How to manage passwords using pass cli utility

In this article we will use a very lightweight password manager tool, “pass”. We will install this tool, set up a GPG key for the user who is going to manage these passwords, and then encrypt and store the passwords using that GPG key.

Test Environment

Fedora 37 workstation

What is pass

pass is a very lightweight password manager built on standard Unix tools. It creates a password store in which each password is kept in its own GPG-encrypted file, and it can retrieve, generate and synchronize passwords securely using the GPG key.

If you prefer watching a video, the YouTube video covers the same step-by-step procedure outlined below.

Procedure

Step1: Generate GPG key

As a first step, let’s generate a GPG key using the “gpg” utility as shown below. Provide the required details and generate the key.

$ gpg --full-generate-key
gpg (GnuPG) 2.3.8; Copyright (C) 2021 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Please select what kind of key you want:
   (1) RSA and RSA
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
   (9) ECC (sign and encrypt) *default*
  (10) ECC (sign only)
  (14) Existing key from card
Your selection? 1
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (3072) 
Requested keysize is 3072 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 0
Key does not expire at all
Is this correct? (y/N) y

GnuPG needs to construct a user ID to identify your key.

Real name: xxx
Email address: xxx@gmail.com
Comment: fedora_gpg_key
You selected this USER-ID:
    "xxx (fedora_gpg_key) <xxx@gmail.com>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: directory '/home/admin/.gnupg/openpgp-revocs.d' created
gpg: revocation certificate stored as '/home/admin/.gnupg/openpgp-revocs.d/AA3F4B024736789931C74FB522D3DDE6A49ACC5C.rev'
public and secret key created and signed.

pub   rsa3072 2023-10-13 [SC]
      AA3F4B024736789931C74FB522D3DDE6A49ACC5C
uid                      xxx (fedora_gpg_key) <xxx@gmail.com>
sub   rsa3072 2023-10-13 [E]

We can list the GPG keys installed and available on the system using the command shown below.

$ gpg --list-keys
gpg: checking the trustdb
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
/home/admin/.gnupg/pubring.kbx
------------------------------
pub   rsa4096 2015-02-16 [SC]
      8B1220FC564E9583200205FF7514F77D8366B0D9
uid           [ unknown] Red Hat, Inc. (tools key) <secalert@redhat.com>

pub   rsa3072 2023-10-13 [SC]
      AA3F4B024736789931C74FB522D3DDE6A49ACC5C
uid           [ultimate] xxx (fedora_gpg_key) <xxx@gmail.com>
sub   rsa3072 2023-10-13 [E]

Step2: Install pass

Now let’s install the “pass” utility, the password manager tool we want to explore.

$ sudo dnf install pass
...
Installed:
  pass-1.7.4-6.fc37.noarch                             qrencode-4.1.1-3.fc37.x86_64                             wl-clipboard-2.0.0-7.fc37.x86_64

Complete!

Step3: Initialize password store with gpg key

In this step we first need to initialize the password store in which the GPG-encrypted passwords will be kept, as shown below. The user id of the GPG key is passed to pass init so that every entry is encrypted to that key.

$ pass init "xxx (fedora_gpg_key) <xxx@gmail.com>"
mkdir: created directory '/home/admin/.password-store/'
Password store initialized for xxx (fedora_gpg_key) <xxx@gmail.com>

Step4: Store a new password

Now it’s time to store passwords in this password store using the command below, which encrypts each password with the GPG key and stores it in a file of the same name as shown below.

$ pass insert stack/admin
mkdir: created directory '/home/admin/.password-store/stack'
Enter password for stack/admin: 
Retype password for stack/admin: 

$ pass insert stack/dev
Enter password for stack/dev: 
Retype password for stack/dev: 

We can list the passwords in the folder “stack” as shown below.

$ pass stack
stack
├── admin
└── dev

Step5: Retrieve password to clipboard

We can retrieve the password into the clipboard as shown below instead of exposing it directly on the shell. pass will prompt for the passphrase of the GPG key created earlier before the password is decrypted.

$ pass -c stack/dev 
Copied stack/dev to clipboard. Will clear in 45 seconds.

$ pass -c stack/admin
Copied stack/admin to clipboard. Will clear in 45 seconds.

Step6: Retrieve password to console

Now let’s decrypt the stored password and output it directly to the console.

$ pass stack/admin 

Step7: Delete Entry

If the secret is no longer used, we can remove it as shown below.

$ pass rm stack/admin 
Are you sure you would like to delete stack/admin? [y/N] y
removed '/home/admin/.password-store/stack/admin.gpg'
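As an added example (not from the article or the pass project itself), here is a small shell script that inspects a pass-style store offline: it lists the entries that `pass stack` would show and flags a missing .gpg-id file or an entry file that other users can read. It assumes the store layout the steps above produce (one <entry>.gpg file per password plus a .gpg-id at the store root); the sample store it builds in a temp directory is constructed, with empty placeholder files standing in for ciphertext.

```shell
#!/bin/sh
# pass keeps one GPG-encrypted file per entry, named <entry>.gpg, under
# ~/.password-store (or $PASSWORD_STORE_DIR), and records the recipient key
# id written by `pass init` in a .gpg-id file at the store root.

# List entries as paths (what `pass <subfolder>` shows as a tree): walk the
# *.gpg files, strip the store prefix and the .gpg suffix, sort.
# Arguments: store directory, optional subfolder.
list_entries() {
    store=$1; sub=${2:-}
    base="$store${sub:+/$sub}"
    [ -d "$base" ] || return 1
    find "$base" -type f -name '*.gpg' \
        | sed -e "s#^$store/##" -e 's#\.gpg$##' | sort
}

# Checks worth running before trusting a store:
#  - .gpg-id must name the recipient key, otherwise pass cannot encrypt
#  - no entry may be group- or world-readable (octal -040 / -004 bits)
# Prints one problem per line; returns 0 only when the store is clean.
check_store() {
    store=$1; rc=0
    if [ ! -s "$store/.gpg-id" ]; then
        echo "missing or empty $store/.gpg-id"; rc=1
    fi
    bad=$(find "$store" -type f -name '*.gpg' \( -perm -040 -o -perm -004 \))
    if [ -n "$bad" ]; then
        printf '%s\n' "$bad" | sed 's/^/too permissive: /'; rc=1
    fi
    return $rc
}

# Build a constructed sample store in a temp dir and print its path.
make_sample_store() {
    d=$(mktemp -d)
    mkdir -p "$d/stack"
    printf '%s\n' 'xxx (fedora_gpg_key) <xxx@gmail.com>' > "$d/.gpg-id"
    : > "$d/stack/admin.gpg"; : > "$d/stack/dev.gpg"
    chmod 600 "$d/stack/admin.gpg"
    chmod 644 "$d/stack/dev.gpg"   # deliberately loose, caught by check_store
    echo "$d"
}
```

Run `check_store ~/.password-store` against a real store to audit it; the sample store exists only so the functions can be exercised without gpg or pass installed.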

“pass” is a very lightweight and easy-to-use CLI tool if your usage is limited to storing passwords. If you also want to manage secrets and keys, you can explore the “seahorse” GNOME application, which caters for those needs.

Step8: GNOME seahorse gui

Seahorse is a graphical interface for managing and using encryption keys. It also integrates with Nautilus, gedit and other places for encryption operations, and it acts as a keyring manager. You can install it as shown below.

$ sudo dnf install seahorse

Hope you enjoyed reading this article. Thank you.