Pass - password manager for geeks


1. Intro to pass

pass stores each password in its own GPG-encrypted file under ~/.password-store (the directory tree is the whole "database") and wraps git for syncing, so the interface is just a handful of commands. It is available for most major Unix-like operating systems (basically every desktop OS except Windows).

Install it as shown on the website.

Get started: if you do not have a GPG key yet, generate one (gpg --full-generate-key), then initialise the store with that key's user ID, e. g. pass init "user1". On a single machine, pass insert and pass show are all you need.

Now, there are two approaches to using the store on more than one device: one keypair per device, with the store encrypted to all of them, or one deterministic keypair that can be regenerated from a passphrase on any device.

2. How to sync your passwords with a new device?

2.1 Set up git

  1. Install git
  2. Init the repo inside the store: pass git init
  3. If you want to use github to sync:
    1. I highly recommend using an SSH key instead of a password or access token
      1. Set your username: git config --global user.name "User1"
      2. Set your email: git config --global user.email "your-email"
      3. Generate an SSH keypair with ssh-keygen
      4. Copy the content of the public key (the .pub file), e. g. cat ~/.ssh/ | xclip -sel clip
      5. On github, go to settings -> SSH keys -> New SSH key, paste the key into the text area and save
    2. Create an empty repo. Make it private: the file names in the store tell anyone who can read the repo which accounts you have, even though the passwords themselves are encrypted
    3. Locally run pass git remote add github your-repo-ssh-url (you don't have to name the remote github, of course)
    4. pass git push github master (if your git creates main instead of master as the initial branch, use that name; pass git branch shows it)
  4. If you want to use your local server to sync:
    1. Assuming you access it over ssh
    2. On the remote server create a bare repo: git init --bare pass-repo
    3. Locally run pass git remote add home ssh://user1@your-ip:your-ssh-port/path/to/pass-repo
    4. pass git push home master

I personally use both. The store is encrypted to your public key(s); only the matching private keys, which never leave your devices, can decrypt it, so the encrypted files can be synced through a third party without handing it your passwords (it still sees the file names and the git history, though). Now that git is set up, let's add another device.

2.2 Add new computer

Let your current computer be A and the new one B. Assume A's key has the user ID "user1" and B's will be "user2".

  1. Key setup
    1. Generate a new GPG key on computer B with a different user ID, "user2" (gpg --full-generate-key)
    2. Export its public key, e. g. gpg --export "user2" > pub.k, and copy the file to computer A
    3. Export the public key of computer A the same way and copy it to computer B (steps 2 and 4, the other way around)
    4. On computer A, import the key: gpg --import pub.k, then mark it trusted (gpg --edit-key "user2", then trust); without that gpg refuses to encrypt to it in batch mode and pass init fails with "Unusable public key". Do the same for user1's key on computer B
  2. Re-encrypt everything on computer A: pass init "user1" "user2" (this rewrites every .gpg file so both keys can decrypt it, updates .gpg-id and commits)
  3. Push
    1. If you sync with github: pass git push github master
    2. If you sync with your local server: pass git push home master
  4. On computer B, init the password store (both public keys must be imported and trusted there) and the git repo: pass init "user1" "user2" && pass git init
  5. Add the remote (same as in 2.1)
    1. For github: pass git remote add github your-repo-ssh-url
    2. For your local server: pass git remote add home ssh://user1@your-ip:your-ssh-port/path/to/pass-repo
  6. Fetch and reset to the remote branch: pass git fetch github && pass git reset --hard github/master for github, or pass git fetch home && pass git reset --hard home/master for the home server. The reset throws away B's own initial commit, which is fine because the remote already carries the right .gpg-id. Afterwards pass git branch --set-upstream-to=github/master (or home/master) so that a plain pass git pull works later

Done. You can now retrieve passwords on either computer and sync them with pass git push and pass git pull. See how simple & user-friendly it all is?

2.3 How to sync your passwords with your other computer (deterministic keys)?

Sending private keys over the network is a security threat. That is why the recommended approach is to generate a new keypair on every new device and add its public key to the list of keys the store is encrypted to, as in 2.2.

However, that is inconvenient, and it is not a backup: if every device that holds a private key is lost, the encrypted data is lost with them.

That is why we take the middle ground. We do NOT transfer private keys over the network; we generate them deterministically from a passphrase. All you need to remember is how you generated the key, and you can recover access to your data from any device, even if every device you had is lost. The price is that this passphrase is now the only secret: the key ID of your encryption key sits in every .gpg file of the repo, so anyone with a copy of the repo can test passphrase guesses offline. Make it long and random.

  1. Install passphrase2pgp on both computers; it creates keys deterministically from a passphrase
  2. Create the keys
    1. Make up a very secret passphrase. It should be long and random, and be stored somewhere very secure. It is the generation seed for your keys
    2. Run passphrase2pgp --subkey --protect=2 --uid "user-d" | gpg --import
      • It asks for the passphrase twice - enter the one you made up
      • It then asks for a protection passphrase - that is the password you type whenever you access your passwords/gpg files
      • --subkey adds the encryption subkey that pass needs. --protect=2 lets the protection passphrase differ from the generation passphrase
    3. Generate the key the same way on the other computer, with exactly the same passphrase and the same --uid (type it there, don't transfer it over the network), and keep the default key creation date, because the creation date is part of the fingerprint. gpg --list-keys "user-d" must show the same fingerprint on both computers
  3. Re-init pass with the new key, keeping the old key ID
    1. pass init "user1" "user-d"
    2. The store is now encrypted to both: the old key still works just in case, and the deterministic key can decrypt everything
  4. Push your changes, pull on the other computer, test

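To see why the seed passphrase is the whole security of this scheme, here is a Python model added for this page; it is not passphrase2pgp's code or algorithm. It derives key material from a passphrase with scrypt (a memory-hard KDF standing in for the Argon2id that passphrase2pgp uses), shows that the same inputs give the same key on "computer A" and "computer B", and then runs the attack someone with a copy of the git repo can run: every .gpg file names the recipient's 64-bit key ID, so each guess can be checked offline without ever talking to you. The seeds, the wordlist and the way the key ID is formed are constructed for the demo, and salting with the user ID is a modelling choice (the page's rule of using the same passphrase and the same --uid on both machines holds either way).

```python
"""Model of a passphrase-derived ('deterministic') OpenPGP key, added for this
page. NOT passphrase2pgp's algorithm (that uses Argon2id and emits real
Ed25519/X25519 keys); hashlib.scrypt, also memory-hard, stands in for it so
two properties can be shown offline: the same passphrase and user ID give the
same key on any machine, and anyone holding a public identifier of the key
(the 64-bit key ID inside every .gpg file of the repo) can test guesses.
"""
import hashlib
import hmac

KDF = dict(n=2 ** 12, r=8, p=1, dklen=32)   # cost scaled down for a quick demo


def derive_secret(passphrase: str, uid: str) -> bytes:
    """Secret key material from the passphrase. In this model the user ID is
    the salt (modelling assumption), so another --uid yields another key."""
    return hashlib.scrypt(passphrase.encode(), salt=uid.encode(), **KDF)


def key_id(secret: bytes) -> str:
    """Stand-in for the public key ID that ends up in the store's .gpg files."""
    return hashlib.sha256(b"pub|" + secret).hexdigest()[:16].upper()


def guess_passphrase(target_id: str, uid: str, candidates) -> str:
    """Offline dictionary attack: re-derive each candidate and compare IDs.
    Returns the matching passphrase, or '' if no candidate matches."""
    for cand in candidates:
        if hmac.compare_digest(key_id(derive_secret(cand, uid)), target_id):
            return cand
    return ""


# constructed demo inputs: a weak seed any wordlist contains, a strong one that none does
WEAK_SEED = "Summer2024!"
STRONG_SEED = "orbit-kettle-marble-velvet-tundra-sable-quartz-ember"
WORDLIST = ["password", "letmein", "Summer2023!", "Summer2024!", "qwerty123", "hunter2"]


def demo() -> dict:
    """Same inputs -> same key on 'A' and 'B'; different uid -> different key;
    the weak seed is recovered from its key ID alone, the strong one is not."""
    on_a = derive_secret(WEAK_SEED, "user-d")
    on_b = derive_secret(WEAK_SEED, "user-d")
    other_uid = derive_secret(WEAK_SEED, "user-e")
    strong_id = key_id(derive_secret(STRONG_SEED, "user-d"))
    return {
        "reproducible": on_a == on_b,
        "uid_matters": other_uid != on_a,
        "weak_recovered": guess_passphrase(key_id(on_a), "user-d", WORDLIST),
        "strong_recovered": guess_passphrase(strong_id, "user-d", WORDLIST),
    }


if __name__ == "__main__":
    print(demo())
```

The real tool's KDF is far more expensive than the scaled-down scrypt above, but cost only multiplies the attacker's work per guess; it cannot rescue a seed that a wordlist or a few billion guesses will reach. A passphrase of several random words from a large list is the minimum for a key you intend to keep for years.
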
3. Access & add passwords from your Android phone

  1. Install Password Store (the Android app)
  2. Install OpenKeychain
  3. Open Password Store and generate an SSH key and a GPG key (the GPG key lives in OpenKeychain); make sure both are protected with a password
  4. Upload your public SSH key to github or whatever your remote server is
  5. Export the phone's public GPG key, import it on your PC, mark it trusted (see 2.2), and re-encrypt your passwords by adding the new key
    1. E. g. if you had pass init "johny-pc", run pass init "johny-pc" "johny-phone"
    2. Push from your PC to the remote server
  6. On the phone, sync (pull) from the remote server; it can now decrypt the store, and anything it adds is encrypted to both keys
  7. You're set
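Whether you add a computer (2.2) or a phone (step 5 above), the thing to verify afterwards is that every file in the store really is encrypted to every key in .gpg-id. The classic failure: a device that has not yet pulled the new .gpg-id inserts a password, which gets encrypted to the old keys only, and pushes it; the new device can then open everything except that file. The script below is an added example written for this page, not part of pass or gpg. It reads the OpenPGP packet headers of each .gpg file directly (the recipient key IDs sit in the PKESK packets, RFC 4880 tag 1, at the front of the file) and compares them with the encryption-subkey IDs taken from gpg --list-keys --with-colons output, because gpg encrypts to the subkey, not to the primary key you name in .gpg-id. The colon output, key IDs and .gpg files in the demo are constructed; none are real keys.

```python
"""Verify that every .gpg file in a pass store is encrypted to every key in
.gpg-id. Added example for this page, not part of pass or gpg.

Recipients are read from the PKESK packets (RFC 4880 tag 1) at the front of
each file; the expected key IDs come from `gpg --list-keys --with-colons`
output, using the encryption subkeys (a PKESK names the subkey, not the
primary key).
"""
from pathlib import Path
import tempfile


def encryption_keyids(colons: str) -> set:
    """Key IDs (field 5) of pub/sub records whose capability field (field 12)
    contains 'e', i.e. keys gpg would actually encrypt to."""
    ids = set()
    for line in colons.splitlines():
        f = line.split(":")
        if f[0] in ("pub", "sub") and len(f) > 11 and "e" in f[11]:
            ids.add(f[4].upper())
    return ids


def pkesk_keyids(data: bytes) -> list:
    """Recipient key IDs (16 hex chars) from the PKESK packets of an OpenPGP
    message. Handles old- and new-format headers and stops at the first
    packet that is not a session-key packet, i.e. the encrypted data."""
    ids, pos = [], 0
    while pos < len(data):
        ctb = data[pos]
        if not ctb & 0x80:
            raise ValueError("not an OpenPGP packet at offset %d" % pos)
        pos += 1
        if ctb & 0x40:                       # new-format header
            tag, o1 = ctb & 0x3F, data[pos]
            pos += 1
            if o1 < 192:
                length = o1
            elif o1 < 224:
                length = ((o1 - 192) << 8) + data[pos] + 192
                pos += 1
            elif o1 == 255:
                length = int.from_bytes(data[pos:pos + 4], "big")
                pos += 4
            else:
                length = None                # partial body: only the data packet
        else:                                # old-format header
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:
                length = None                # indeterminate length
            else:
                n = (1, 2, 4)[ltype]
                length = int.from_bytes(data[pos:pos + n], "big")
                pos += n
        if tag == 1:                         # PKESK: version(1) keyid(8) algo(1) MPIs
            if length is None or data[pos] != 3:
                raise ValueError("malformed PKESK packet")
            ids.append(data[pos + 1:pos + 9].hex().upper())
        elif tag != 3:                       # 3 = SKESK (passphrase); else = data
            break
        if length is None:
            break
        pos += length
    return ids


def missing_recipients(store: Path, expected: set) -> dict:
    """Relative path -> expected key IDs the file is NOT encrypted to. A hidden
    recipient (all-zero key ID, gpg --hidden-recipient) cannot be attributed,
    so such a file shows up with every key it does not name explicitly."""
    report = {}
    for path in sorted(store.rglob("*.gpg")):
        missing = expected - set(pkesk_keyids(path.read_bytes()))
        if missing:
            report[path.relative_to(store).as_posix()] = missing
    return report


# ---- constructed sample data for the demo: not real keys or packets ----
SUB_A = "1A2B3C4D5E6F7A8B"   # encryption subkey of "user1" (hypothetical)
SUB_B = "9C8D7E6F5A4B3C2D"   # encryption subkey of "user2" (hypothetical)
SAMPLE_COLONS = """\
pub:u:255:22:AAAAAAAAAAAAAAAA:1700000000:::u:::scESC::::::23::0:
uid:u::::1700000000::0000000000000000000000000000000000000000::user1::::::::::0:
sub:u:255:18:1A2B3C4D5E6F7A8B:1700000000::::::e::::::23:
pub:u:255:22:BBBBBBBBBBBBBBBB:1700000000:::u:::scESC::::::23::0:
uid:u::::1700000000::1111111111111111111111111111111111111111::user2::::::::::0:
sub:u:255:18:9C8D7E6F5A4B3C2D:1700000000::::::e::::::23:
"""


def fake_pkesk(keyid: str, new_format: bool) -> bytes:
    """PKESK packet with a dummy 128-bit RSA MPI, in either header format."""
    body = b"\x03" + bytes.fromhex(keyid) + b"\x01" + b"\x00\x80" + b"\x42" * 16
    ctb = 0xC1 if new_format else 0x84     # tag 1, one-octet length
    return bytes([ctb, len(body)]) + body


FAKE_DATA = bytes([0xD2, 21, 0x01]) + b"\x00" * 20   # tag 18 (SEIPD) stand-in


def demo() -> dict:
    """Throwaway store with one re-encrypted file and one stale file."""
    expected = encryption_keyids(SAMPLE_COLONS)
    with tempfile.TemporaryDirectory() as tmp:
        store = Path(tmp)
        (store / "mail").mkdir()
        # rewritten by `pass init "user1" "user2"`: both subkeys present
        (store / "mail" / "work.gpg").write_bytes(
            fake_pkesk(SUB_A, False) + fake_pkesk(SUB_B, True) + FAKE_DATA)
        # inserted on a device that still had the old .gpg-id: user1 only
        (store / "bank.gpg").write_bytes(fake_pkesk(SUB_A, False) + FAKE_DATA)
        return missing_recipients(store, expected)


if __name__ == "__main__":
    for name, keys in demo().items():
        print("%s is not encrypted to: %s" % (name, ", ".join(sorted(keys))))
```

On a real store, feed encryption_keyids the output of gpg --list-keys --with-colons for each ID in ~/.password-store/.gpg-id and point missing_recipients at ~/.password-store; the manual equivalent for a single file is gpg --list-packets file.gpg, whose ":pubkey enc packet:" lines carry the same key IDs. Any file the check reports is fixed by re-running pass init with the full key list, which re-encrypts everything and commits.
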