pass

What is pass? It's just a password manager. It works by using gpg encrypted files which are your passwords. This means they are encrypted and safe. It's also a password manager that is offline, so that means you have no issues with hosting it. You can if you would like, host your gpg encrypted passwords in a git repository, or in the cloud, or on an online machine so you can get them using rsync or some other file transfer tool.

There's a number of commands I will share here.

pass init passwordStoreName 

This lets you initialise a password store. A password store is just a place for your passwords to be stored hence the name. This is where gpg-encryption comes in, as all the passwords are encrypted using your gpg password. There is technically more involved that you can find out using `man pass`, as pass is really just a very nice and convenient frontend for gpg.

pass add passwordName 

This lets you add a password under that password name. When you do it, you'll be prompted for a password. Unless I am adding a password that I already know, I usually do not use this, as the next command is far more useful.

pass generate passwordName 20 

This lets you generate a cryptographically strong password for the password named passwordName that is 20 characters long. It's fairly obvious why this is good, because it means you don't use the same password for each online service, nor have to remember them.

pass ls 

This gives you a list of all password names in the password store.

Now you know all the password names(not their values) in your password store, now you need to acquire a password? Simple.

pass passwordName 

This will prompt you for your gpg password, and if successful in decryption, give you the password. There is more you can do with this command that is beyond the scope of this article, such as multiple password stores, and using more than one gpg key for your password encryption. There's even OTP(One Time Passwords, the timed 6 character codes) that you can use with it.

A demonstration use is listed below.

#!/usr/bin/env bash 
 
shopt -s nullglob globstar 
 
typeit=0 
if [[ $1 == "--type" ]]; then 
 typeit=1 
 shift 
fi 
 
prefix=${PASSWORD_STORE_DIR-~/.password-store} 
password_files=( "$prefix"/**/*.gpg ) 
password_files=( "${password_files[@]#"$prefix"/}" ) 
password_files=( "${password_files[@]%.gpg}" ) 
 
password=$(printf '%s\n' "${password_files[@]}" | dmenu "$@") 
 
[[ -n $password ]] || exit 
 
if [[ $typeit -eq 0 ]]; then 
 pass show -c "$password" 2>/dev/null 
else 
 pass show "$password" | { IFS= read -r pass; printf %s "$pass"; } | 
 xdotool type --clearmodifiers --file - 
fi 

For reference, dmenu is a suckless utility. This script is not my own, but is zx2c4's script I am using as an example.

This script takes the list of passwords, lets you select one in the interface created by dmenu, and when you select one, copies it to the clipboard so you can paste it in the respective password box for any account you need to log into. I also have this mapped to a keybind in DWM, "Mod+Shift+P", so any time I need a password, I can get it("Mod+P" is used for pausing music which I do more frequently than I get passwords).

As you can see, it follows the UNIX philosophy pretty well, making it very useful as a password manager. It dodges the issues of contemporary online password managers that are centralised and very much so freedom-restricting, leveraging the passwords to make money from the end users. The fact it's gpg-encrypted means it's also good to use with cloud storage solutions. Overall, it's a tool oft-overlooked by people.

Published on 2022/10/06