pass
Package Install
pass
sudo apt update
sudo apt upgrade
sudo apt install pass pass-extension-tomb pass-extension-otp
yubikey
sudo apt install scdaemon yubikey-manager libpam-yubico libpam-u2f libu2f-udev
GPG
gpg configuration
Generate PGP keys:
gpg --expert --full-generate-key
Issue sub-keys:
gpg --expert --edit-key key_ID
gpg> addkey
Export master private key:
gpg --armor --export-secret-keys key_ID
Create revocation certificate:
gpg --gen-revoke key_ID
Export public key:
gpg --armor --export key_ID
Export private sub-keys:
gpg --armor --export-secret-subkeys key_ID
Show fingerprints:
gpg --fingerprint --fingerprint key_ID
Show private keys in GPG keyring:
gpg --list-secret-keys
Show yubikey status
gpg --card-status
gpg --edit-card
gpg --edit-key key_ID
ykman openpgp set-touch KEY on
gpg-connect-agent "scd serialno" "learn --force" /bye
Pass
Create aliases in .bashrc for working with multiple password stores
alias vault='PASSWORD_STORE_ENABLE_EXTENSIONS=true PASSWORD_STORE_TOMB_KEY=/home/pi/.tomb-store/.vault.tomb.key PASSWORD_STORE_TOMB_FILE=/home/pi/.tomb-store/.vault.tomb PASSWORD_STORE_DIR=~/.password-store-vault pass'
alias work='PASSWORD_STORE_ENABLE_EXTENSIONS=true PASSWORD_STORE_TOMB_KEY=/home/pi/.tomb-store/.work.tomb.key PASSWORD_STORE_TOMB_FILE=/home/pi/.tomb-store/.work.tomb PASSWORD_STORE_DIR=~/.password-store-work pass'
custom fzf extension
#!/bin/bash
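#######################################
# List the entries of the password store, one per line.
# Globals:   PREFIX (read) - root directory of the store (set by pass)
# Outputs:   entry names relative to $PREFIX, without the .gpg suffix
#######################################
candidates() {
  local entry
  local root=${PREFIX%/}
  # Strip the store root and the suffix with parameter expansion instead of
  # sed: a ':' or a regex metacharacter in $PREFIX would otherwise corrupt
  # the sed expression, and -print0 keeps unusual filenames intact.
  while IFS= read -r -d '' entry; do
    entry=${entry#"$root"/}
    printf '%s\n' "${entry%.gpg}"
  done < <(find "$PREFIX" -name '*.gpg' -print0)
}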
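#######################################
# Let the user pick an entry with fzf. The key bindings record the requested
# pass sub-command in /tmp/passfzfarg for the caller to read afterwards.
# Arguments: $1 - initial fzf query
# Outputs:   the selected entry (or the raw query for add/generate) on stdout
# Returns:   fzf's exit status
#######################################
candidate_selector_fzf() {
  local query=$1
  # NOTE(review): /tmp/passfzfarg is a fixed name in the world-writable /tmp;
  # another local user can pre-create it (or a symlink to somewhere else) and
  # the '>' inside execute() follows it. A per-user location such as
  # $XDG_RUNTIME_DIR, agreed with the caller, would avoid that.
  local -a fzf_opts=(
    --query "$query" --select-1
    --prompt="# "
    --ansi
    --extended
    --no-border
    --delimiter "/"
    --layout=reverse-list
    --no-multi
    --cycle
    --header='
Ret: tail, C-s: show, C-t: tail, C-e: edit, C-x: rename, C-d: duplicate,
C-a: add, C-g: generate and copy new password, C-r: remove
C-p: git pull, M-p: git push, C-c/C-q/Esc: clear query or exit'
    --margin='1,2,1,2'
    --color='16,gutter:-1'
    --bind="tab:down"
    --bind="btab:up"
    --bind="ctrl-s:execute(echo 'show' > /tmp/passfzfarg)+accept"
    --bind="ctrl-t:execute(echo 'tail' > /tmp/passfzfarg)+accept"
    --bind="ctrl-e:execute(echo 'edit' > /tmp/passfzfarg)+accept"
    --bind="ctrl-x:execute(echo 'mv' > /tmp/passfzfarg)+accept"
    --bind="ctrl-d:execute(echo 'cp' > /tmp/passfzfarg)+accept"
    --bind="ctrl-a:execute(echo 'add' > /tmp/passfzfarg)+print-query"
    --bind="ctrl-g:execute(echo 'generate' > /tmp/passfzfarg)+print-query"
    --bind="ctrl-r:execute(echo 'rm' > /tmp/passfzfarg)+accept"
    --bind="ctrl-p:abort+execute(echo 'git pull' > /tmp/passfzfarg)"
    --bind="alt-p:abort+execute(echo 'git push -u --all' > /tmp/passfzfarg)"
    --bind="ctrl-c:execute(echo 'quit' > /tmp/passfzfarg)+cancel"
    --bind="ctrl-q:execute(echo 'quit' > /tmp/passfzfarg)+cancel"
    --bind="esc:execute(echo 'quit' > /tmp/passfzfarg)+cancel"
  )
  candidates | fzf "${fzf_opts[@]}"
}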
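# Entry point of the extension. pass sources this file, so the code below
# runs in pass's own shell with $PREFIX already set and "$@" holding the
# arguments given after the extension name.
query=$*
res=$(candidate_selector_fzf "$query")

# The fzf key bindings leave the requested sub-command in this file; a plain
# Return leaves nothing behind, which means "tail".
# NOTE(review): a fixed path in the world-writable /tmp can be pre-created or
# read by other local users; pairing the selector and this reader on a
# per-user location (e.g. under $XDG_RUNTIME_DIR) would close that race.
argfile=/tmp/passfzfarg
if [[ -f "$argfile" ]]; then
  arg=$(<"$argfile")
  rm -f -- "$argfile"
else
  arg="tail"
fi

# 'git pull' and 'git push -u --all' are several words, so split the recorded
# command on whitespace once here instead of leaving ${arg} unquoted below.
read -r -a pass_cmd <<<"$arg"

# Colour codes for the prompts. User-controlled text is always passed to
# printf as a %s argument so that '%' or backslashes in an entry name are
# printed literally rather than interpreted as part of the format.
green='\033[0;32m'
reset='\033[0m'

# The former guard `! [[ -v "$res" ]]` tested whether a *variable named* by
# the selection exists, which silently skipped entries such as "HOME"; every
# case below already copes with an empty $res, so no guard is needed.
case "$arg" in
  add)
    # Previously printed ${selection}, which is never set; the typed query
    # (printed by fzf's print-query) is in $res.
    printf "${green}New password Directory/Name:${reset} %s" "$res"
    if [[ -n "$res" ]]; then
      printf "${green}\nPress Return to confirm or type new Directory/Name:${reset} "
    fi
    read -r
    tmp=${REPLY:-$res}
    pass "${pass_cmd[@]}" "$tmp"
    ;;
  mv | cp)
    printf "${green}\nNew Directory/Name to %s '%s' to:${reset} " "$arg" "$res"
    read -r
    # An empty reply cancels the operation.
    if [[ -n "$REPLY" ]]; then
      pass "${pass_cmd[@]}" "$res" "$REPLY"
    fi
    ;;
  generate)
    printf "${green}New password Directory/Name:${reset} %s" "$res"
    if [[ -n "$res" ]]; then
      printf "${green}\nPress Return to confirm or type new Directory/Name:${reset} "
    fi
    read -r
    tmp=${REPLY:-$res}
    printf "${green}Number of characters:${reset} "
    read -r
    # An empty length is left out so that pass applies its own default
    # instead of rejecting "" as a non-numeric length.
    len=()
    [[ -n "$REPLY" ]] && len=("$REPLY")
    # Replace an existing entry first; when that fails (typically because the
    # entry does not exist yet, its stderr is deliberately discarded), create
    # a new one.
    pass "${pass_cmd[@]}" --in-place "$tmp" "${len[@]}" 2>/dev/null \
      || pass "${pass_cmd[@]}" "$tmp" "${len[@]}"
    ;;
  quit)
    # Stop anything this shell still has running, then leave cleanly:
    # quitting is not an error, so do not propagate pkill's status.
    pkill -P $$
    exit 0
    ;;
  *)
    if [[ -n "$res" ]]; then
      pass "${pass_cmd[@]}" "$res"
    else
      pass "${pass_cmd[@]}"
    fi
    ;;
esac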
Tomb
Create a new password tomb
$ pass tomb <gpg-id>
(*) Your password tomb has been created and opened in ~/.password-store.
(*) Password store initialized for <gpg-id>
. Your tomb is: ~/.password.tomb
. Your tomb key is: ~/.password.key.tomb
. You can now use pass as usual.
. When finished, close the password tomb using 'pass close'.
Open a password tomb
$ pass open
(*) Your password tomb has been opened in ~/.password-store.
. You can now use pass as usual.
. When finished, close the password tomb using 'pass close'.
Open a password store and set a timer
$ pass open --timer=10min
(*) Your password tomb has been opened in ~/.password-store.
. You can now use pass as usual.
. This password store will be closed in 10min
Close a password tomb
$ pass close
(*) Your password tomb has been closed.
. Your passwords remain present in ~/.password.tomb.
Import existing password repository
In order to use pass-tomb with your existing password repository you can:
- Move your password repository:
  mv ~/.password-store ~/.password-store-backup
- Create and open a new password tomb:
  pass tomb <gpgid>
- Move all the content of your password repository into the new password tomb:
  mv ~/.password-store-backup/ ~/.password-store