pass - the standard Unix password manager in Action

I’ve seen a lot of approaches to sharing passwords within a group of developers. Today I want to share a command-line based, secure setup using pass with you.

pass - the standard unix password manager

Update (2019-11-22): A while ago Markus introduced me to Gopass, a fully compatible tool with some nice team add-ons.

If the keys expire, check Renew GPG key in case you cannot recall the gpg commands by heart.

gopass - the team password manager

Grab the Gopass Cheat Sheet for a nice overview of the team features...😎

Preparations

This walk-through is done on a Mac. But it’s easily reproducible on Ubuntu, Fedora, …, FreeBSD and others. Please check the Download section on the homepage of pass.

Install pass on Mac

With Homebrew installed this is as simple as:

$ brew install pass
…
==> Summary
🍺  /usr/local/Cellar/pass/1.7.2: 34 files, 147.5KB

Check the installation with:

$ pass --version
============================================
= pass: the standard unix password manager =
=                                          =
=                  v1.7.2                  =
=                                          =
=             Jason A. Donenfeld           =
=               Jason@zx2c4.com            =
=                                          =
=      http://www.passwordstore.org/       =
============================================

Fine.

Create a gpg key

$ gpg --gen-key
…
Real name: planets
Email address: planets@datenkollektiv.de
You selected this USER-ID:
    "planets <planets@datenkollektiv.de>"

Set up a shared password store

This has to be done by one developer only.

First, initialise a password store backed by a Git repository. (Basically, I followed the Extended Git Example.)

$ pass init planets@datenkollektiv.de
Password store initialized for planets@datenkollektiv.de
$ pass git init
Initialized empty Git repository in …
$ pass git remote add origin <put_your_remote_here>

Use the shared password store on a developer machine

Clone the created password store from your Git repository…

$ git clone <put_your_remote_here> .password-store
Cloning into ‘.password-store’…
…

then check the password store with:

$ pass
Password Store

Export / Import the shared gpg key

The developer who created the shared gpg key needs to export the private key:

$ gpg --export-secret-key -a "planets" > planets-password-store.key

The exported key should look something like:

-----BEGIN PGP PRIVATE KEY BLOCK-----
…1qYBSA2anbK2FjbxU…
-----END PGP PRIVATE KEY BLOCK-----

On the other developer machines, you’ll need the shared private gpg key to access the password store. Needless to say, the private key has to be transferred in a secure way…

$ gpg --allow-secret-key-import --import planets-password-store.key
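Before using a freshly cloned store it is worth checking what is actually in it: which recipient ids it was initialised for and which entries it holds. The script below is an added example, not code from the post or from pass itself. It relies on two facts about how pass lays out a store on disk: the recipient ids live in <store>/.gpg-id (one id per line) and every entry is a <store>/<name>.gpg file. The demo store it builds is constructed (empty placeholder files, not real ciphertext) so the script runs without pass or gpg; if gpg is installed it additionally reports whether a secret key for each recipient is in the local keyring, which is exactly the condition for `pass test/foo` to work on that machine. Note that .gpg-id may list several ids (pass init accepts more than one), so a team can also encrypt to each developer's own key instead of passing one private key around.

```sh
#!/bin/sh
# Added example (not part of the original post): sanity-check a cloned
# password store. Assumes the standard pass layout: recipient ids in
# <store>/.gpg-id, entries stored as <store>/<name>.gpg.
set -eu

# Print the recipient ids listed in the store's .gpg-id file.
store_recipients() {
    store="$1"
    [ -f "$store/.gpg-id" ] || { echo "no .gpg-id in $store" >&2; return 1; }
    # ignore blank lines and comments
    grep -v '^[[:space:]]*$' "$store/.gpg-id" | grep -v '^#'
}

# List entries the way `pass` does: relative path, .gpg suffix stripped,
# the .git directory skipped.
store_entries() {
    store="$1"
    ( cd "$store" && find . -name '.git' -prune -o -name '*.gpg' -type f -print ) \
        | sed -e 's|^\./||' -e 's|\.gpg$||' | sort
}

# If gpg is installed, report whether a secret key for each recipient is
# in the local keyring; otherwise say so and return 2 (check skipped).
check_secret_keys() {
    store="$1"
    command -v gpg >/dev/null 2>&1 || { echo "gpg not installed, skipping key check" >&2; return 2; }
    rc=0
    for id in $(store_recipients "$store"); do
        if gpg --batch --list-secret-keys "$id" >/dev/null 2>&1; then
            echo "secret key present for $id"
        else
            echo "NO secret key for $id: entries cannot be decrypted on this machine" >&2
            rc=1
        fi
    done
    return $rc
}

# Build a constructed store mirroring the post's example (placeholder
# files only, no real ciphertext).
make_demo_store() {
    store="$1"
    mkdir -p "$store/test" "$store/.git"
    echo 'planets@datenkollektiv.de' > "$store/.gpg-id"
    : > "$store/test/foo.gpg"
    : > "$store/test/baz.gpg"
    : > "$store/.git/config.gpg"   # lives under .git, must not be listed
}

demo="${TMPDIR:-/tmp}/pass-demo-$$"
make_demo_store "$demo"
echo "recipients:"; store_recipients "$demo"
echo "entries:";    store_entries "$demo"
check_secret_keys "$demo" || true
rm -rf "$demo"
```

In real use replace the demo path with ~/.password-store; a missing secret key for one of the listed ids is the usual reason a teammate gets a decryption error right after cloning.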

Ready to rumble

Let’s assume a developer creates a new test project account foo and generates a password locally. He wants to share this password with his colleagues via pass.

He has to insert and push the password:

$ pass insert test/foo
Enter password for test/foo:
Retype password for test/foo:
[master d1910d2] Add given password for test/foo to store.
 1 file changed, 0 insertions(+), 0 deletions(-)
 create mode 100644 test/foo.gpg

$ pass git push -u --all
Counting objects: 6, done.
Delta compression using up to 8 threads.
Compressing objects: 100% (3/3), done.
…
 * [new branch]      master -> master
Branch 'master' set up to track remote branch 'master' from 'origin'.

All other developers will have to pull the new password.

$ pass git pull
remote: Counting objects: 4, done.
…

With the password store up-to-date they can access the shared password easily:

$ pass test/foo
bar

Congratulations! You successfully used your first shared password with pass.

Cheat Sheet

Password generation

Most probably you’ll need to generate passwords, too.

$ pass generate test/baz 15

There are more options available. Please check the pass homepage for more details.

Store Metadata

Store other (meta)data along with the password. The author of pass recommends combining the options --multiline and --clip for this.

When storing the password, use the option --multiline, provide the additional data and press <Ctrl> + D when finished:

$ pass insert --multiline test/multiline
Enter contents of test/multiline and press Ctrl+D when finished:

s3cr3t
URL: https://example.com

You can then grab just the password, only when you need it, with the option --clip mentioned above.

$ pass --clip test/multiline
Copied test/multiline to clipboard. Will clear in 45 seconds.

This command will only copy the first line of the multiline entry.

Pro-Tip: Grab the URL with a slightly more complex bash command from the password store:

$ pass test/multiline | grep URL | cut -d ':' -f 2,3 | awk '{$1=$1;print}'

With explainshell.com to the rescue 🤔...
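The one-liner above works for the entry shown, but it has two edge cases: `grep URL` matches any line that merely contains "URL", and `cut -d ':' -f 2,3` drops everything after the third colon, so a URL with a port (https://host:8443/...) loses its path. The script below is an added example, not from the post or from pass; it reads the decrypted entry on stdin, so in real use you pipe `pass test/multiline` into it, while here a constructed sample entry stands in for that output so it runs without pass or gpg.

```sh
#!/bin/sh
# Added example (not part of the original post): pull one metadata field
# out of a multiline pass entry read on stdin. The constructed sample
# below plays the role of `pass test/multiline` output.
set -eu

# Print the value of the "<name>:" line(s) of an entry read on stdin.
# The label must start the line, the whole remainder of the line is kept
# (colons included), and the password line is dropped first so it is
# never printed whatever it contains.
entry_field() {
    name="$1"
    sed '1d' | sed -n "s/^$name:[[:space:]]*//p" | sed 's/[[:space:]]*$//'
}

# Print only the first line, which is what `pass --clip` copies.
entry_password() {
    sed -n '1p'
}

# Constructed sample of what `pass test/multiline` could print.
sample_entry() {
    printf '%s\n' \
        's3cr3t' \
        'URL: https://example.com:8443/login' \
        'user: alice' \
        'notes: URL: not the real one'
}

# Demo, equivalent to:  pass test/multiline | entry_field URL
sample_entry | entry_field URL
sample_entry | entry_field user
```

With a real store this becomes `pass test/multiline | entry_field URL`; the "notes" line in the sample shows why anchoring the label at the start of the line matters.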