Pass - password manager for geeks
Why?
- ✅ CLI interface only, no need for GUI
- ✅ Works natively on Unix-like systems
- ✅ Has many clients for mainstream OS
- ✅ Only famous FOSS tools (used utils: git, pass, gpg, openssh, passphrase2pgp)
- ✅ No Google/Facebook account or other BS integration, your credentials are yours and stored by you on your computer
- ✅ Knowing your primary password is not enough to access your passwords
- ✅ Still can sync among devices
- ✅ You control where your backup is stored (and it's encrypted too)
- ❌ That's 100x more complicated to set up than most crappy password managers you'd find on the internet
1. Intro to pass
This tool provides an amazingly easy-to-use interface. It is available for most major Unix-like operating systems (basically every desktop OS except Windows).
Install it as shown on the website.
Get started:
- gpg --full-generate-key generates a key with GPG. When it finishes it prints the new key: the user ID you typed (something like myname, or myname <mail>) and its fingerprint. Remember it, that's your Key ID; pass accepts either the user ID or the fingerprint. Let it be user1 for now (assuming you skipped the mail). You will be asked for a passphrase - that's what your private key is encrypted with, so make sure to remember it!
- pass init user1 inits your password store (input the Key ID from the previous step)
- pass insert website/username opens a prompt where you type the password
- pass website/username retrieves it. pass -c website/username copies it to the clipboard instead (and clears the clipboard again after 45 seconds by default)
Now, there are two approaches to using the store on more than one device: a separate key per device, or one deterministically generated key shared by all devices.
2. How to sync your passwords with a new key on each device?
2.1 Set up git
- Install git
- Init repo: pass git init
- If you want to use github to sync:
- I highly recommend using an SSH key rather than a password or personal access token
- Set your username: git config --global user.name User1
- Set your email: git config --global user.email user@quack.org
- Generate an SSH keypair with ssh-keygen -t ed25519 (protect it with a passphrase)
- Copy the content of the public key (e. g. cat ~/.ssh/id_ed25519.pub | xclip -sel clip)
- Go to github.com -> settings -> SSH keys -> new SSH key, paste the key into the text area and save
- Create an empty repo (make it private: the entry names in the store are plain file names, only the contents are encrypted)
- Locally do pass git remote add github git@github.com:user1/myrepo.git (you don't have to name it github, of course)
- pass git push github master (if your git creates main instead of master by default, use that name here and below)
- If you want to use your local server to sync:
- Assuming you access it over ssh
- Create a repo on your remote server this way: git init --bare pass-repo
- Locally do pass git remote add home ssh://user1@your-ip:your-ssh-port/path/to/pass-repo
- pass git push home master
I personally use both. Your passwords can only be decrypted with your private keys, which you never send to anyone, so the encrypted store can be synced through a remote you do not fully trust. Keep in mind what the remote does see, though: the entry names (website/username) are plain directory and file names, and the git history keeps every old version of every entry. Now that git is set up, let's proceed by adding another device.
2.2 Add new computer
Let your current computer be A and the new one B.
- Key setup
- Generate a new GPG key on computer B with a different Key ID (gpg --full-generate-key), say user2
- Export its public key, e. g. gpg --export --armor "user2" > user2.pub, and copy user2.pub to computer A
- Export the public key of computer A to computer B the same way, the other way around
- On computer A, import it: gpg --import user2.pub. Then compare gpg --fingerprint user2 on both machines: everything in the store is about to be encrypted to this key, so a public key swapped in transit would hand all your passwords to someone else
- If gpg refuses to encrypt to the freshly imported key (an "Unusable public key" error, or a "There is no assurance this key belongs to the named user" prompt), mark it as trusted first: gpg --edit-key user2, then trust, then quit
- Reencrypt everything on computer A: pass init "user1" "user2"
- Push
- If you sync with github: pass git push github master
- If you sync with your local server: pass git push home master
- Init the password store and git repo on computer B (pass init "user1" "user2" && pass git init)
- Add the remote (same as in 2.1)
- For github: pass git remote add github git@github.com:user1/myrepo.git
- For your local server: pass git remote add home ssh://user1@your-ip:your-ssh-port/path/to/pass-repo
- Fetch and reset to it (pass git fetch github && pass git reset --hard github/master for github, pass git fetch home && pass git reset --hard home/master for the home server). Alternatively skip the init and reset and simply git clone the remote into ~/.password-store
Done. You can now retrieve passwords and sync them between two computers, see how simple & user-friendly it all is?
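After a re-encryption like the one in 2.2 (and again when a phone key is added later), it is worth checking that every entry really is encrypted to exactly the keys you expect: a file that still carries only the old key will be unreadable on the new device, and a file carrying a key you never added means something went wrong. The script below is an added example, not part of pass; it reads the .gpg files directly with gpg (no pass needed), which also illustrates that the store is just a folder of gpg files. It assumes gpg is installed and takes the store directory from PASSWORD_STORE_DIR, defaulting to ~/.password-store, as pass itself does. The packet dump used for the built-in self-check is constructed, with made-up key IDs.

```shell
#!/bin/sh
# Added example, not part of pass: audit which keys every entry in a pass store is
# encrypted to, so a stale or unexpected recipient after `pass init key1 key2` is
# noticed. Assumes gpg is installed; the store directory is taken from
# PASSWORD_STORE_DIR, defaulting to ~/.password-store, as pass itself does.

# Parse `gpg --list-packets` output from stdin and print the 16-hex recipient key
# IDs, upper-cased, sorted, de-duplicated and space-separated on one line. gpg
# reports the *encryption subkey* ID here, so compare against the "sub" lines of
# `gpg --list-keys --keyid-format long`, not the primary key. A hidden recipient
# (--hidden-recipient / --throw-keyids) shows up as 0000000000000000.
recipients_from_packets() {
    sed -n 's/^:pubkey enc packet:.*keyid \([0-9A-Fa-f]\{16\}\).*/\1/p' \
        | tr 'abcdef' 'ABCDEF' | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# Compare actual vs. expected recipient lists (both space-separated key IDs).
# Prints "missing: ID" / "unexpected: ID" lines and returns 1 on any difference,
# otherwise prints "ok" and returns 0.
check_recipients() {
    actual=$1
    expected=$2
    status=0
    for id in $expected; do
        case " $actual " in
            *" $id "*) ;;
            *) echo "missing: $id"; status=1 ;;
        esac
    done
    for id in $actual; do
        case " $expected " in
            *" $id "*) ;;
            *) echo "unexpected: $id"; status=1 ;;
        esac
    done
    [ "$status" -eq 0 ] && echo ok
    return "$status"
}

# Walk the store and report every .gpg file whose recipient set is not exactly
# the expected one. Usage: audit_store KEYID [KEYID...]
audit_store() {
    store=${PASSWORD_STORE_DIR:-$HOME/.password-store}
    expected=$*
    find "$store" -type f -name '*.gpg' ! -path '*/.git/*' | while read -r f; do
        # --list-only prints the packet headers without trying to decrypt.
        actual=$(gpg --batch --list-only --list-packets "$f" 2>/dev/null | recipients_from_packets)
        report=$(check_recipients "$actual" "$expected") || printf '%s\n%s\n' "$f" "$report"
    done
}

# Constructed sample of `gpg --list-packets` output for a file encrypted to two
# keys (key IDs made up for this example), used for the self-check below.
SAMPLE_PACKETS=':pubkey enc packet: version 3, algo 18, keyid A1B2C3D4E5F60718
        data: [263 bits]
:pubkey enc packet: version 3, algo 1, keyid 0123456789abcdef
        data: [4095 bits]
:encrypted data packet:
        length: 107
        mdc_method: 2'

# Run as `./pass-audit.sh KEYID...` to audit the real store; with no arguments,
# just show what the parser makes of the constructed sample.
if [ "$#" -gt 0 ]; then
    audit_store "$@"
else
    printf '%s\n' "$SAMPLE_PACKETS" | recipients_from_packets
fi
```

Run it with the encryption subkey IDs of every key listed in .gpg-id; files that print nothing are fine, and any file listed with a "missing:" line has not been re-encrypted for that key yet (run pass init again with the full key list to fix it).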
2.3 How to sync your passwords with your other computer using a deterministic key?
Sending private keys over the network is a security threat. That is why the recommended approach is always to generate a new keypair on each new device and add its public key to the list of "trusted" keys, as in 2.2.
However, that is inconvenient, and it is also fragile: if every device is lost, every private key is lost with it, and the encrypted data is gone for good.
That is why we take the middle ground. We do NOT transfer private keys over the network, but we generate them deterministically. That means all you need to remember is how you generated that key, and you can recover access to your data from any device, even if all the devices you had are lost.
- Install passphrase2pgp on both computers, it creates deterministic keys
- Create keys
- Make up a very secret passphrase; it is the generation seed for your keys. Make it long and random (many diceware words) and store it somewhere very secure: anyone who learns it owns your private key, and anyone holding your public key can try to brute-force a weak one offline
- Run passphrase2pgp --subkey --protect=2 --uid "user-d" | gpg --import
- It will ask for the passphrase - input the one you made up, twice
- It will then ask for a [protection] passphrase - that is the password you type whenever you access your passwords/gpg files
- --subkey is needed to get an encryption subkey, otherwise the key can only sign. --protect=2 makes the protection passphrase different from the generation passphrase
- Generate it the same way on the other computer, with the same passphrase and the same --uid (the user ID is part of the key derivation), but don't transfer the passphrase over the network. Compare gpg --fingerprint user-d on both machines: if the fingerprints differ, one of the inputs did
- Re-init pass with the new Key ID added (you can keep the old one)
- pass init "user1" "user-d"
- That keeps your old Key ID just in case, while everything is now also encrypted to the deterministic key
- Push your changes, pull on the other computer, test
3. Access & add passwords from your Android phone
- Install Password Store
- Install OpenKeychain
- Open the Password Store app, generate SSH and GPG keys (protect both with a passphrase)
- Upload your public SSH key to github or whatever your remote server is
- Export the public GPG key to your PC, import it there, check that its fingerprint matches what OpenKeychain shows, and re-encrypt your passwords with the new key added
- E. g. pass init "johny-pc" -> pass init "johny-pc" "johny-phone"
- Sync from your PC to the remote server
- Sync the phone from the remote server
- You're set
FAQ
Q: But wait, what if a hacker somehow steals one of my devices with this private key? Then he will get access to the most important key that I deterministically generated, and thus to all data!
A: Yes. But even if you generate the key randomly on every new device, the hacker gets to the data the same way. It is important to encrypt the private key itself, but if the hacker somehow got the private key, its passphrase, and the repo with passwords, it's over. At least in my setup. The one practical difference: with a key per device you can drop the stolen key from pass init and re-encrypt, while with the deterministic key the seed passphrase itself is burned and must be replaced. In both cases the passwords that were exposed have to be rotated.
Q: Why not KeePassXc, BitWarden, and alike?
A: First of all I should say that these are great options. Both are free and can be self-hosted. But I prefer pass.
pass follows the Unix philosophy, as it is entirely modular. It is originally just a small bash script which utilizes GnuPG, tree, and git. That means you're entirely free to replace those "dependencies" with whatever you like. It also means that you're not really dependent on pass, because the generated "key database" is literally a folder with .gpg files and a .gpg-id file with the Key IDs listed. So you can decrypt your passwords without pass (gpg -d ~/.password-store/website/username.gpg). Thanks to its modularity, it is very easy to write a pass client for any OS. As a result, there are clients for every OS, even iOS.
Q: What are the advantages over other password managers in terms of security?
A: Asymmetric encryption. Unlike most other password managers, this one encrypts files asymmetrically. It means that even someone who has both your primary password (the key's passphrase) and the folder with encrypted passwords cannot decrypt them without the private key. So unlike regular password managers, there are three components in your password workflow: the folder with passwords, the private key, and the passphrase of the key. All three are necessary to unlock a password.