pass

pass

Install

sudo pacman -S pass pass-otp

Initialize

Create a GPG key.

gpg --full-generate-key

Get the key ID. In this case is AA21250888469FBC.

gpg --list-secret-keys --keyid-format LONG
------------------------------------------
sec   rsa4096/AA21250888469FBC 2019-08-15 [SC]
      69215DC44E8303C83090F2F1AA21250888469FBC
uid                 [ultimate] Yuri Alek (Example keys)
ssb   rsa4096/118727056C98BE57 2019-08-15 [E]

Initialize the repo with the key.

pass init "AA21250888469FBC"

Initialize a git repo.

pass git init

Manually decrypt a file.

gpg --decrypt .password-store/internet/gitlab.gpg

Export the keys.

gpg --output gpg_pub.gpg --armor --export AA21250888469FBC
gpg --output gpg_sec.gpg --armor --export-secret-key AA21250888469FBC

Importing keys.

gpg --import gpg_pub.gpg
gpg --allow-secret-key-import --import gpg_sec.gpg

Basic commands

Oficial documentation

Add password

pass insert internet/gitlab

Add multi line password

pass insert --multiline internet/gitlab

Edit a password

pass edit internet/gitlab

Generate password

pass generate internet/gitlab

Remove password

pass rm internet/gitlab

Copy password to clipboard

pass -c internet/gitlab

Add an otp code

The key has the format otpauth://totp/totp-key?secret=511fa83c3493a7009f1ab5d7502cc2&digits=8.

The key must be in Base32. If you need to transform it use oathtool -v -d6 511fa83c3493a7009f1ab5d7502cc2 or oathtool --verbose --totp 511fa83c3493a7009f1ab5d7502cc2 --digits=8 -w 1 | grep Base32 | cut -d ' ' -f 3

pass otp insert totp-key
pass otp insert -e totp-key ## Will show what you type

Backup

Export/backup the keys (public and private). The used key id is in ~/.password-store/.gpg-id.

gpg --output gpg_sec.gpg --armor --export-secret-key AA21250888469FBC
gpg --output gpg_sec.gpg --armor --export-secret-key `cat ~/.password-store/.gpg-id`

Backup ~/.password-store.

To restore import the keys.

gpg --allow-secret-key-import --import gpg_sec.gpg

And trust the key again to encrypt new passwords

gpg --edit-key AA21250888469FBC
gpg> trust
  1 = I don't know or won't say
  2 = I do NOT trust
  3 = I trust marginally
  4 = I trust fully
  5 = I trust ultimately
  m = back to the main menu

Your decision? 5
Do you really want to set this key to ultimate trust? (y/N) y
gpg> quit

Re-encrypt every password with another key

pass init "8271F30B83C51C44"

where "8271F30B83C51C44" is the GPG ID of the new key.

You have to input the password for the old key.

Custom pinentry program

In Arch Linux edit /usr/bin/pinentry.

#!/bin/sh

test -e /usr/lib/libgtk-x11-2.0.so.0 &&
exec /usr/bin/pinentry-curses "$@"

#exec /usr/bin/pinentry-gtk-2  "$@"

Other

• passmenu: dmenu.
• gpg-agent: Will keep the password for your key.
• pinentry: Will pop a window to introduce your password.

Links

• https://github.com/tadfisher/pass-otp#readme
• https://github.com/id0827502/dotfiles/blob/master/prod/scripts/quickpass.sh