Linux Password Manager CLI

From Ever changing code

pass the standard unix password manager

Password management should be simple and follow Unix philosophy. With pass, each password lives inside of a gpg encrypted file whose filename is the title of the website or resource that requires the password. These encrypted files may be organized into meaningful folder hierarchies, copied from computer to computer, and, in general, manipulated using standard command line file management utilities.

pass makes managing these individual password files extremely easy. All passwords live in ~/.password-store, and pass provides some nice commands for adding, editing, generating, and retrieving passwords. It is a very short and simple shell script. It's capable of temporarily putting passwords on your clipboard and tracking password changes using git.



The rngd daemon acts as a bridge between a Hardware TRNG (true random number generator) such as the ones in some Intel/AMD/VIA chipsets, and the kernel's PRNG (pseudo-random number generator).

# Install 'rngd' to gain enough entropy for 'gpg' public and secret key creation
$> sudo apt-get install rng-tools

# Check the amount of bytes of entropy currently available
cat /proc/sys/kernel/random/entropy_avail

GnuPGP key

Create a key that will be used by pass to encrypt/decrypt ~/.password-store

$>  $ gpg --gen-key
gpg (GnuPG) 2.2.4; Copyright (C) 2017 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Note: Use "gpg --full-generate-key" for a full featured key generation dialog.

GnuPG needs to construct a user ID to identify your key.

Real name: Bob Smith              # <- input
Email address:     # <- input
You selected this USER-ID:
    "Bob Smith <>"

Change (N)ame, (E)mail, or (O)kay/(Q)uit? O # <- input

│ Please enter the passphrase to                       │
│ protect your new key                                 │
│                                                      │
│ Passphrase: ________________________________________ │ # <- can be
│                                                      │ # left blank
│       <OK>                              <Cancel>     │ # 2x dialog

We need to generate a lot of random bytes. 
(..omitted..) to gain enough entropy.
gpg: /home/vagrant/.gnupg/trustdb.gpg: trustdb created
gpg: key 0046C0CB14D14757 marked as ultimately trusted
gpg: directory '/home/vagrant/.gnupg/openpgp-revocs.d' created
gpg: revocation certificate stored as '/home/vagrant/.gnupg/openpgp-revocs.d/B5FCCC7D6BE3B93F0B5569790046C0CB14D14757.rev'
public and secret key created and signed.

pub   rsa3072 2020-02-16 [SC] [expires: 2022-02-15]
uid                      Bob Smith <> # <- gpg key
sub   rsa3072 2020-02-16 [E] [expires: 2022-02-15]

Initialise password store

Initialise password store, by providing gpg key for the store encryption. Identify the key by username or keyID. The file ~/.password-store/.gpg-id will contain the key identifier passed on by pass init <keyIdentifier>

$>  $ pass init                           # option.1 by the uid
$>  $ pass init B5FCCC7D6BE3B93F0B5569790046C0CB14D14757 # option.2 by the key fingerprint

mkdir: created directory '/home/vagrant/.password-store/'
Password store initialized for
$>  $ pass ls
Password Store
$>  $ pass insert user1
Enter password for user1: ***
Retype password for user1: ***
$>  $ pass ls
Password Store
└── user1

$>  $ pass user1

GPG keys manipultaion

# Delete GPG key
gpg2 --delete-secret-keys
gpg2 --delete-key # delete a public key (from your public key ring)

# delete an private key (a key on your private key ring)
# This deletes the secret key from your secret key ring. 
gpg --delete-secret-key "User Name"

# delete a public key (from your public key ring):
gpg --delete-key "User Name"
This removes the public key from your public key ring.
# NOTE! If there is a private key on your private key ring associated with this public key, 
# you will get an error! You must delete your private key for this key pair from your private key ring first.

# To list the keys in your public key ring:
gpg --list-keys

# To list the keys in your secret key ring:
gpg --list-secret-keys