pass

posix password manager

A very simple password manager that keeps passwords inside gpg encrypted files inside a simple directory tree.

Similar to password-store, but written in POSIX compliant shell script instead of bash.

Requirements

Optional Requirements

Config

Edit the source code to change these settings:

Setting    Description
GPG_ID     Default GPG key ID to use for encrypting/decrypting
GPG_OPTS   Do not edit this unless you know what you are doing
METHOD     Method used for the menu ("copy" will use xclip to copy passwords & "type" will use xdotool to type passwords)
PASS_DIR   Directory to store all password information

Usage

Command            Description
pass               Display a directory tree of stored passwords
pass <path>        Display password information for <path> or a directory tree of stored passwords if <path> is a directory
pass menu          Use pass in dmenu (Selected line is copied to the clipboard or typed out depending on the METHOD used)
pass edit <path>   Display stored password information for <path>
pass gen <len>     Generate a random password that is <len> characters long
pass otp <path>    Return a 2-Factor-Authentication code for <path> (Last line of <path> must be a valid otpauth:// URI)

Note

<path> is not a direct path per se. If the password is stored in $PASS_DIR/www/github.gpg, all you have to put is www/github for <path>

When using the menu, the clipboard is cleared after 3 seconds or passwords are typed after 3 seconds, depending on what METHOD you set in the config.

For setting up 2FA, you can download the QR code image & use zbar to convert it to a string to get a valid URI.
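A way to check an entry before relying on pass otp, as an added example that is not part of pass itself: it validates that the last line of a decrypted entry is a TOTP otpauth:// URI with a base32 secret. The function names, the totp-only restriction and the sample entry are assumptions made for this example; the 6-digit and 30-second defaults come from the Key URI format.

```sh
#!/bin/sh
# Added example, not from the pass source. Function names are hypothetical.
export LC_ALL=C   # keep [A-Z] and tr ranges byte-wise

# otp_param <uri> <name>: print query parameter <name>; non-zero if absent.
# Runs in a subshell, so the IFS and globbing changes do not leak out.
otp_param() (
    query=${1#*\?}
    [ "$query" != "$1" ] || exit 1      # no query string at all
    IFS='&'; set -f
    for kv in $query; do
        case $kv in "$2"=*) printf '%s\n' "${kv#*=}"; exit 0 ;; esac
    done
    exit 1
)

# check_otp_entry: read a decrypted entry on stdin and validate its last line.
# Prints digits, period and secret length (never the secret itself).
check_otp_entry() {
    uri=$(tail -n 1)
    case $uri in
        otpauth://totp/*) ;;
        otpauth://*) echo "only totp URIs are handled here" >&2; return 1 ;;
        *) echo "last line is not an otpauth:// URI" >&2; return 1 ;;
    esac
    secret=$(otp_param "$uri" secret) || { echo "no secret parameter" >&2; return 1; }
    # Base32 is case-insensitive; drop optional '=' padding before checking.
    secret=$(printf '%s' "$secret" | tr -d '=' | tr 'a-z' 'A-Z')
    case $secret in
        ''|*[!A-Z2-7]*) echo "secret is not valid base32" >&2; return 1 ;;
    esac
    # Defaults from the Key URI format: 6 digits, 30 second period.
    digits=$(otp_param "$uri" digits) || digits=6
    period=$(otp_param "$uri" period) || period=30
    case $digits in 6|8) ;; *) echo "digits must be 6 or 8" >&2; return 1 ;; esac
    case $period in ''|0|*[!0-9]*) echo "period must be a positive integer" >&2; return 1 ;; esac
    printf 'digits=%s period=%s secret_len=%s\n' "$digits" "$period" "${#secret}"
}

# Constructed sample entry: password first, otpauth URI on the last line.
sample='not-a-real-password
otpauth://totp/Example:alice@example.com?secret=JBSWY3DPEHPK3PXP&issuer=Example'
printf '%s\n' "$sample" | check_otp_entry
```

A trailing blank line or a notes line after the URI makes the check fail, which matches the requirement that the URI be the last line of the entry.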

Pinentry Setup

To keep everything in the command line, make sure you edit your $HOME/.gnupg/gpg-agent.conf to include pinentry-program /usr/bin/pinentry-curses

If you plan on using the menu features, pinentry-dmenu will allow you to enter your GPG key password inside of dmenu, but in order to do that you will need to create a wrapper for pinentry at $HOME/.gnupg/pinentry-wrapper:

#!/bin/sh
# Use pinentry-dmenu when the caller sets PINENTRY_USER_DATA=dmenu,
# otherwise fall back to the curses pinentry.
if [ "$PINENTRY_USER_DATA" = "dmenu" ]; then
    exec /usr/local/bin/pinentry-dmenu "$@"
else
    exec /usr/bin/pinentry-curses "$@"
fi

Make it executable with chmod +x $HOME/.gnupg/pinentry-wrapper and then edit your $HOME/.gnupg/gpg-agent.conf to include pinentry-program $HOME/.gnupg/pinentry-wrapper.

SmartCard Support

Using a Smart Card such as a YubiKey with pass simply requires setting up your GPG key to recognize your card.

First, you will need to install scdaemon & enable the service on your system in order to recognize your smartcards. After you set this up, you can check if your card is recognized with the gpg --card-status command.

Edit your GPG key with gpg --edit-key [Your-Key-ID] & run the following commands in the interactive session:

key 1
keytocard
save

Ideas & TODO

  • Hash file names for obscurity (pass rm <entry> & pass mv <entry> since file names will be hashed)
  • Better way than using a hard coded GPG_ID & maybe on the fly METHOD selection

Mirrors

  • acid.vegas
  • GitHub
  • GitLab
  • SuperNETs