Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
Setting up pass on git with a gpg key

The following shell transcript shows how to:

  • Create a GPG key
  • Create a pass database
  • Add git support to the pass database
  • Create a remote git repository
  • Push the pass database to the remote git repository
  • Fetch and display your passwords from another host

It is assumed that the pass package has been installed on both the first and second computers.

Create a GPG key

user@host:~$ gpg --gen-key
gpg (GnuPG) 1.4.18; Copyright (C) 2014 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
Your selection? 1
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 4096
Requested keysize is 4096 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 
Key does not expire at all
Is this correct? (y/N) y

You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
    "Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"

Real name: First Middle Last Suffix
Email address: first.last@host.tld
Comment: 
You selected this USER-ID:
    "First Middle Last Suffix <first.last@host.tld>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
You need a Passphrase to protect your secret key.

We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.

Not enough random bytes available.  Please do some other work to give
the OS a chance to collect more entropy! (Need 172 more bytes)
............+++++

Not enough random bytes available.  Please do some other work to give
the OS a chance to collect more entropy! (Need 198 more bytes)
..............+++++
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.

Not enough random bytes available.  Please do some other work to give
the OS a chance to collect more entropy! (Need 250 more bytes)
..........+++++

Not enough random bytes available.  Please do some other work to give
the OS a chance to collect more entropy! (Need 249 more bytes)
......+++++
gpg: key 68214821 marked as ultimately trusted
public and secret key created and signed.

gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
pub   4096R/68214821 2015-06-24
      Key fingerprint = A5C2 96E8 AC41 0889 60D9  2D1F 0F6D B722 6821 4821
uid                  First Middle Last Suffix <first.last@host.tld>
sub   4096R/36A6F06D 2015-06-24

Create a pass database

user@host:~$ gpg --list-keys
/home/user/.gnupg/pubring.gpg
------------------------------
pub   4096R/68214821 2015-06-24
uid                  First Middle Last Suffix <first.last@host.tld>
sub   4096R/36A6F06D 2015-06-24

user@host:~$ pass init 68214821
mkdir: created directory ‘/home/user/.password-store/’
Password store initialized for 68214821

Add git support to the pass database

user@host:~$ pass git init
Initialized empty Git repository in /home/user/.password-store/.git/
[master (root-commit) c343a0c] Add current contents of password store.
 1 file changed, 1 insertion(+)
 create mode 100644 .gpg-id
[master edaf464] Configure git repository for gpg file diff.
 1 file changed, 1 insertion(+)
 create mode 100644 .gitattributes

user@host:~$ pass generate serviceprovider/account.name@service.tld 21
mkdir: created directory ‘/home/user/.password-store/gmail’
[master e6a1974] Add generated password for serviceprovider/account.name@service.tld.
 1 file changed, 0 insertions(+), 0 deletions(-)
 create mode 100644 serviceprovider/account.name@service.tld.gpg
The generated password for serviceprovider/account.name@service.tld is:
;J&E_2A55<%=<KxoEDZuL

Create a remote git repository

user@host:~$ ssh user@gitrepo.org -p gitport \
    "git init --bare /path/to/git/user-password/"
user@gitrepo.org's password: 
Initialized empty Git repository in /path/to/version_systems/git/user-password/

Push the pass database to the remote git repository

user@host:~$ pass git remote add origin \
    ssh://user@gitrepo.org:gitport/path/to/git/user-password/

user@host:~$ pass git push -u --all
user@gitrepo.org's password: 
Counting objects: 10, done.
Delta compression using up to 8 threads.
Compressing objects: 100% (7/7), done.
Writing objects: 100% (10/10), 1.38 KiB | 0 bytes/s, done.
Total 10 (delta 1), reused 0 (delta 0)
To ssh://user@gitrepo.org:gitport/path/to/git/user-password/
 * [new branch]      master -> master
Branch master set up to track remote branch master from origin.

Fetch and display passwords from another computer

It is assumed here that your GPG key has been migrated to the second computer.

user@host:~$ gpg --list-keys
/home/user/.gnupg/pubring.gpg
------------------------------
pub   4096R/68214821 2015-06-24
uid                  First Middle Last Suffix <first.last@host.tld>
sub   4096R/36A6F06D 2015-06-24

user@host:~$ pass init 68214821
mkdir: created directory ‘/home/user/.password-store/’
Password store initialized for 68214821

user@host:~$ pass git init
Initialized empty Git repository in /home/user/.password-store/.git/
[master (root-commit) c343a0c] Add current contents of password store.
 1 file changed, 1 insertion(+)
 create mode 100644 .gpg-id
[master edaf464] Configure git repository for gpg file diff.
 1 file changed, 1 insertion(+)
 create mode 100644 .gitattributes

user@host:~$ pass git remote add origin \
    ssh://user@gitrepo.org:gitport/path/to/git/user-password/

user@host:~$ git reset origin/master

user@host:~$ pass git fetch
user@gitrepo.org's password: 
warning: no common commits
remote: Counting objects: 10, done.
remote: Compressing objects: 100% (7/7), done.
remote: Total 10 (delta 1), reused 0 (delta 0)
Unpacking objects: 100% (10/10), done.
From ssh://user@gitrepo.org:gitport/path/to/git/user-password/
 * [new branch]      master     -> origin/master

user@host:~$ pass git rebase origin/master
First, rewinding head to replay your work on top of it...

user@host:~$ pass show serviceprovider/account.name@service.tld
gpg: WARNING: The GNOME keyring manager hijacked the GnuPG agent.
gpg: WARNING: GnuPG will not work properly - please configure that tool to not interfere with the GnuPG system!
;J&E_2A55<%=<KxoEDZuL
@bgalvao

This comment has been minimized.

Copy link

@bgalvao bgalvao commented May 2, 2018

nice!

@fg91

This comment has been minimized.

Copy link

@fg91 fg91 commented Feb 18, 2019

This is awesome, thank you!

@jesperp

This comment has been minimized.

Copy link

@jesperp jesperp commented May 30, 2019

On a new computer I think you can just clone the repo directly into .password-store in your home dir (after you have imported GPG keys):

cd
git clone <git-repo> .password-store
@komali2

This comment has been minimized.

Copy link

@komali2 komali2 commented Apr 27, 2020

very very helpful, thank you

Maybe the gpg program has changed a bit, or my version is different on Ubuntu 18.04, but my initial steps were slightly different than these ones. It was still pretty self-explanatory though.

@adegoodyer

This comment has been minimized.

Copy link

@adegoodyer adegoodyer commented May 2, 2021

Awesome, thanks for spending the time creating this 👍

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment