Password management from the command line
Remembrance of Things Pass
The easy-to-use Pass offers password control at the command line. We show you how to set it up and use it.
Password managers have become a standard Linux utility. They are a feature in web browsers, and at least a dozen desktop alternatives are available, ranging from KDE's Wallet [1] to Gringotts [2] and KeePassX [3]. In the past few years, online solutions such as LastPass [4] have also become common.
Unfortunately, most of these alternatives leave users with only the vaguest idea of what they are doing. If you want a password manager that is easy to use and always makes clear what it is doing, you are better off turning to the command line – specifically to Pass [5], a password manager written by Jason A. Donenfeld that uses existing system resources in its operations.
Pass is available in the repositories of most major distributions. As usual, you can also compile from scratch, but, if you do, take note of the dependencies, especially GnuPG (GPG) [6], which creates encryption keys, and Password Generator (pwgen) [7], which generates random passwords that contain random combinations of upper- and lowercase letters, numbers, and special characters. Without GnuPG and pwgen, you will be unable to set up Pass, much less actually use it.
As a command, Pass uses the structure:
pass COMMAND OPTIONS ARGUMENT
If the command is missing, ls is usually assumed, which means that you can see the contents of .password-store by typing only pass. The command also determines the valid options and arguments.
Setting Up Pass
Before you can use Pass, you must set up an encrypted subdirectory in your home directory.
The first step in this process is to create an encryption key to use with the subdirectory. You could, of course, use an existing one, but using a unique one makes for stronger security.
To create the key, enter the command:
gpg --gen-key
The option starts a wizard to help you create the key (Figure 1). The implications of most of the choices are obvious – for example, the longer the key, the more secure it is likely to be. If you are at a loss, you can safely use the defaults. However, if you want a better sense of the alternatives, you can search for the command online before using it [8].
At the end of the key creation, GPG summarizes the key with the last eight characters of the key fingerprint. These eight characters are what Pass's man page refers to as the gpg-id, so copy it to the clipboard and make a note of it for later use. You will also need to remember the key's passphrase to use the password stored in Pass.
Once you have the key, you can initialize the encrypted directory with the command:
pass init GPG-ID
This command creates a subdirectory called .password-store in your home directory (Figure 2). Should you ever want to change the encryption key that Pass uses, you can add --reencrypt or -e to the command while specifying a different key.
When .password-store is first initialized, it contains a subdirectory for the encryption key. As you add passwords, you can create additional subdirectories to keep organized. For example, you might have a subdirectory called Social for the passwords to sites like Facebook and Google+, and another called Email for the keys you use when exchanging encrypted email messages with correspondents.
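A read-only check of the store that pass init creates, added here as an example (it is not code from the article or from Pass). It assumes Pass's on-disk layout of a .gpg-id file at the top of the store and one .gpg file per entry; audit_store and its finding labels are names made up for this example. It also flags eight-character key IDs, because two different keys can share one, and pass init accepts the full fingerprint as well.

```shell
#!/bin/sh
# Added example, not part of Pass: audit the on-disk layout of a password store.
# Assumes a .gpg-id file at the top of the store and one .gpg file per entry.
# Prints one finding per line; returns 0 if clean, 1 on findings, 2 if no store.
audit_store() {
    store=${1:-${PASSWORD_STORE_DIR:-$HOME/.password-store}}
    findings=0
    [ -d "$store" ] || { echo "MISSING $store is not a directory"; return 2; }

    # Entry names (sites, accounts) are visible as file names, so the
    # directory should grant nothing to group or others.
    mode=$(stat -c %a "$store" 2>/dev/null || stat -f %Lp "$store")
    case $mode in
        *00) ;;
        *) echo "PERMS $store has mode $mode, expected 700"
           findings=$((findings + 1)) ;;
    esac

    if [ -f "$store/.gpg-id" ]; then
        while IFS= read -r id || [ -n "$id" ]; do
            id=${id#0x}
            case $id in
                *[!0-9A-Fa-f]*) ;;   # e-mail address or name: not checked here
                ????????) echo "SHORTID $id is an 8-character key ID"
                          findings=$((findings + 1)) ;;
            esac
        done < "$store/.gpg-id"
    else
        echo "NOGPGID $store/.gpg-id not found; was pass init run?"
        findings=$((findings + 1))
    fi

    # Anything that is not *.gpg (hidden files and directories aside) is a
    # file that was never encrypted by Pass.
    stray=$(cd "$store" && find . -type f ! -name '*.gpg' ! -path '*/.*')
    if [ -n "$stray" ]; then
        printf '%s\n' "$stray" | sed 's/^/PLAINTEXT /'
        findings=$((findings + 1))
    fi

    [ "$findings" -eq 0 ]
}

# Run against the directory given as the first argument, if there is one.
if [ "$#" -gt 0 ]; then audit_store "$1"; fi
```

The script only reads file names, modes, and .gpg-id; it never calls gpg or decrypts an entry, so it can run unattended.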
Adding, Using, and Creating Entries
To view the entire contents of .password-store, use the command pass ls, pass show, or simply pass. All three show all the subdirectories, with the lowest entry in the tree being the individual password; there is also a top-level subdirectory for the gpg-id (Figure 3). If you use subdirectories to organize your passwords, you can display just the directory specified using the command pass ls DIRECTORY or pass show DIRECTORY.
To avoid duplication of passwords, you can check on an existing password with pass DIRECTORY/PASSWORD.
Before you add an entry, you might want to create a password for a site that is completely random by calling pwgen (Figure 4) with the command:
pass generate OPTIONS PASSWORD-LENGTH
If you prefer, you can add --no-symbols or -n so that the password consists only of upper- and lowercase letters and numbers. Add the -g or --force plus the path within .password-store after all the options, and you can change the password of an existing entry.
The most useful options for generate are -c or --clip. Using either one copies the generated password to the clipboard for 45 seconds, which means, after generating the password in a virtual terminal, you can quickly paste it in when you type .password-store with the command:
pass insert PATH
Pass responds to the preceding command by asking the user for the password. Notice, too, that specifying the path creates a subdirectory if necessary, so you can use pass to insert an entry into Social/Tumbler or another networking interface inside .password-store (Figure 5).
For added security, unless you add --echo or -e to the insert command, the inserted password is not displayed in the terminal; instead, you are asked to enter it twice. Additionally, if the path already exists, you cannot overwrite unless you add --force or -f. Still another security option, --multiline or -m, creates a password that is more than a single line long, which makes it more difficult to crack.
An alternate method of adding or editing a password is to use the command edit PATH to open the text editor specified in your environment, or, if none is specified, in Vim.
Later, to delete a password, you can use the command structure:
pass rm OPTIONS PATH
The rm command can be modified with --recursive or -r. The command pass rm --recursive Social/ therefore would remove all the passwords in the Social subdirectory, whereas pass rm Social/Twitter would remove only the password for Twitter. You are prompted to confirm the deletion, unless you add the --force or -f option (Figure 6).
Using an Encrypted Password
Once the password is created and stored, you can display the password with:
pass show PATH
You need to enter the encryption key to display the password, but the disadvantage of this command is that the password is displayed for anyone passing by to see. Also, you need to copy and paste in a separate action to use the password.
A more secure method of using the password is to copy it directly to the clipboard without viewing it directly with the command:
pass -c PATH
In response, GPG opens a dialog window for you to enter the encryption key's passphrase (Figure 7). When the phrase is entered successfully, you have 45 seconds before the password is cleared from the clipboard. During this time, you can navigate to the application that requires the password and paste it into the appropriate field.