With the recent LastPass leak, in which entire (encrypted) user vaults were stolen, I began to reconsider online "cloud" password managers. Coupled with my ongoing effort to own my data and be less reliant on online services and the internet overall, I decided to stop using an online-based password manager entirely. I was using Bitwarden, and although Bitwarden has been nothing short of fantastic, I'd rather not store my passwords anywhere online, regardless of whether they're encrypted. That's when I discovered pass.
pass is a locally installed password manager. What differentiates it from other local password managers like KeePassXC is that pass can be used entirely from the terminal. It follows the Unix philosophy, with each password stored in its own GPG-encrypted file. I started transitioning to pass a few weeks ago and use it with the passff Firefox extension. I also use it to store OTPs with the pass-otp extension.
| Command | Description |
|---|---|
| `pass init [gpg-id]` | Initialize the password store, encrypting entries to the given GPG key id |
| `pass insert archlinux.org/[username]` | Create an entry for the username and type in its password |
| `pass generate archlinux.org/[username] n` | Generate a new password of length n for the entry |
| `pass archlinux.org/[username]` | Retrieve the password |
| `pass -c archlinux.org/[username]` | Copy the password to the clipboard (requires xclip); cleared after 45 seconds |
| `pass ls` | List entries |
| `pass mv [entry] [location]` | Move an entry to a new location |
| `pass rm [entry]` | Remove an entry |
| `pass edit [pass_name]` | Edit an entry (opens in the default text editor) |
| `pass otp add [name]` | Add an OTP: run the command, then enter the otpauth URI |
| `pass otp [name]` | Display the current OTP code |
| `pass otp -c [name]` | Copy the OTP code to the clipboard; cleared after 45 seconds |
pass-otp is an extension for pass that supports one-time password tokens, and it was the original reason I started using pass. To obtain the URI, I had to export my OTPs to an unencrypted backup and open each file in a text editor. The URI looks something like this: `otpauth://totp/Example:chuck@example.com?secret=JBSWY3DPEHPK3PXP&issuer=Example`.
passff is the browser extension I use with Librewolf (Firefox) so I don't have to keep switching to a terminal window when I'm in the browser. To get passff to work with my setup, I had to set pinentry to pinentry-qt; otherwise I'd receive an error message and have to authenticate separately in a terminal. This is done by adding `pinentry-program /usr/bin/pinentry-qt` to the file `~/.gnupg/gpg-agent.conf`. If the file doesn't exist, you can create it. There are also other options like pinentry-gtk3, pinentry-gnome, etc. I just needed it set to a GUI variant so I'd be prompted for the decryption passphrase from passff.
Backing up and restoring to a different computer is as easy as copying the .password-store folder and exporting/importing your GPG keys. I also had to change ownership of the folder to the current user on the new machine. Backing up and restoring GPG keys is as follows.
| Command | Description |
|---|---|
| `gpg --list-secret-keys [user]` | List the user's keys (old machine) |
| `gpg --export -a [user] > public.gpg` | Export the user's public key |
| `gpg --export-secret-keys -a [user] > private.gpg` | Export the user's private key |
| `gpg --import public.gpg` | Import the user's public key (new machine) |
| `gpg --import private.gpg` | Import the user's private key (new machine) |
| `pass init [imported gpg-id]` | Initialize the password store on the new machine with the imported gpg-id, which is used to encrypt and decrypt the copied passwords |
One thing that should be emphasized with an offline password manager is the importance of keeping good backups, including your PGP keys. Although I only use my password manager on my laptop, I have four redundant encrypted backups in addition to the copy stored on my laptop.
Another limitation, I think, is that it can be annoying to set up if you're not familiar with PGP or the terminal, in which case KeePassXC is a far easier offline password manager to use. It took me several hours to learn how to import/export keys, configure pinentry, and understand GPG in general.
There have also been some criticisms of pass. Some are fair, but most don't really apply to me since I don't store my passwords online on services like GitHub, Dropbox, etc. If I were storing my passwords on these cloud services, it seems like it would make far more sense to just use a traditional password manager like Bitwarden.
What I specifically like about pass is that I am personally responsible for locally managing my passwords - and I like the fact that it's a minimal program that can be used in the terminal. What I liked about transitioning to pass, and this is a benefit of using any password manager, is the ability to keep track of what online accounts I have open so that I can later delete them if I so choose. I didn't use an import tool when I switched to pass, so I took it as an opportunity to do some account cleanup.
Thanks for reading. Feel free to send comments, questions, or recommendations to hey@chuck.is.