Manage Passwords With GPG, The Command Line, And Pass

There are a lot of password managers on the market, some in the cloud, some local, all with features that may or may not be useful in all circumstances. I’m personally an advocate of being in control of your secure information and shedding reliance on closed source or cloud alternatives. This is why I use pass, the standard unix password manager.

The pass application is Mac and Linux compatible, but Windows support probably isn’t impossible. The application works by maintaining a list of password files that have been encrypted using GPG, a widely used cryptography software. Decrypting the files will result in access to your password information.

We’re going to take a look at using pass and see why it is a convenient option for password management.

Creating a GPG Key for Encryption and Decryption

Since the pass application is heavily reliant on GPG encryption and decryption, you must have it available on your computer. On Linux it should be readily available, but on Mac you might have to use Homebrew or download it externally.

To create a new GPG key, execute the following:

gpg --full-generate-key

After executing the above command, you’ll be asked a series of questions. Make sure that you choose the default and give it a key size of 4096. Remember, this is your sensitive password data so you should be choosing a large key size.

It is up to you if you want your key to expire. Just because it expires, doesn’t mean your password data is lost. You can always renew the key and continue using everything without problems.

During the question process you’ll be asked for your name and email. Fill in the information and then proceed to generate entropy for your key using your mouse and keyboard. When finished you’ll need to provide a passphrase. Treat this passphrase as your master password to all your other passwords, so make sure it is strong.

You can view your GPG keys by executing the following:

gpg --list-keys

You’ll need to list your keys because we’ll need some information to initialize our password store. When listing your keys you’ll see something like this:

pub   rsa4096 2018-11-30 [SC]
      1A35565C9FE601446AC30BDE55238D2674A7BAD4
uid           [ultimate] Test User <test@test.com>
sub   rsa4096 2018-11-30 [E]

What is important to us is the GPG id, which in our example is the 1A35565C9FE601446AC30BDE55238D2674A7BAD4 value. By using this id value we’ll be telling the pass application that we want to use this particular key to encrypt and decrypt our passwords.

Initializing the Password Store with the CLI

With a GPG key available, we can initialize our password manager. The initialization process could use a single GPG key with a default storage path, or we can customize it to use multiple keys or even a Git repository for maintaining a history of every manipulation made to our passwords.

At a basic level, the password manager can be initialized through the following command:

pass init "GPG-ID-HERE"

When executing the above command, you’ll want to use the actual ID of your GPG key. When initializing the password store, you might be asked for your GPG passphrase as part of the validation process.

While our password manager will be empty as of now, you can list your passwords by executing the following command:

pass

The passwords will be organized by directory and file structure which we’ll see in the next step. However, the list of passwords are not encrypted as nothing within the password files are exposed, only the names themselves.

Organizing Password Data and Storing Custom Information

Because passwords are stored as files, the organization of them can be considered the most complicated part of using the pass application. However, if you decide later that you don’t like how you’ve organized your passwords, you can always change it.

Whether you’ve used the default storage path of ~/GPG-ID-HERE/.password-store or a custom path, you password data is just stored as file data. Each file within your path represents a password with any amount of associated data, such as pins, usernames, websites, etc.

With that said, I’m personally organizing my passwords like the following:

system
--> imac
website
--> google.com
--> twitter.com
database
--> mraboy.com

Based on the above example you can see that I have several directories within my path. I, of course, have more, but the above is an example. Within each of the directories, I have a password file. When listing my passwords the file extensions won’t show, but each of the files ends with a .gpg extension.

So how would we start working with our password data?

When you’ve just initialized your password store, you actually won’t have any directories or password files. Don’t try to create them manually, but let the pass application do it for you.

To create your first password, execute the following:

pass generate website/facebook.com 15

The above command will create a directory titled website if it doesn’t already exist and create a password file titled facebook.com with a randomly generated 15 character password. While you should include symbols for strength, if you want to create a password with no symbols you can always strip them out with the --no-symbols flag.

To access your password data in a secure way, execute the following command:

pass -c website/facebook.com

The above command will prompt you for your GPG passphrase and if correct, it will securely copy your password to the clipboard rather than exposing it in the Terminal.

If you’d like to edit your password, you can execute the following command:

pass edit website/facebook.com

After entering your GPG passphrase, the password will be loaded into whatever text editor you have configured. For example I’m using VIM when working with the Terminal. When editing the password you’ll notice that there is only a single line of data. The first line of this file is the line picked up from the -c flag. Every line that follows will be accessible, just not from the copy. For example, your password file might look like the following:

s98khlkjasdfkljaf
username: nraboy@example.com
website: facebook.com

All data in this file is protected with GPG.

When using the pass application, if you have a prior existing password and you’d rather not generate a new one, you can always insert a new password manually. For example, you could do the following:

pass insert website/linkedin.com

After entering the command above, you’ll be prompted to enter your password. You can then later add any other information such as notes, a username, or anything else you can think of.

The pass documentation is great, but you can also get quick help by executing the pass --help command in your Terminal.

Conclusion

You just saw how to use the pass application for storing your password information in a self-managed fashion without the need of subscriptions or remotely hosted solutions. The pass application encrypts your password information with GPG which is a seasoned cryptography software. These encrypted passwords can be managed with Git or if you really wanted to you could sync them to a personal cloud such as OwnCloud or Resilio Sync.

If you’re not comfortable with the command line, there are third party extensions and software with user interfaces that work with the pass application. However, given how few commands there are, the command line is not too complicated.

Nic Raboy

Nic Raboy is an advocate of modern web and mobile development technologies. He has experience in C#, JavaScript, Golang and a variety of frameworks such as Angular, NativeScript, and Unity. Nic writes about his development experiences related to making web and mobile development easier to understand.