Secret Pass

If you are like many Linux users today, you have dozens of online accounts for different services and websites. If you care about security, you are really not supposed to give those accounts the same password; nor is it considered safe to write all your passwords down on paper and store it in your desk drawer. Password managers evolved as a means for letting users store their passwords safely. Password managers differ in form and functionality, but the basic idea is that the password manager stores your passwords in a safe, encrypted format, and you provide one password to gain access to the password store. Instead of having to memorize all your passwords, you just have to memorize one.

Pass [1] is a lean password manager that relies on some classic Linux tools to help you generate and manage your passwords.

What Is Pass?

Pass is basically just a shell script that bundles various tasks involved in managing passwords into functions that are easy to use. The Pass script integrates a number of other tools that make it possible to back up data using strong cryptography, to copy passwords directly to the clipboard, or to manage the entire database using a version control system.

Pass uses GnuPG to encrypt files, Git to manage the files, and xclip to copy them to the clipboard. When installing Pass, most package managers automatically update the existing GnuPG files. In addition to xclip, the program usually requires a tool for displaying directory hierarchies (tree) (Listing 1).

$ pacman -Si pass
Repositorium              : community
Name                      : pass
Version                   : 1.7.1-1
Description               : Stores, retrieves, generates, and synchronizes passwords securely
Architecture              : any
URL                       : https://www.passwordstore.org/
Licences                  : GPL2
Groups                    : None
Provides                  : passmenu
Depends on                : xclip  bash  gnupg  tree
Optional dependencies     : git: for Git support
                            dmenu: for passmenu
                            qrencode: for QR code support
Conflicts with            : passmenu
Replaces                  : passmenu
Download size             : 18.33 KB
Installation size         : 45.00 KB
Packer                    : Lukas Fleischer <lfleischer@archlinux.org>
Created on                : Fr 14 Apr 2017 10:31:38 CEST
Verified by               : MD5 sum  SHA-256 sum Signature

GnuPG lets you create a key suitable for signing or encrypting data, and Pass takes advantage of this function. It is still a somewhat complicated matter to create a key correctly and then keep it safe. However, various pages on the web can help you get started with the subject [2].

Initializing

If you call the tool with the init parameter, it also requires the ID of the GnuPG key that you will be using to encrypt the files. Use the -p <directory> option to specify that the key only applies to a subtree of the password collection. You can separate business passwords from private passwords in this way.

All the files you manage with Pass are located below .password-store/ in your home directory. If you want to use a different directory, set the environment variable PASSWORD_STORE_DIR accordingly (see Table 1).

If you already use a password management program, the Pass website is well worth a visit: You will find a whole range of tools and scripts that help you export data from other programs, such as Revelation or KeePass. In our lab, exporting from Revelation worked without any problems. In each of the files, the additional entries were located in one line.

Pass only evaluates the first line of the file in which it writes the password for the respective access case. Further information is only used to note down usernames or URLs and other data.

If you are starting from scratch, call Pass with the generate parameter, a name for the access case, and a number for the desired password length:

$ pass generate test/access 23

In the example, the password would be 23 characters long, and the corresponding file would end up in the access file below the test/ password directory subfolder. If you call Pass for this access case, the software prompts you for the password to access the GnuPG key. If you enter this correctly, Pass opens the file and outputs the content to your standard output.

The -c option copies the content directly to the clipboard, from where you can paste it again with Ctrl+V. The XSel program is used for this step. If you enter a number as the option parameter, the program tries to read the corresponding line and copy it to the clipboard. In this way, a username could also be read from the corresponding file.

Over time, a volume of access data will tend to accumulate in this way. To organize the data, simply create subfolders in the root folder (.password-store) and move the files with the data accordingly. If you call Pass without parameters in the terminal, it shows exactly this tree structure (Figure 1). The names of the files and directories correspond to the entries for the nodes. However, the tool does not include the .gpg extension, thus making it easier to read.

Figure 1: Once you have accumulated various access datasets, you can easily organize them in a folder structure that Pass displays as a tree when called without parameters.

Properly Managed

If you use more than one computer, you might not always store the access data on the same computer. It is also easy to imagine circumstances in which a new account becomes necessary while you are traveling. The data you need is then on your laptop's hard disk, but you might want to continue working on your home PC later on.

A whole series of approaches are now available to help you keep a synchronous set of data across all systems; after all, Pass works with simple files. Tools like rsync work this way: In a single step, you copy either from the mobile computer to the stationary PC or vice versa. Synchronizing in the opposite direction always requires a second step, which could be done in one go with Unison [3], but it can be done even more elegantly.

At this point, the Git [4] version control system (VCS) enters the game. Git's real purpose is to manage source code and, often additionally, the documentation and other files that come with programs. However, the software is designed in such a way that it does not really matter what kind of data you manage with it.

Pass allows you to use Git to set up your own commands. You can synchronize files and, if desired, even store the files on a central host.

Central Collection Point

To store the access data with the use of Git on a central host on the local network, the VCS must be installed there. If you use a preconfigured network-attached storage (NAS), look for the software in the NAS's package manager. One alternative is the use of an energy-saving Raspberry Pi for this task. With a minimal system, for example based on Raspbian Lite, you have an ideal computer as a remote station.

The host should preferably support login via Secure Shell. A separate article in this issue explains how to set up such a login and then configure SSH so that it suits your daily work schedule as effectively as possible.

In the following example, I assume you are running a Raspberry Pi as a NAS on the local network with hostname storage. Now create the repository in the home directory of user pi. To do this, switch to the host (e.g., by SSH) and create a new repository first. The first command from Listing 2 creates a simple directory, and the second then initializes the repository.

$ mkdir -p repos/password-store
$ git --bare init repos/password-store

Use the --bare option to tell Git that this is not a working directory, but one where you can add commits or retrieve changes. This setup has the practical effect that the files that Git needs for administration are located directly in the folder, instead of in a hidden .git directory below it.

To use the new central repository in the password manager, first make sure that the data in .password-store/ is under Git's control. You do this by typing pass git init in a terminal. The VCS outputs the typical status messages.

The structure of the commands is basically always the same: You use Git's regular syntax but always prefix it with the program name pass. This allows you to take full advantage of Git's features without much more configuration (see the "Tip" box).

Once you have initialized the local repository, add a remote repository with which you can exchange data. You do this with the commands from Listing 3.

$ pass git init
$ pass git remote add origin pi@storage:repos/password-store
$ pass git push

When adding an external repository, first assign a name (origin in the example) and append the appropriate URL to it. You can freely assign the name; origin has just established itself as a convention. Finally, use the last command from Listing 3 to synchronize the remote target with the dataset from the local repository.

If you have also placed the local files on other computers under Git's control, you just need to configure the central computer as a host to integrate the respective files, as well.

If you want to retrieve the data from the central computer, simply type pass git pull. You will then find the same encrypted files on the host in question as on the central computer. In other words, if you want to work with files from different computers, this system makes synchronization easy. However, it remains your responsibility to keep the GnuPG keys consistent across all hosts.

Conclusions

The Pass password manager lets you store as many different passwords as you like for different accounts, and you'll still only need one password to decrypt them all. Although the technology behind Pass is relatively simple – after all, it's just a shell script – the combination of mature components adds to the overall effect.

Git lets you synchronize different hosts via a shared repository: It should go without saying that a public repository is not suitable for storing passwords.