Intro to Linux pass

I’ve been doing some migration and isolation work lately to reduce the attack surface in the event of a supply chain compromise. The original intention of this post was to document the process of switching from a single password store for all services to several password stores, each with its own virtual machine, disk resources, PGP keys and passphrases. Halfway through that process I realized there should be some context for it; cue this post. The decoupling post will follow soon.

I’ve always been leery of password managers. Some baggage from the super secure days of “Save password for this site” browser prompts no doubt, but it’s served me well. I discovered Pass years ago and instantly fell in love with it. It had everything I was looking for, and got even better with bash completion. My requirements:

  • Offline without cloud synchronization
  • File based
  • Git based
  • PGP encrypted

Basically passwords are stored on the filesystem individually encrypted in the directory hierarchy of your choice.

Generate PGP Key

To get started you’ll need to generate a PGP key. I recommend ECC/Curve25519, as you can always count on DJB. Click play below to see how this is done. During playback you can press the space bar to pause the video at any time. You can also select, copy and paste from the video; seriously, try it. Video functionality by Asciinema.

Initialize Password Store

Now that you have your PGP key, you’ll need to initialize the password store by providing the key to use.
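An added example of mine, not from the post or from pass itself: a script that maps every entry in a store to the key ids it is encrypted for and counts how many entries each key unlocks, which is the exposure of one compromised key. It relies on pass’s on-disk convention, which the post does not show: `pass init <key-id>` records the id in `<store>/.gpg-id`, and a `.gpg-id` in a subfolder (created by `pass init -p <subfolder> <key-id>`) overrides the parent’s for everything beneath it. The key ids, file names and placeholder file contents in the demo are constructed.

```python
from collections import Counter
from pathlib import Path
import tempfile

def gpg_ids_for(entry: Path, store: Path) -> list[str]:
    """Key ids from the nearest .gpg-id at or above `entry`, stopping at `store`."""
    directory = entry.parent
    while True:
        id_file = directory / ".gpg-id"
        if id_file.is_file():
            return [l.strip() for l in id_file.read_text().splitlines() if l.strip()]
        if directory in (store, directory.parent):  # reached the store root (or /)
            raise FileNotFoundError(f"no .gpg-id governs {entry}; run `pass init`")
        directory = directory.parent

def audit_store(store: Path = Path.home() / ".password-store") -> dict[str, list[str]]:
    """{entry name as `pass ls` shows it: key ids} for every *.gpg file in the store."""
    mapping = {}
    for path in sorted(store.rglob("*.gpg")):
        rel = path.relative_to(store)
        if ".git" in rel.parts:  # pass keeps its history in <store>/.git
            continue
        mapping[rel.with_suffix("").as_posix()] = gpg_ids_for(path, store)
    return mapping

def blast_radius(mapping: dict[str, list[str]]) -> Counter:
    """Entries each key can decrypt: the exposure if that one key is compromised."""
    return Counter(k for keys in mapping.values() for k in keys)

def build_demo_store(root: Path) -> Path:
    """Constructed layout: a root key plus a 'work' subfolder with its own key.
    The .gpg files hold placeholder bytes, not real ciphertext."""
    (root / ".gpg-id").write_text("DEMO-ROOT-KEY\n")  # what `pass init DEMO-ROOT-KEY` writes
    (root / "services/github").mkdir(parents=True)
    (root / "services/github/user.gpg").write_bytes(b"<placeholder>")
    (root / "work").mkdir()
    (root / "work/.gpg-id").write_text("DEMO-WORK-KEY\n")  # `pass init -p work DEMO-WORK-KEY`
    (root / "work/vpn.gpg").write_bytes(b"<placeholder>")
    return root

def demo() -> tuple[dict[str, list[str]], Counter]:
    """Audit the constructed store in a scratch directory."""
    with tempfile.TemporaryDirectory() as tmp:
        audit = audit_store(build_demo_store(Path(tmp)))
    return audit, blast_radius(audit)

if __name__ == "__main__":
    for entry, keys in demo()[0].items():
        print(f"{entry:25} -> {', '.join(keys)}")
```

Run `audit_store()` with no argument against your real store to see which key every entry depends on before splitting it into separate stores.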

Using Linux Pass

We’ve got our PGP key set up and our password store initialized; it’s time to use pass.

Generate a random 32 character password for github:

[email protected]:~$ pass generate services/github/[email protected] 32
mkdir: created directory '/home/vince/.password-store/services'
mkdir: created directory '/home/vince/.password-store/services/github'
[master 91debbf] Add generated password for services/github/[email protected]
 1 file changed, 0 insertions(+), 0 deletions(-)
 create mode 100644 services/github/[email protected]
The generated password for services/github/[email protected] is:
^Xlx3`]QA'^Z}\D+8%*0<}/3).i%(wiZ

You can also find this specific password on the filesystem and decrypt it directly with gpg. This isn’t the standard way to display a password, it’s just for demonstration’s sake.

[email protected]:~$ ls -l ~/.password-store/services/github/[email protected]
-rw------- 1 vince vince 180 Feb 21 23:07 /home/vince/.password-store/services/github/[email protected]
[email protected]:~$ gpg -d ~/.password-store/services/github/[email protected] 
gpg: encrypted with 256-bit ECDH key, ID F2BF0037E7041A88, created 2020-02-16
      "Vince <[email protected]>"
^Xlx3`]QA'^Z}\D+8%*0<}/3).i%(wiZ

The standard way to display a password follows. You can use tab completion here: type pass se<tab>.

[email protected]:~$ pass services/github/[email protected] 
^Xlx3`]QA'^Z}\D+8%*0<}/3).i%(wiZ

Want to copy it to the clipboard instead of displaying it?

[[email protected] ~]$ pass services/github/[email protected] -c
Copied services/github/[email protected] to clipboard. Will clear in 45 seconds.

Need to change the password?

[email protected]:~$ pass generate services/github/[email protected] 32
An entry already exists for services/github/[email protected] Overwrite it? [y/N] y
[master 403f83c] Add generated password for services/github/[email protected]
 1 file changed, 0 insertions(+), 0 deletions(-)
The generated password for services/github/[email protected]ca is:
^(c|[<]Jp4d2$2SSD;M$3sZ.U*.apxyJ

Need to access previous versions of the password? No problem, the encrypted blobs are stored in git and we can pull them out. They’re displayed in plaintext here in the git log because I have gpg-agent configured; otherwise you would see the encrypted value.

[email protected]:~$ pass git log -p services/github/[email protected]
commit 403f83cc2e895b0ba097daa808685f4eb5a7022e (HEAD -> master)
Author: Vince <[email protected]>
Date:   Fri Feb 21 23:13:39 2020 -0500

    Add generated password for services/github/[email protected]

diff --git a/services/github/[email protected] b/services/github/[email protected]
index 658664f..9d8a6a7 100644
--- a/services/github/[email protected]
+++ b/services/github/[email protected]
@@ -1 +1 @@
-^Xlx3`]QA'^Z}\D+8%*0<}/3).i%(wiZ
+^(c|[<]Jp4d2$2SSD;M$3sZ.U*.apxyJ
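Review bot: both the `-` and the `+` line of this hunk are plaintext passwords, decrypted for display as the paragraph above explains, while the blobs actually committed at 658664f and 9d8a6a7 are ciphertext. Rotating the entry does not retire the old value from the repository: anyone holding a copy of the store's git history and the key can still recover it, so treat the old password as changed on the service, not erased, and redact both values before pasting a log like this anywhere.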

commit 91debbfc115405b19cea8593aaa422b06eb4151a
Author: Vince <[email protected]>
Date:   Fri Feb 21 23:07:17 2020 -0500

    Add generated password for services/github/[email protected]

diff --git a/services/github/[email protected] b/services/github/[email protected]
new file mode 100644
index 0000000..658664f
--- /dev/null
+++ b/services/github/[email protected]
@@ -0,0 +1 @@
+^Xlx3`]QA'^Z}\D+8%*0<}/3).i%(wiZ


Vince Hillier is the President and Founder of Revenni Inc. He is an open-source advocate specializing in systems engineering and infrastructure. Outside of building solid architecture that doesn't break the bank, he's interested in information security, privacy, and performance.