation on Ubuntu or Mint.
If you have not heard about the Mint operating system yet, you may like to read our article Mint 20 Better Than Ubuntu and Microsoft Windows and explore Mint further.
Once you have the link copied into your clipboard, swap back to the terminal and execute a wget command (if you do not have wget installed on your system yet, simply execute sudo apt install wget to install the same) to download the package, and then it can be installed with dpkg:
$ cd ~
$ wget https://github.com/gopasspw/gopass/releases/download/v1.12.1/gopass_1.12.1_linux_amd64.deb
$ sudo dpkg -i gopass_1.12.1_linux_amd64.deb
After this you can simply start gopass by executing gopass from the command line. This will start the initial setup configuration which will assist you with getting gopass up and running. The first command you will want to enter is gopass setup. Follow the steps from there.
There are a few optional steps that you can take to secure your installation further, see Optional Post-Installation Steps on the gopass GitHub page.
Using a GUI and importing data from other password managers
Besides being able to use a GUI like qtpass (as gopass is fully backwards compatible with pass, the Linux password manager, it is also compatible with qtpass which was developed for pass), you can also import data from other password managers.
You can import data from 1Password, Keepass, LastPass, RoboForm and many others. For this, there are various tools, again provided by the pass website (instead of gopass) and they are fully compatible. Check out the full list towards the end of the pass page.
Each of the tools and utilities in the various pass and gopass frameworks (if you will) requires a separate installation. There is even an Android client which can be installed right from the Appstore.
gopass by default is a command/terminal based program based on the solid core of GPG encryption. On top of this, various other integrations can be added. One can add a GUI, or an Android App, or a browser plugin. For Firefox, Chrome and Chromium based browsers, you can use gopassbridge, another well maintained project in the gopass community, which has achieved 100% code coverage and an A rating for maintainability.
As we most often use passwords from the browser when logging in on various websites, installing a browser extension is a great way to enable easy fill-in of login details instead of having to swap back and forth between the password manager and the browser. For installation of gopassbridge, simply follow the instructions provided on the gopassbridge website linked in the last paragraph.
While researching this article, I looked into the feedback the community was providing and the health of the repositories, joined the gopass Slack group, and tested some of the documented processes. I also note here that the tools are built around an open and accepted security technology like PGP. I was overall very impressed by what I saw. The whole pass and gopass community seems very healthy, thriving and well maintained. This is a must with security oriented packages.
I provided some bits of feedback on the gopass Slack page and was met with friendly, well-crafted and resource-laden replies and an encouragement for users to reach out via GitHub (gopass github issues), if they experienced any issues. Well done team. It is great to see people contributing, free of charge, to a small ecosystem like this and thrive!
Happily surprised with what I found; a full-fledged password manager, with the ability to sync to a remote system (I would recommend looking into using a private Git or private GitLab repo, which are both free), to be able to use it on all operating systems (including Android!), a solid terminal base core based on GPG, with a GUI to match, browser plugins, and more!
And then there is a healthy community, a responsive Slack group, and every possible migration (and other) utility one could want. In terms of setting up, yes it may take you a small day if you have a handful of devices, and to learn more and get it set up well, correctly and securely. But it looks to be worth the effort. Enjoy gopass!