Skip to content

Instantly share code, notes, and snippets.

@jasonm23
Last active September 10, 2022 14:15
Embed
What would you like to do?
Setting up Pass on Mac, Firefox and Android.

Password Store (pass) on Mac, Firefox and Android

A quick word on OPSEC.

Completed the initial setup of pass on Macos Big Sur, this is after BitWarden locked me out half a day because apparently I had "network issues", but that seems highly doubtful.

Anyway that shook my faith in Bitwarden, so I searched for an alternative and I'm pretty happy with pass. It's simple, no-nonsense. In a nutshell it's front end for a git repo + gpg to handle encryption.

Bascially if your client side can reach/interact with a git repo and works with GPG (2.2 for Android/OpenKeyChain, see below.) we're in business.

To install pass and be able to pick the correct GPG version, we have to install it manually, but no worries, it's a shell script.

git clone https://git.zx2c4.com/password-store
cd password-store

To avoid Macos permissions/getting in your way, we just set $PREFIX to /usr/local. (The Makefile will default to PREFIX=/usr)

PREFIX=/usr/local make install 

Once that's done we setup pass...

pass init "GPG KEY ID"

Wait you got a GPG key ID right? No?! Ok... pause, let's install GPG.

brew install gnupg@2.2
brew link gnugpg

If you already have a GnuGPG binary installed, make sure pass is only talking to v2.2 (edit the path, or pass's shell script to make sure it's only using gpg 2.2)

check that...

gpg --version

If it's 2.2x we're good, if not, fix that.

Also install the GPG-tools, make sure you have a GUI Pinentry for GPGKey pass-phrase entry.

Assuming we're ok, create a key.

gpg --full-generate-key

Then we export the key for use with pass.

gpg --armor --export-secret-keys YOUREMAILADDRESS > gpg.pub.key
gpg --armor --symmetric --output key.sec.asc < gpg.pub.key

Now list the keys

gpg --list-keys

Which will output something like...:

/Users/you/.gnupg/pubring.kbx
-------------------------------
sec   ed21519 2022-05-26 [SC]
      E5E395663938FC536482922C223A48BC0D6C6841
uid           [ultimate] Your Name <you@gmail.com>
ssb   cv12319 2022-05-26 [E]

Your key ID will be where E5E395663938FC536482922C223A48BC0D6C6841 is.

so back on track...

pass init E5E395663938FC53648NOTTHISTHOUGHYOURGPGKEYID2922C223A48BC0D6C6841

We have a password store!

pass git init

Now it's a git repo... Assuming you know how to get a new git repo online.

pass git remote add git@host.com:name/repo.git

Now we can manually add things to pass go read the man page... man pass

To import from bitwarden there's pass-import. It was non-obvious to install, so:

cd ~/.password-store
mkdir .extensions
cd .extensions

wget https://github.com/roddhjav/pass-import/releases/download/v3.2/pass-import-3.2.tar.gz
tar xzf pass-import-3.2.tar.gz
cd pass-import-3.2
python3 setup.py install

cd ~

Assuming Python 3.10 and pip are installed, you're fine.

Check the docs for other pw managers at https://github.com/roddhjav/pass-import

For BitWarden we do an export to JSON from there and with the file we do:

pass import bitwarden ~/path-to-bitwarden.json

Ok, let's check they're all in ...

pass list

You should see all the items from BitWarden...

So, let's push that stuff to your PRIVATE git repo, it's obviously encrpyted too, but please.

pass git push

You may have guessed, but anything after pass git is just regular old git commands, so do what you need to.

Firefox

So getting things working with Firefox requires the PassFF extension. Install it through the Firefox extensions store.

We also need to install the passff host so do this...

curl -sSL github.com/passff/passff-host/releases/latest/download/install_host_app.sh | bash -s -- firefox

Restart Firefox and you'll be able to access the passwords. It's an ok extension, I need to use it more to see if there are issues. Passwords can be found, copied, filled in, added, sync'ed, etc.

Mobile

Android.

Next we need to get the key key.sec.asc we made earlier, and an ssh key for access to the git repo, all somewhere onto your phone/device whatever.

First let's install OpenKeyChain-Android

Setup just needs to import the key.sec.asc we generated earlier.

That should be fine, if not refer to the docs.

Now install Android-password-store and set it up. We need to tell it where the git repo is and give it an ssh key.

And We're done.... do a referesh from Android password store... and you should be happy.

Note: New items will need you to git push, if you add them from the command line, but passFF and Android-password-store do that automatically for you.

iOS PassForiOS

This was similar to Android, however the App has solid instructions, so just follow them: PassForiOS Startup Guide. You will need to send keys sent to the device... !!!DO NOT!!! SEND KEYS VIA EMAIL!!!!

Instead, install a Terminal and SSH client on the iOS device (I used Blink) and scp from the machine where the GPG keys are to the iOS device.

Pinentry

You'll need to unlock the password store using the GPG Key passphrase.

brew install pinentry-mac

Should be all you need to do to get GPG key passcode prompts in the Macos GUI. Mind you, I've had to unlock in the terminal a couple of times though.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment