Pass, the password storage manager on FreeBSD
=============================================

> The "standard UNIX password manager"

Pass is a password storage manager that works on the command line.
It advertises itself as the "standard UNIX password manager".

The passwords are encrypted with GnuPG and saved in a directory
structure. Pass uses Git for the version control of this directory.

A sub directory tree inside this directory provides a structure. Each
password is stored in a separate file, encrypted using GnuPG.

Actions that affect passwords, like creation, editing, and deleting,
are automatically committed to Git. Add a remote repository to share
and synchronize the password store with your other machines.

You start by adding existing passwords to the storage. For new
accounts you let pass generate the password. Pass generates unique,
strong passwords using /dev/urandom.

Retrieved passwords can be shown on the command line, copied to the
clipboard, or exported as a QR-code. The clipboard will be restored
after 45 seconds.

Pass is available for the most current operating systems. It support
the use of multiple GnuPG keys.

Convenience utilities
---------------------
Pass comes with several convenience utilities.

* completion is available for several shells
* passmenu uses dmenu to let you select an account
* pass-import imports several formats, used by some popular password
 managers
* a Emacs mode to use pass from within Emacs
* and more

Directory structure
-------------------
At initialization, pass creates a directory at the default location
$HOME/.password-store.

Set the environment variable `PASSWORD_STORE_DIR' to override the
default location,

By adding entries to pass, you create a structure within this
directory. To add a new entry the name of the sub directory must be
provided.

Entries are grouped together in a sub directory, for example all a sub
directory for your Fediverse accounts, a sub directory for news outlet
accounts, and so on. Sub directories can be nested, you can add as
many layers as you want.

Install package
---------------
On FreeBSD, install the packages "password-store" and "git".

   pkg install git password-store

The package "password-store" provides "pass", our cli tool.

Create a GnuPG key
------------------
You can use pass with an existing GnuPG key, or create a dedicated
key.

As an example we choose to create a new, dedicated key.
Here's how to create an elliptic curve key:

   gpg2 --full-gen-key
   gpg (GnuPG) 2.4.3; Copyright (C) 2023 g10 Code GmbH
   This is free software: you are free to change and redistribute it.
   There is NO WARRANTY, to the extent permitted by law.

   Please select what kind of key you want:
      (1) RSA and RSA
      (2) DSA and Elgamal
      (3) DSA (sign only)
      (4) RSA (sign only)
      (9) ECC (sign and encrypt) *default*
     (10) ECC (sign only)
     (14) Existing key from card
   Your selection? 9
   Please select which elliptic curve you want:
      (1) Curve 25519 *default*
      (4) NIST P-384
      (6) Brainpool P-256
   Your selection? 1
   Please specify how long the key should be valid.
            0 = key does not expire
         <n>  = key expires in n days
         <n>w = key expires in n weeks
         <n>m = key expires in n months
         <n>y = key expires in n years
   Key is valid for? (0)
   Key does not expire at all
   Is this correct? (y/N) y

Here, we did choose 0 - key does not expire. Depending on your
thread model, you might prefer a different choice.

    GnuPG needs to construct a user ID to identify your key.

    Real name: <name, for example: pass-store-key>
    Email address: <email, for example [email protected]>
    Comment: <leave blank or enter a some comment>

The next step is to enter a password or passphrase (very long
password). Choose a strong password, this is the protection of your
data when your system, the Git repo or a backup from the repo gets
compromised. Make sure you save the password in a safe place, without
the password you won't be able to decrypt your data.

Make a backup of your key:

    gpg -a --export-secret-key <keyid> > backup-of-key.asc

Here `backup-of-key.asc' is the name of the file. Choose any name
you like. It is customary to use the .asc extension for ascii-armored
keys.

For <keyid> you can use the email address with which you created the key
(in our example: [email protected]), or the long hexidecimal string
shown when you request a list of your secret keys with `gpg -K' (that is
an uppercase k).

Keep the backup file separated from your passwords. Don't put the
exported key (the backup file) in the same Git repository as your
passwords.

Initialize password storage manager
-----------------------------------
Next, we initialize the storage directory.

   pass init <gpg-key>
   pass git init

The first command create a new directory, $HOME/.password-store
The second command initializes Git in this directory.

Initialize a remote repository
------------------------------
It's best to immediately create a remote repository, so your passwords
live at least on two locations.

   ssh <othermachine> mkdir password-store
   ssh <othermachine> "cd password-store && git init --bare"

Add the remote:

   pass git remote add origin <othermachine>:password-store

Add an existing password
------------------------
Add the password:

   pass insert Yahoo/<account>

You will be prompted for the password twice.
Use `-e' to echo back your input to the console.

This password will be saved in the encrypted file
`$HOME/.password-store/Yahoo/[email protected]'

Create a new, strong password
-----------------------------
Random generated passwords are stronger than the passwords you
can come up with. Pass generates passwords with any length.

It shows the generated password on the command line, or copies it
to the clipboard, or creates a QR-code.

   pass generate Yahoo/<other-account>

This will generate a password with the default length (25 chars).

To generate a password with the length of 35 chars:

   pass generate Yahoo/<other-account> 35

With the flag `-c' the password will be copied to the clipboard:

   pass generate -c Yahoo/<other-account>

Set the environment variable `PASSWORD_STORE_GENERATED_LENGTH' to override
the default length without having to provide a length at the command line.

Push the Git repository to the remote
-------------------------------------
Pass has automatically committed any changes to the local Git
repository.

You have to push these manually to the remote repository:

    pass git push -u --all

If you started with a Git clone, `pass git push' will be enough.

Likewise, you can pull the changes from the remote with:

   pass git pull

By pushing the changes to a remote repo, the keys are stored at least
at two different places, lowering the chance of total loss.

List the available passwords
----------------------------
To get a list of the available passwords, simply issue the command;

   pass

Pass creates a tree view of the directory structure and the files with the
passwords.

Retrieve the password
---------------------
Retrieval of the password is easy:

   pass Yahoo/<account>

This requires the password for your GnuPG key. The gpg-agent will make
sure you don't have to type your password too often.

Change the password
-------------------
To change the password, use the `pass edit' command.

   pass edit Yahoo/<account>

This will fire up your editor and let you edit the password. Which
editor is used depends on the environment variable EDITOR, or using vi
as a fallback.

Use this not only for changing the password but also for adding
multi-line entries (see below).

Delete the password
-------------------

   pass rm Yahoo/<account>

Usernames and passwords
-----------------------
Suppose you have two different usernames or accounts at the same
organization, just use the sub directory structure:

  pass insert Fediverse/Lemmy/<username-1>
  pass insert Fediverse/Lemmy/<username-2>

This will result in:

   .password-store/
   `-- Fediverse
       `-- Lemmy
           |-- username-1
           `-- username-2

Multiline entries
-----------------
To enter a multi-line entry, add the `-m' switch to the pass insert
command:

   pass insert -m Group/account

Enter as much info as you like, and finish with Ctrl-d.

Another option to enter multi-line entries is to use the edit command,
and create the multi-line entry in vi. This method is less
error-prone, because it allows you to correct mistakes.

When you retrieve a password with -c, pass copies only the first line
of a multi-line entry to the clipboard. The first line in multi-line
entries should therefor contain the password, and nothing else.

This is useful when you also want to store the security questions and
the answers you gave. This is also useful for websites where you are
identified by both a username and an email address. Or if you need to
store any other additional information. The information that you add
below the first line doesn't harm the normal pass workflow and still
enjoys the protection from the encryption.

Organize the information in the lines below the password using the
format

   fieldname: value

This way, e.g., additional tools like the Emacs mode are able to
fetch specific fields from it.

Accessing the passwords on a different machine
----------------------------------------------
Two steps are needed to access the passwords on a different machine:

* clone the Git repository
* import the GnuPG key

Clone the repostiroty from the remote
....................................
To clone the repository from the remote:

   git clone <othermachine>:password-store .password-store

Where <othermachine> is the machine where you pushed the remote.

Test that you see the tree when you issue the command `pass'.

Importing the GnuPG key
......................
Copy the file `backup-of-key.asc' (or whatever file name you entered)
to the machines where you also want to use your password store and
import it in GnuPg with:

   gpg --import backup-of-key.asc

After that, you must set the trust. Edit the key with gpg --edit-key
and issue the command `trust'.

   gpg --edit-key <keyid>
   ...
   trust
   Please decide how far you trust this user to correctly verify other users' keys
  (by looking at passports, checking fingerprints from different sources, etc.)

    1 = I don't know or won't say
    2 = I do NOT trust
    3 = I trust marginally
    4 = I trust fully
    5 = I trust ultimately
    m = back to the main menu

Choose 5 - trust ultimately.

Retrieve a password to check that GnuPG can decrypt the file with the
password.

After this, you can open, change and add passwords with the imported
key.

The good, the bad and the ugly
------------------------------
The good:
* pass is easy to use
* GnuPG provides secure encryption
* pass supports multi-line entries for additional information
* pass generates strong passwords
* pass commits your changes to Git
* the package comes with an Emacs mode

The bad:
* pass uses the name of the account as file name

 Somebody who reads the directory tree --which doesn't require a
 GnuPG key-- sees which accounts are in the tree.
 This requires either access to your machine or to the Git repo
 or a backup from the Git repo.

The ugly:
* When using multiple machines you have to keep the tree in sync

 This is probably the hardest part when using pass on multiple
 machines.
 - Whenever you make changes, make it a habit to immediately push
   your changes to the remote (`pass git push').
 - Start your session with `pass git pull' to make sure you have the
   latest version.

Emacs mode
----------
Of course there is an Emacs mode for pass!

The FreeBSD package `password-store' installs a few files in
`/usr/local/share/password-store/emacs/', among others the file
`password-store.el' and `README.md'.

After loading the `password-store.el' in Emacs, you can run commands
like:

* M-x password-store-insert
* M-x password-store-copy
* M-x password-store-copy-field

The last option is useful for multi-line entries, where each line
(except the first line, which contains the password) starts with
`fieldname: '.

There are more options than shown here, see the password-store.el file.

The commands like password-store-copy will give you a list of the
available passwords in the mini buffer, where you can pick the right
one using completion.

Much more
---------
Pass can do much more, and there is a small ecosystem around it,
with tools, clients, GUIs, and so on.

See the friendly manual with `man pass', and also the website
https://www.passwordstore.org/



Last edited: $Date: 2024/04/07 16:33:32 $

You are viewing proxied material from box.matto.nl. The copyright of proxied material belongs to its original authors. Any comments or complaints in relation to proxied material should be directed to the original authors of the content concerned. Please see the disclaimer for more details.