Skip to content

Instantly share code, notes, and snippets.

@orymate
Created April 22, 2015 11:24
Show Gist options
  • Save orymate/a6bd9d2417fa5af70962 to your computer and use it in GitHub Desktop.
Save orymate/a6bd9d2417fa5af70962 to your computer and use it in GitHub Desktop.
Password-store (pass)

This repository contains the database of password-store used by our Team to store passwords (mostly to be used in emergencies).

The database is encrypted for the PGP keys of all members, and can be read and written by any standard PGP implementation.

pass

The preferred tool to manage these passwords is password-store a.k.a. pass.

Getting started

To install it on any current POSIX-compatible system, run the following commands:

sudo apt-get install pwgen gnupg tree git xclip
wget http://git.zx2c4.com/password-store/snapshot/password-store-1.6.5.tar.xz
tar xvf password-store-*.tar.xz
cd password-store-*
sudo make install

Don't use the apt package for Ubuntu, it's outdated (at least until 14.04), and doesn't support multiple PGP keys.

Now clone the repository: git clone ...password-store.git ~/.password-store

Key management

Now you can use the tool, but if you are a new user, you will need someone to reencrypt the store for your public key.

You will need a PGP key pair for that. If you don't have any, use seahorse (GUI) or gpg --gen-key to generate one. The defaults parameters will be fine (but I would choose a >2Kb key and set an expiration date of 10 or 20 years). The key generation takes very long time, be patient (seahorse doesn't give you feedback about the process; it's time to do an apt-get upgrade to gain some entropy).

Then figure out the generated public key's ID from the gen-key output or like bellow (C869E69F in the example):

$ gpg --list-key|grep ^pub
pub   2048R/C869E69F 2015-04-21

And push it to a public keyserver (with your key ID):

$ gpg --send-keys C869E69F

You will also need to import the keys of the colleagues:

$ gpg --recv-keys $(cat ~/.password-store/.gpg-id)

Now ask someone to reencrypt the repo with your key (substitute the ID):

$ gpg --recv-keys C869E69F
# You may need to poll for some time until the key servers get in sync
$ pass init $(cat ~/.password-store/.gpg-id) C869E6GF
$ pass git push

After that you will be able to reach the keys. Update the repo (pass git pull) and try pass keep-this-please.

Please keep your private key private, make encrypted backups, choose a proper passphrase, and save a revocation cert.

Using pass

You won't need many commands for everyday use, but here are some examples:

$ pass keep-this-please       # show key named keep-this-please
$ pass show keep-this-please  # ditto
$ pass -c keep-this-please    # copy named pw to keyboard
$ pass                        # list all passwords
$ pass search keep            # search passwords by name
$ pass generate foobar 10     # generate a 10 chars long password and save
$ pass git push               # push recent changes (pass autocommits, but
                              # never pushes/pulls magically)
$ pass git pull               # update the password store

Windows

Read-only access is easy to gain on Windows, but pass is only supposed to work with cygwin (like on Linux).

  • Install Git and gpg4win.
  • Generate and publish a key.
  • Ask someone to reencrypt the repo with it.
  • Clone the yourname@git.balabit:/var/scm/git/backoffice/password-store.git git repository.
  • Decrypt the needed file in the repository.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment