James's Ramblings

Pass

Created: November 20, 2020

Intro

Pass is a simple little program for storing passwords using public/private key cryptography. I would thoroughly recommend it as it’s extremely simple to use and utilizes the tried and tested gpg suite, rather than anything weird and wonderful. The vanilla version is terminal-based.

As pass is so simple, it’s easy to extend it to do some useful things.

It’s pretty simple to get started: generate a GPG key, run gpg --list-keys, grab the key id, and run pass init GPG_IDENTITY_ID. A password store now exists in $HOME/.password-store.

Basic functionality:

pass edit PASSWORD_NAME 	# Create a password in your default text editor
pass PASSWORD_NAME 		# Print the password to stdout
pass -c PASSWORD_NAME 		# Copy the password to the clipboard
pass generate PASSWORD_NAME LENGTH # Generate and store a password
pass 				# List names of passwords

Copying passwords

I use a simple wrapper script to enable me to use pass easily via the ALT+F2 run box on GNOME. It will also probably work fine with other desktop environments’ equivalents of the run box.

# cat <<-'EOF' > /usr/bin/p
#!/usr/bin/env bash

pass -c "$1"
EOF
# chown root:root /usr/bin/p && chmod 755 /usr/bin/p

Now typing p PASSWORD_NAME into the ALT+F2 run box will copy the password to the clipboard. Note the quoted 'EOF' delimiter: with a bare EOF the shell running cat would expand "$1" while writing the file, leaving the script calling pass -c with an empty argument rather than the literal "$1".

Storing secret environment variables

These days there’s much less reason to store privileged credentials locally. It’s far better practice to request temporary credentials that can exist as environment variables.

However, if the authentication mechanism you are using does not support temporary credentials, pass can be used to make the situation a bit more palatable.

Do a pass edit SECRET_NAME and type some shell export VAR_NAME=VALUE lines in. Save the file.

Now type:

eval "$(pass SECRET_NAME)"

Doing a printenv | grep VAR_NAME should show that the secret now exists as an environment variable. The secret file can have multiple lines with different exports. The quotes around $(...) matter: without them the lines are joined with spaces before eval sees them. Bear in mind that eval runs the decrypted file as shell code, so anything in that entry, not just the export lines, gets executed.
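An alternative that treats the decrypted entry as data rather than shell code, as an added example that is not part of the original post: each line is checked to be a plain export NAME=VALUE line before anything is set, and the assignment is done with export rather than eval, so a stray command in the entry is refused instead of run. It assumes pass is installed and the entry has the layout described above (one export per line, optional blank lines and # comments, values optionally wrapped in quotes); the function and variable names are my own.

```shell
#!/usr/bin/env sh
# Added example, not from the original post: load `export NAME=VALUE` lines
# from a pass entry into the current shell WITHOUT passing the entry to eval.
# Assumes the entry body is one export per line, optional blank/# lines,
# and values optionally surrounded by matching single or double quotes.

# Return 0 if every non-blank, non-comment line on stdin is a plain
# `export NAME=VALUE` line; otherwise report the offender and return 1.
validate_export_lines() {
    local line
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|'#'*) continue ;;
        esac
        if ! printf '%s\n' "$line" | grep -Eq '^export [A-Za-z_][A-Za-z0-9_]*='; then
            printf 'refusing line that is not a plain export: %s\n' "$line" >&2
            return 1
        fi
    done
    return 0
}

# Strip one layer of matching surrounding quotes, mirroring what the shell
# would have done had the line been sourced. The value is printed to stdout
# and is never re-parsed, so $ or backticks inside it stay literal.
unquote_value() {
    local v
    v=$1
    case "$v" in
        \"*\") v=${v#\"}; v=${v%\"} ;;
        \'*\') v=${v#\'}; v=${v%\'} ;;
    esac
    printf '%s' "$v"
}

# Validate the whole text first so a bad line rejects the entire entry,
# then export each NAME=VALUE in the current shell. The here-document keeps
# the loop out of a subshell, which a pipe into `while` would not.
load_env_from_text() {
    local line rest name value
    printf '%s\n' "$1" | validate_export_lines || return 1
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|'#'*) continue ;;
        esac
        rest=${line#export }
        name=${rest%%=*}
        value=$(unquote_value "${rest#*=}")
        export "$name=$value"
    done <<EOF
$1
EOF
}

# Real use: decrypt the pass entry named in $1 and load it. Source this file
# (`. ./load-secret-env.sh`) and then run `load_secret_env SECRET_NAME`.
load_secret_env() {
    load_env_from_text "$(pass "$1")"
}
```

Because nothing is evaluated, a password containing $, backticks or semicolons is exported exactly as written, which is also the case where eval "$(pass ...)" would silently mangle or execute the value.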

YubiKeys

I highly recommend using pass and gpg together with YubiKeys.

YubiKeys allow you to store the private key, the main point of failure, on a small USB fob, rather than on your workstation. From what I gather, it’s extremely hard, to the point that a successful attack is rather improbable, to get a private key off a YubiKey once it’s there and only there.

If your workstation is stolen or someone manages to gain access to your user*, access to the passwords stored locally is not necessarily a given. Furthermore, as the passwords are encrypted, they could be stored in Git/cloud storage, if you want to risk it. If it’s production credentials, I would advise keeping them locally and making offline back-ups, however.

When I want to access a password, my YubiKey has to be physically plugged into the machine, unlocked (once per plug-in) via a PIN, and I physically have to press the button on it. I don’t find this overly tiresome.

These are not the only possible configurations; just my personal choice.

The button lights up when the YubiKey is being prompted for credentials (it can do a lot more than just GPG though**). If a local user was compromised, there’s some chance the lighting of the button may trigger alarm bells.

I also use this setup to push signed commits to Git, and to encrypt/sign files. In theory it can also be used to encrypt/sign email, but I have never actually known anyone to use it.

One of the gpg key slots can also be used to replace ssh key functionality. There’s even a gpg-agent to replace ssh-agent. I haven’t got around to configuring this aspect, however, as I don’t really use personal SSH keys much any more.

* Chances are this would just be a speed bump for a skilled adversary with access to your local user.

** Notably FIDO2/WebAuthn and U2F; aka press the YubiKey to authenticate to a website rather than enter an OTP code or a prompt on a mobile device. Both much more convenient and much more secure.

Resources

I used the following resources to set up my YubiKey: