There are many Password applications out there, most require a fee. But what about self-hosting? There are many self-hosted Password managers and a few of those require a fee. But what about a password manager that is command-line based? Let's install and try Password Store.
Use Brew on a Mac
brew update && brew upgrade && brew install pass pass-otpOn Debian/Ubuntu
apt install pass pass-extension-otpOn Redhat/CentOS
dnf install pass pass-otpIn most cases, bash, zsh and fsh completion will be setup.
Notes from:
Create a new GPG Key
gpg --gen-keyAnswer a few questions and you will have a new key to encrypt and decrypt your password files. (You can use your real name or make something up.) After a bit you will have a Key ID -- a long alphanumeric string. Keep that and if you need to see it again, just run
gpg -KOne thing you will see is the expiration date. If you want it to never expire, run
gpg --edit-keyand invoke the expire command.
Create the store using the Key ID
pass init 2B2BF3...3A0E8CLet's also make it a git repo so we can sync
pass git initWith a couple to steps, we now have a password store on our local machine.
The pass command allows you to insert a password, generate a password, and delete. It uses a name for the password that is stored in plaintext on the disk so make sure you are careful you don't leak credentials by using an email address.
# insert a password for github
pass insert github
# Generate a password
pass generate gitlab
# Generate a password in a folder for organization
pass generate gitlab/workTo delete, it is just as easy
pass rm github/work# Search based on the name
pass find githubBut how do you search for an email or a note? (Again don't use email as name - you can leak credentials as the filename is not encrypted.) You can add metadata or other fields to the file.
pass edit github/work
##
5n6h23n5
email: your@email.comYou can then grep for fields or emails
pass grep "email:"To show the passwords use
pass show github
# copy the password to your clipboard
pass show -c githubSuppose you accidentally delete a password. You can, using git, restore from the repo.
pass git revert HEAD(I am using a service called rsync.net which is a ssh-based filesystem. My exmaples will use that, but you can also use a GitHub or GitLab repo.)
Here I'll create a fresh repo
ssh de5309@de5309.rsync.net git init --bare Git/passwordstoreThen I'll add it as the origin, set the upstream and push
pass git remote add origin de5309@de5309.rsync.net:~/Git/passwordstore
pass git push --set-upstream origin mainTo use this on a different host, you'll need to export your keys and copy them to a new host.
gpg --output public.gpg --armor --export your@email.net
gpg --output private.gpg --armor --export-secret-key your@email.netCopy the keys and then import
gpg --import private.gpg
# also this if it tried to open a dialog window
gpg --import --pinentry-mode loopback private.gpg
gpg --import public.gpg
# edit the trust so you can encrypt passwords on this machine
gpg edit 2B2BF3...3A0E8C
trustpass init 2B2BF3...3A0E8C
pass git init
pass git clone--single-branch --branch main de5309@de5309.rsync.net:~/Git/passwordstoreYou can view and copy and paste, but with variables and functions, you can pull secrets out of the store.
export GITHUB_TOKEN=$(pass show github/api/mytoken)
echo $GITHUB_TOKEN
alias aws="AWS_ACCESS_KEY_ID=$(pass show aws/access_id) AWS_SECRET_ACCESS_KEY=$(pass show aws/access_key) aws"Pass has other plugins and apps available. Check the Pass Webpage and look at Extensions and Clients.
This tutorial won't go into this, but using .gpg-id you can encrypt items for others. You will just need the public.key.
From the man page:
~/.password-store/.gpg-id
Contains the default gpg key identification used for encryption and decryption. Multiple gpg keys may be specified in this file, one per line. If this file exists in any sub directories, passwords inside those sub directories are encrypted using those keys. This should be set using the init command.