Password management from the command line

Remembrance of Things Pass

Article from Issue 158/2014

The easy-to-use Pass offers password control at the command line. We show you how to set it up and use it.

Password managers have become a standard Linux utility. They are a feature in web browsers, and at least a dozen desktop alternatives are available, ranging from KDE's Wallet [1] to Gringotts [2] and KeePassX [3]. In the past few years, online solutions such as LastPass [4] have also become common solutions.

Unfortunately, most of these alternatives leave users with only the vaguest idea of what they are doing. If you want a password manager that is easy to use and always makes clear what it is doing, you are better off turning to the command line – specifically to Pass [5], a password manager written by Jason A. Donenfeld that uses existing system resources in its operations.

Pass is available in the repositories of most major distributions. As usual, you can also compile from scratch, but, if you do, take note of the dependencies, especially GnuPG (GPG) [6], which creates encryption keys, and Password Generator (pwgen) [7], which generates random passwords that contain random combinations of upper- and lowercase letters, numbers, and special characters. Without GnuPG and pwgen, you will be unable to set up Pass, much less actually use it.

As a command, Pass uses the structure:


If the command is missing, ls is usually assumed, which means that you can see the contents of .password-store by typing only pass. The command also determines the valid options and arguments.

Setting Up Pass

Before you can use Pass, you must set up an encrypted subdirectory in your home directory.

The first step in this process is to create an encryption key to use with the subdirectory. You could, of course, use an existing one, but using a unique one makes for stronger security.

To create the key, enter the command:

gpg --gen-key

The option starts a wizard that walks you through creating the key (Figure 1). The implications of most of the choices are obvious – for example, the longer the key, the more secure it is likely to be. If you are at a loss, you can safely use the defaults. However, if you want a better sense of the alternatives, you can read up on the command online before using it [8].

Figure 1: Pass uses an encryption key created by GnuPG.

At the end of the key creation, GPG summarizes the key with the last eight characters of the key fingerprint. These eight characters are what Pass's man page refers to as the gpg-id, so copy it to the clipboard and make a note of it for later use. You will also need to remember the key's passphrase to use the passwords stored in Pass.

Once you have the key, you can initialize the encrypted directory with the command:

pass init GPG-ID

This command creates a subdirectory called .password-store in your home directory (Figure 2). Should you ever want to change the encryption key that Pass uses, you can add --reencrypt or -e to the command while specifying a different key.

Figure 2: The storage directory needs to be initialized before you can use Pass.

When .password-store is first initialized, it contains a subdirectory for the encryption key. As you add passwords, you can create additional subdirectories to keep organized. For example, you might have a subdirectory called Social for the passwords to sites like Facebook and Google+, and another called Email for the keys you use when exchanging encrypted email messages with correspondents.

Adding, Using, and Creating Entries

To view the entire contents of .password-store, use the command pass ls, pass show, or simply pass. All three show all the subdirectories, with the lowest entry in the tree being the individual password; there is also a top-level subdirectory for the gpg-id (Figure 3). If you use subdirectories to organize your passwords, you can display just the directory specified using the command pass ls DIRECTORY or pass show DIRECTORY.
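The store layout described above (entries as .gpg files under .password-store, organized in subdirectories, with the gpg-id recorded at the top level) lends itself to a quick health check. The following audit script is an added example, not part of the article or of Pass itself; it lists entries the way pass ls does, flags plaintext files that have strayed into the store, checks that the directory is private, and reports which gpg-id each part of the tree is encrypted to. It assumes the store path is passed as the first argument, and that a .gpg-id may also appear inside a subdirectory, a feature of current Pass versions that the article does not cover.

```shell
#!/bin/sh
# Added example, not from the article or from pass itself: audit the on-disk
# layout of a pass store (default ~/.password-store). Every function takes the
# store path as $1 so it can be pointed at a scratch directory.

# List entries the way "pass ls" presents them: the path relative to the
# store, without the .gpg suffix, one per line.
pass_entries() {
    store=$1
    find "$store" -type f -name '*.gpg' \
        | sed "s|^$store/||; s|\.gpg\$||" | LC_ALL=C sort
}

# Anything in the store that is not an encrypted entry, the .gpg-id file or
# git metadata is suspect: a plaintext file copied in by mistake is readable
# by anyone who can read the directory. Prints the strays; returns 1 if any.
pass_stray_files() {
    store=$1
    strays=$(find "$store" -type f ! -name '*.gpg' ! -name '.gpg-id' \
                  ! -name '.gitattributes' ! -path "$store/.git/*" \
             | sed "s|^$store/||" | LC_ALL=C sort)
    [ -z "$strays" ] && return 0
    printf '%s\n' "$strays"
    return 1
}

# The entry names themselves (site, account) are not encrypted, so the store
# directory should deny group and others. Columns 5-10 of "ls -ld" are the
# group/other permission bits; all of them must be '-'.
pass_store_private() {
    mode=$(ls -ld "$1" | cut -c5-10)
    [ "$mode" = "------" ]
}

# Report the gpg-id each part of the tree is encrypted to. The store root
# holds one .gpg-id; current pass versions also accept a .gpg-id inside a
# subdirectory (assumption: a feature the article does not cover), so every
# one found is printed with its scope.
pass_gpg_ids() {
    store=$1
    find "$store" -type f -name '.gpg-id' | LC_ALL=C sort | while read -r f; do
        scope=$(dirname "$f" | sed "s|^$store||; s|^/||")
        printf '%s: %s\n' "${scope:-<root>}" "$(tr '\n' ' ' < "$f" | sed 's/ *$//')"
    done
}
```

Run it as `sh audit.sh` after sourcing the functions and calling them with `"$HOME/.password-store"`; a non-zero return from pass_stray_files or pass_store_private is the finding to act on.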

Figure 3: Note the tree structure that helps you organize passwords.

To avoid duplication of passwords, you can check on an existing password with pass DIRECTORY/PASSWORD.

Before you add an entry, you might want to create a password for a site that is completely random by calling pwgen (Figure 4) with the command:


If you prefer, you can add --no-symbols or -n so that the password consists only of upper- and lowercase letters and numbers. Add -f or --force plus the path within .password-store after all the options, and you can replace the password of an existing entry.

Figure 4: Pass uses pwgen to create secure passwords.

The most useful options for generate are -c or --clip. Either one copies the generated password to the clipboard for 45 seconds, so after generating a password in a virtual terminal you can quickly paste it while adding the entry to .password-store with the command:

pass insert PATH

Pass responds to the preceding command by prompting for the password. Notice, too, that specifying a path creates any missing subdirectory, so you can use pass insert Social/Tumbler, or a similar path for another social-networking entry, and Pass creates the Social subdirectory inside .password-store if it does not yet exist (Figure 5).

Figure 5: As you add a password, you can add parent directories to keep passwords organized.

For added security, unless you add --echo or -e to the insert command, the inserted password is not displayed in the terminal; instead, you are asked to enter it twice. Additionally, if the path already exists, you cannot overwrite unless you add --force or -f. Still another security option, --multiline or -m, creates a password that is more than a single line long, which makes it more difficult to crack.

An alternate method of adding or editing a password is the command pass edit PATH, which opens the entry in the text editor specified in your environment or, if none is specified, in Vim.

Later, to delete a password, you can use the command structure:


The rm command can be modified with --recursive or -r. The command pass rm --recursive Social/ therefore would remove all the passwords in the Social subdirectory, whereas pass rm Social/Twitter would remove only the password for Twitter. You are prompted to confirm the deletion, unless you add the --force or -f option (Figure 6).

Figure 6: Pass asks for confirmation before you delete a password.

Using an Encrypted Password

Once the password is created and stored, you can display the password with:

pass show PATH

You need to enter the encryption key's passphrase to display the password, but the disadvantage of this command is that the password is displayed for anyone passing by to see. Also, you need to copy and paste it in a separate action to use it.

A more secure method of using the password is to copy it directly to the clipboard, without ever displaying it, with the command:

pass -c PATH

In response, GPG opens a dialog window for you to enter the encryption key's passphrase (Figure 7). When the phrase is entered successfully, you have 45 seconds before the password is cleared from the clipboard. During this time, you can navigate to the application that requires the password and paste it into the appropriate field.

Figure 7: You have 45 seconds before the password is cleared from the clipboard.
