Tyler's Site

Abstract

Password managers are all but required software for working on a computer today. Many major organizations recognize the problems with password-based authentication and are actively trying to improve the landscape with things like multifactor authentication or even passkeys, an extension of MFA designed to be passwordless and phishing resistant.

However, until a more widely adopted authentication standard exists, most people will continue to rely on username and password authentication, which brings the big problem of having to remember all of those usernames and passwords. Nothing up to this point should be a surprise, and there are many products, both proprietary and open, that solve this problem:

KeePass is the password manager I have been using for my personal passwords; however, I have an issue of forgetting to sync the password file into my cloud storage so it can be used on other devices when needed. This is a problem that is easy enough to solve by having a client automatically mount my Nextcloud somewhere on my local computer rather than having to log in and upload it manually, but that is not something I am particularly interested in doing just for my passwords, as most of my other important files can be managed with something like Git, SCP, or rsync. Thankfully, GNU pass exists and works well with that workflow, while following the Unix philosophy and working in a terminal.

How does it work?

GNU Pass encrypts your data with a PGP key that you create with GNU Privacy Guard; from there, you access the stored passwords by unlocking that PGP key. Pass also includes commands to interact with Git to make it easier to back up the files; then simply transfer the GPG keys and the pass vault can be unlocked and used on another device.

Getting Started

For this post, I am working with Linux Mint Debian Edition since they had a release semi-recently, and on top of that I haven't used Linux Mint in a while. After a standard install and update cycle on the machine, GNU Pass can be installed with the following command:

# -y will prevent asking for confirmation
sudo apt install -y pass

Then we can initialize the password vault by:

# First generate GPG key if you do not have one
gpg --full-generate-key

# Replace 'john.smith@example.com' with
# the email address associated with your key
pass init john.smith@example.com

# Alternatively, you can use the key ID found by running this:
gpg --list-secret-keys

# then insert that key ID in the command (shown here in a KEY_ID variable;
# note that ${KEY-ID} would be parsed by the shell as "KEY, defaulting to ID")
pass init "${KEY_ID}"

Now let's start adding some passwords (the command is insert; pass has no add subcommand):

pass insert example.com
Enter password for example.com
Retype password for example.com

While this is a great way to store a password, categorizing the passwords would be nice, as would storing the usernames. Luckily, the developer has already thought of this: entries can be placed in directories, which we can use to categorize them, and naming the entry after the username stores that as well:

# This would create an entry in the 'cat1' category for a user called 'user'
pass insert cat1/docs.example.com/user
mkdir: created directory '/home/user/.password-store/cat1'
mkdir: created directory '/home/user/.password-store/cat1/docs.example.com'
Enter password for docs.example.com
Retype password for docs.example.com

Now that we have that password, we can list the entries in our vault with:

pass show
Password Store
└── cat1
    └── git.example.com
        └── user

Then to retrieve the password, we can either print it or copy it to the clipboard. The commands for each are below:

# To show the password in the terminal
pass show cat1/docs.example.com/user
password

# To copy the password to clipboard
pass -c cat1/docs.example.com/user
Copied cat1/docs.example.com/user to clipboard. Will clear in 45 seconds.

Pass is also capable of generating strong random passwords by using the generate command (the path below matches the commit message in the output; this store already had pass git init run, which is why a commit is created):

pass generate cat2/media.example.com/user
[master (root-commit) abfb5eb] Add generated password for cat2/media.example.com/user.
 4 files changed, 2 insertions(+)
 create mode 100644 .gitattributes
 create mode 100644 .gpg-id
 create mode 100644 cat2/media.example.com/user.gpg
The generated password for cat2/media.example.com/user is:
&zm>CnQ98+^e(oyz]^]sA+SN1

Finally, we can use Git to version control the password files and store them in a remote repository; this is safe because each entry is encrypted with GPG, while the directory and entry names themselves remain visible. We simply initialize the repo by running pass git init; then, whenever pass creates or changes a password, a commit is generated automatically. From there, run pass git push (assuming the origin has already been set for the repo) to send it up to your forge of choice.
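Because the whole store ends up on a forge, the one thing worth checking before a push is that every file in it really is a GPG blob. The script below is an added example, not code from the original post or from pass itself: it builds a constructed store under a temporary directory with the layout the mkdir output above shows (dummy bytes stand in for ciphertext), lists the entries the way pass show names them, and refuses to call the store clean if any file other than the .gpg entries and pass's own metadata files (.gpg-id and .gitattributes) is present. The store path argument, the function names, and the sample contents are all assumptions made for the example.

```shell
#!/bin/sh
# Added example: inspect a pass-style store without needing pass or gpg.
# Assumptions (not from the original post): the store root is passed as $1,
# every entry is a file ending in .gpg, and the only unencrypted files pass
# writes into the store are .gpg-id and .gitattributes.
set -eu

# List entries as `pass show` names them: the path relative to the store root
# with the .gpg suffix removed, e.g. cat1/docs.example.com/user
list_entries() {
    store="${1%/}"
    find "$store" -type f -name '*.gpg' ! -path '*/.git/*' \
        | sed -e "s|^$store/||" -e 's|\.gpg$||' \
        | sort
}

# Print every file that is neither an encrypted entry nor known pass metadata.
# Returns 1 when such a file exists (usable as a pre-push gate), 0 otherwise.
find_plaintext() {
    store="${1%/}"
    leaks=$(find "$store" -type f ! -path '*/.git/*' \
        ! -name '*.gpg' ! -name '.gpg-id' ! -name '.gitattributes')
    if [ -n "$leaks" ]; then
        printf '%s\n' "$leaks"
        return 1
    fi
    return 0
}

# Build a constructed sample store in a temp directory and print its path.
# The .gpg files hold dummy bytes, not real ciphertext: the point is the layout.
make_sample_store() {
    store=$(mktemp -d)
    printf 'john.smith@example.com\n' > "$store/.gpg-id"
    printf '*.gpg diff=gpg\n' > "$store/.gitattributes"
    mkdir -p "$store/cat1/docs.example.com" "$store/cat2/media.example.com"
    printf 'dummy ciphertext' > "$store/cat1/docs.example.com/user.gpg"
    printf 'dummy ciphertext' > "$store/cat2/media.example.com/user.gpg"
    printf '%s\n' "$store"
}

main() {
    store=$(make_sample_store)
    echo "Entries in $store:"
    list_entries "$store"
    # Simulate a mistake: a note dropped into the store unencrypted.
    printf 'constructed plaintext secret\n' > "$store/cat1/notes.txt"
    if find_plaintext "$store"; then
        echo "store is clean, safe to push"
    else
        echo "unencrypted file(s) found, do not push" >&2
    fi
}

main
```

Running the script prints the two entries and then flags cat1/notes.txt. The same find_plaintext check can be pointed at ~/.password-store before pass git push; it deliberately ignores the .git directory, since Git's own bookkeeping is not part of what pass encrypts.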

Switching and Considerations

If you want to try or use GNU Pass, check out the website and the Arch Wiki. The website in particular lists many extensions and add-ons for interacting with other systems, such as web browsers, that make this tool a bit easier to use. It also lists tools to automatically export your passwords from another system into GNU pass rather than having to enter them manually.

The main consideration for me with GNU Pass is whether to trust storing the passwords on something like GitHub or Codeberg. I don't have enough knowledge to give any legitimate criticism of GPG or PGP overall; there are certainly people online who do take issue with PGP. However, much like anything else on the Internet, there are people with opposing positions. GPG has been a trusted mechanism for thousands of people online in situations far more dangerous than the one I am in right now; however, before using this software, you should come to terms with how much you do or do not trust GPG. That brings up the next question, though: if you do not trust GPG or PGP in general, what system do you trust for guarding your passwords?