pass
From Gentoo Wiki
pass is a command-line password manager that stores, retrieves, generates, and synchronizes passwords securely. It integrates directly with the user's PGP keys to store password in encrypted format on disk. Pass is written in Bash and was created by Gentoo developer Jason A. Donenfeld (Zx2c4) .
Installation
USE flags
USE flags for app-admin/pass Stores, retrieves, generates, and synchronizes passwords securely
X
|
Use x11-misc/xclip to copy passwords to the clipboard. |
dmenu
|
Add support for x11-misc/dmenu with the 'passmenu' program. |
emacs
|
Add support for GNU Emacs |
git
|
Use dev-vcs/git for password revisions. |
importers
|
Allow importing passwords from other password managers using various contributed scripts. |
wayland
|
Enable dev-libs/wayland backend |
Emerge
root #emerge --ask app-admin/passAdditional software
Plugins
- app-admin/pass-audit::guru - Audit your password repository.
- app-admin/pass-otp - Manage and generate one-time passwords (OTP).
- app-admin/pass-update::guru - Update your passwords.
Browser add-ons
Compatible tools
CLI:
- app-admin/gopass - Go implementation of pass.
GUI:
- app-admin/qtpass - Qt GUI for pass.
- gui-apps/tessen::guru - Interactive menu to autotype and copy pass data.
- kde-misc/plasma-pass - Plasma applet to access passwords from pass.
Configuration
For initial steps and configuration read the pass man pages:
user $man pass
Usage
pass-otp
Adding a pass entry for the user larry:
user $pass edit gentoo/larryExample pass entry generating (OTP) one-time passwords:
user $pass show gentoo/larryotpauth://totp/larry@gentoo?secret=ZBURIWIVW5UQP4F5PYZ75LHTXU======
Generating a (OTP) one-time password using pass otp command:
user $pass otp gentoo/larry076884
ViM
Tip
Users of Vim or Neovim should configure the editor not to write the password to disk when using pass edit command,
Users of Vim or Neovim should configure the editor not to write the password to disk when using pass edit command,
which can inadvertently happen with options such as swapfile and undofile. There is a plugin to set the appropriate options when the editor is editing a password file at https://dev.sanctum.geek.nz/cgit/vim-redact-pass.git. Like other Vim plugins, this can be installed using a plugin manager or by placing the files in an appropriate location manually.
Invocation
user $pass --help============================================
= pass: the standard unix password manager =
= =
= v1.7.4 =
= =
= Jason A. Donenfeld =
= Jason@zx2c4.com =
= =
= http://www.passwordstore.org/ =
============================================
Usage:
pass init [--path=subfolder,-p subfolder] gpg-id...
Initialize new password storage and use gpg-id for encryption.
Selectively reencrypt existing passwords using new gpg-id.
pass [ls] [subfolder]
List passwords.
pass find pass-names...
List passwords that match pass-names.
pass [show] [--clip[=line-number],-c[line-number]] pass-name
Show existing password and optionally put it on the clipboard.
If put on the clipboard, it will be cleared in 45 seconds.
pass grep [GREPOPTIONS] search-string
Search for password files containing search-string when decrypted.
pass insert [--echo,-e | --multiline,-m] [--force,-f] pass-name
Insert new password. Optionally, echo the password back to the console
during entry. Or, optionally, the entry may be multiline. Prompt before
overwriting existing password unless forced.
pass edit pass-name
Insert a new password or edit an existing password using /usr/bin/vim.
pass generate [--no-symbols,-n] [--clip,-c] [--in-place,-i | --force,-f] pass-name [pass-length]
Generate a new password of pass-length (or 25 if unspecified) with optionally no symbols.
Optionally put it on the clipboard and clear board after 45 seconds.
Prompt before overwriting existing password unless forced.
Optionally replace only the first line of an existing file with a new password.
pass rm [--recursive,-r] [--force,-f] pass-name
Remove existing password or directory, optionally forcefully.
pass mv [--force,-f] old-path new-path
Renames or moves old-path to new-path, optionally forcefully, selectively reencrypting.
pass cp [--force,-f] old-path new-path
Copies old-path to new-path, optionally forcefully, selectively reencrypting.
pass git git-command-args...
If the password store is a git repository, execute a git command
specified by git-command-args.
pass help
Show this text.
pass version
Show version information.
More information may be found in the pass(1) man page.
Removal
Unmerge
root #emerge --ask --depclean --verbose app-admin/passSee also
- KeePassXC/cli — a command line interface for the KeePassXC password manager.
- Password management tools — This meta article is dedicated to secure password generation, auditing of generated passwords for security, and management of existing passwords.
- Jason A. Donenfeld (Zx2c4) 's wiki page.
- Google Authenticator — describes an easy way to setup two-factor authentication on Gentoo.
- OATH-Toolkit — toolkit for (OTP) One-Time Password authentication using HOTP/TOTP algorithms.
External resources
- List of integrations on project website.
- https://vitalyparnas.com/guides/pass/ - A blog post covering clever uses of pass.