After a month or so of using Keepass to manage my passwords, I wanted to set up something even simpler, and I decided to give it a try once and for all.
Pass is an extremely simple tool to manage your passwords by using GPG encryption on plain text files, allowing fairly customizable folder structure.
It follows the Unix philosophy of doing one thing and doing it right. It can be extended with different clients and plugins that expand its functionality and allow features like auto-typing, otp support and filename encryption, which is kinda nice.
Pass functionality
I am going to assume you know how to make and deal with gpg keys. But I will leave some sources if you wanna deal with that.
So, all I did was run
pass init <gpg-id>
Where you use the id of a preexisting gpg key you have. After that, to save a password you use
> pass insert personal/example.com/account-name
Enter password for account-name: account-password
If you’re creating a new account, you can use: pass generate <account-name>
which will make a random password and save it automatically.
Pass uses the first line of a file as password, and you can add extra lines
to it if you so wish. Therefore you can use the -m flag to continue
adding lines when creating a new entry.
I set up my files like this:
password
url: example.com
login: account@example.com
otpauth: otp_url_thing
autotype: login :tab pass :enter :delay :otp :enter
comment: whatever
I already explained enough of Pass itself, but this is not an in-depth tutorial, so if you wanna know more about pass itself you can visit its website
My personal setup
Coming from Keepass, I used pass-import and the following command
pass import keepass keepass_file.kdbx
This means I dont need to risk a plain text file such as CSV, which is kinda cool.
But, how do I actually use it?, well, on Linux I use rofi-pass, a great
utility that makes use of rofi and has support for a lot of features,
including auto-typing and otp support if you have the extension pass-otp installed. These
tools read the lines I showcased before, which is pretty practical.
I am quite a fan of how simple it is to configure and extend pass, and the
amount of existing tools that make use of it is great.
There are some browser extensions. I tried PassFF , but in the end I decided to only depend on rofi, since its simpler and safer than a plugin in my opinion.
Pass on Android
On my android device I decided to install Password Store which is a great client that supports auto-fill and other things.
However, how do I sync everything up?. The answer is pretty simple. Syncthing, a program that need no presentation.
I just shared my password-store folder to android and called it a day.
Password store needs OpenKeychain to gain access to your gpg keys. To export your private key you have to run this command from your terminal:
# In my case is gpg2, your distro might just use gpg
gpg2 --output secret_key.gpg --armor --export-secret-key <gpg-id>
Just copy it to your device and import it from the OpenKeychain app. it should prompt you to input your passphrase and now you can use it on Password Store.
The app works surprisingly well on browsers, compared to other password managers for Android, although its not as good on some apps, of course your mileage may vary, most of them should work just fine.
Pass on Windows
I again used Syncthing to keep everything up to date. I installed gpg4win to get everything gpg needs to work and I imported my key using Kleopatra, which gets installed automatically. You could also use the command line but I didn’t know it was available when I did it.
I was unable to find a working solution similar to rofi-pass, I am a fan
of Wox launcher, but it didn’t have a
plugin for pass, and it hasn’t been updated in a while so I decided to go for
browser-pass which
is a browser plugin. I would have preferred a native program to do it but it
is what it is.
There is actually a native program, QtPass. But it doesn’t have some pop-up shortcut and I didn’t feel like finding out how to do keyboard shortcuts on Windows.
Browserpass is wonderful though, and it is still being updated, so I will still use it, and I will use QtPass for native applications.
Some Troubleshooting
During my experimentation, I faced many problems. Sometimes saving new
passwords or edited changes on existing entries would not work. This
happened because the .gpg-id file used by pass was trying to encrypt the files with
a non existent key, since, Password Storeoverwrote it (I assume
that it is a subkey that only existed on android and the rest of my devices
are not aware of it).
Another problem is getting the password-store folder location to be found by
both of these programs. The plugin settings provide a way to set a custom
folder, and so does QtPass, I placed my folder in
C:\Users\my-user\password-store and managed to use it quite easily.
Final thoughts
I am really liking this setup, pass supports using git to manage branches
and that kinda stuff. But I decided to keep it simple and just use Syncthing as
mentioned before, I dont really have a secure git instance or somthing like
that, and since the filenames are not encrypted this can be a bit of leaked
metadata, but that isnt really a problem locally, and its probably no big deal
if I make a private repo on Codeberg or something like that.
I kinda wanted to make this blog a bit longer, but its honestly not that difficult to do the switch and I just provided a few sources across this post that could can be helpful if you need something more.
This is day 37 of #100DaystoOffload
