Getting started guide to the unix password manager pass. pass manages gpg-encrypted passwords (one
file per secret) in a standard directory-like hierarchy. Such files can be copied or stored in a git repository.
- Install pass (standard unix password manager):
Ubuntu/Debian:
$ sudo apt-get install pass
- Install pass-otp (pass plugin) to support two-factor-auth logins:
Ubuntu/Debian:
$ sudo apt-get install pass-extension-otp
pass expects to find all the password databases under the folder ~/.password-store, so there
should be one subfolder per password database.
To create a password database encrypted to your own key:
$ pass init -p <pass-db-folder> <pkey-id>
Note: ~/.password-store/<pass-db-folder> is, or can be made, the root folder of a git repo, so you can
store the DB in a Git repository.
When adding a new team member, every password in the database must be re-encrypted so that the new
member's key is among the recipients. To re-encrypt, first add the new member's public key id to the file
~/.password-store/<pass-db-folder>/.gpg-id (one id per line).
Let's assume I want to grant John Doe access to the password database pass-infra. The contents of ~/.password-store/pass-infra/.gpg-id should then be:
[email protected]
[email protected]
Now re-encrypt/re-initialize the password database with the command:
$ pass init -p <pass-db-folder> $(cat ~/.password-store/<pass-db-folder>/.gpg-id)
Following the example the command should be:
$ pass init -p pass-infra $(cat ~/.password-store/pass-infra/.gpg-id)
(pass init rewrites .gpg-id with exactly the ids given on the command line and re-encrypts every file
below the folder, so the ids can also be typed directly instead of being read back from the file.)
pass's git integration (pass git) only drives the repository at the root of ~/.password-store, not a
per-database repository, so to push local changes to the corresponding Git repo you must do it
manually: go to the password database subfolder and run git push.
Following our previous example, we should do:
$ cd ~/.password-store/pass-infra
$ git push
$ pass generate [-n] <pass-path> <length>
To generate a random password of the given length and store it at <pass-path>. Use -n to exclude symbols.
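The onboarding procedure above (add the new member's key id to .gpg-id, re-initialize the database, push) as one script, added here as an example; it is not part of pass or of the original guide. It assumes pass, gpg and POSIX sed/awk/find are installed; the sub-store name pass-infra and the email in the usage line are hypothetical. It goes one step beyond the text: after re-encrypting it lists the recipient key ids inside every ciphertext (without decrypting it) and fails if any file is missing any recipient from .gpg-id.

```shell
#!/bin/sh
# Added example, not part of pass itself: onboard a new member into a per-team
# sub-store and then check that every secret really is encrypted to every id
# in .gpg-id. Assumes pass, gpg and POSIX sed/awk/find; the sub-store name
# "pass-infra" and the member id used in the usage line are hypothetical.
STORE="${PASSWORD_STORE_DIR:-$HOME/.password-store}"

# Recipients listed in a .gpg-id file, one per line. pass 1.7 ignores blank
# lines and "# comments" in that file, so strip them the same way.
store_recipients() {  # $1 = path to .gpg-id
    sed -e 's/#.*//' -e 's/[[:space:]]*$//' -e '/^$/d' "$1"
}

# Long key ids a ciphertext was addressed to, parsed from the output of
# `gpg --list-only --list-packets` (one ":pubkey enc packet:" per recipient).
packet_keyids() {  # reads the packet listing on stdin
    sed -n 's/^:pubkey enc packet:.*keyid \([0-9A-Fa-f]\{16\}\).*/\1/p' | sort -u
}

# Long ids of the encryption-capable subkeys of a recipient. Needed because
# gpg encrypts to a subkey, so the id in the packet is not the primary key id.
encryption_subkeys() {  # $1 = email / key id / fingerprint
    gpg --batch --with-colons --list-keys "$1" 2>/dev/null \
        | awk -F: '$1 == "sub" && $12 ~ /e/ { print $5 }'
}

# Succeed when at least one line of $1 also occurs in $2 (both newline lists).
any_common_id() {
    printf '%s\n' "$1" | awk -v want="$2" '
        BEGIN { n = split(want, a, "\n"); for (i = 1; i <= n; i++) if (a[i] != "") seen[a[i]] = 1 }
        $0 != "" && ($0 in seen) { hit = 1; exit }
        END { exit hit ? 0 : 1 }'
}

# Grant $2 access to sub-store $1. `pass init -p` rewrites .gpg-id with exactly
# the ids given and re-encrypts every file below the folder, so the current ids
# are kept and the new one is appended.
add_member() {
    # shellcheck disable=SC2046  # ids are emails or fingerprints, no spaces
    pass init -p "$1" $(store_recipients "$STORE/$1/.gpg-id") "$2"
}

# Return 1 if any .gpg file under sub-store $1 is not encrypted to an
# encryption subkey of every recipient in .gpg-id.
verify_store() {
    sub="$1" rc=0
    oldifs=$IFS; IFS='
'   # split find output on newlines only, so paths with spaces survive
    for id in $(store_recipients "$STORE/$sub/.gpg-id"); do
        subs=$(encryption_subkeys "$id")
        if [ -z "$subs" ]; then
            echo "no public key for $id in the keyring" >&2; rc=1; continue
        fi
        for f in $(find "$STORE/$sub" -name '*.gpg'); do
            ids=$(gpg --batch --list-only --list-packets "$f" 2>/dev/null | packet_keyids)
            any_common_id "$ids" "$subs" \
                || { echo "NOT encrypted to $id: ${f#"$STORE"/}" >&2; rc=1; }
        done
    done
    IFS=$oldifs
    return "$rc"
}

# Usage: sh onboard.sh pass-infra john.doe@example.com   (hypothetical values)
if [ "$#" -eq 2 ]; then
    add_member "$1" "$2" && verify_store "$1" && (cd "$STORE/$1" && git push)
fi
```

The verification step is what makes the push safe: if pass could not decrypt some file with your own key (for example one that was added by a colleague and never re-encrypted to you), `pass init -p` leaves it untouched and the new member cannot read it, which the check reports before anything is pushed. The same procedure run with a member removed from .gpg-id only protects new ciphertexts: every earlier version already committed stays in the git history, readable with the removed key, so the affected secrets have to be rotated rather than merely re-encrypted.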
$ pass insert [-m] <pass-path>
To insert a password read from standard input. With -m, multi-line input is enabled and pass reads
until EOF (Ctrl+D).
$ pass [ls] [pass-subpath]
To print a tree-like list of the stored passwords, starting from <pass-subpath> if given.
$ pass [show] [-c] <pass-path>
To fetch and print a specific password. Use -c to copy it to the clipboard for 45 seconds instead of
printing it to standard output.
Note: the subcommand names ls and show can be omitted; pass runs the same action when only the
path is given.
$ pass mv <src-pass-path> <dest-pass-path>
$ pass cp <src-pass-path> <dest-pass-path>
$ pass rm [-rf] <pass-path>|<pass-subpath>
To delete a specific password or, with -r, a whole subfolder of passwords. -f skips the confirmation prompt.
$ pass edit <pass-path>
To edit an existing password in $EDITOR; it can also be used to create a new one instead of insert.
$ pass otp [-c] <pass-path>
To generate the current OTP code (pass-otp extension). Use -c to copy it to the clipboard instead of
printing it. The entry must hold an otpauth:// URI; pass otp insert <pass-path> stores one read from
standard input.
$ gpg --full-gen-key
Select "RSA and RSA" with a key length of 4096 bits.
$ gpg --armor --export <key-id> > mypkey.asc
To export your public key so it can be shared with the team. Whoever needs to encrypt for you imports it with:
$ gpg --import mypkey.asc
After importing a public key it must be signed (trusted) so it can be used to encrypt passwords:
$ gpg --edit-key <pkey-id>
....
gpg> lsign
....
Really sign? (y/N) y
gpg> save
lsign creates a local, non-exportable signature: it marks the key as trusted only in your own keyring.
Compare the key's fingerprint (gpg --fingerprint <pkey-id>) with its owner over a trusted channel before
signing; a key with the right email but the wrong owner would receive a copy of every password.