Using pass to Manage Your Passwords on Fedora

At this point, I have more usernames and passwords to juggle than any person should ever have to deal with. I know I’m not alone, either. We have a surfeit of passwords to manage, and we need a good way to manage them so we have easy access without doing something silly like writing them down where others might find them. Being a fan of simple apps, I prefer using

pass

, a command line password manager.

It’s never been a good idea to use the same username and password with multiple services, but in today’s world? It’s potentially disasterous. So I don’t. At the moment, I’m juggling something like 90 to 100 passwords for all of the services I use. Multiple Twitter accounts, my server credentials, OpenShift applications, my FAS credentials, sign-in for Rdio, and lots more.

As you might imagine, trying to memorize all of those passwords is an exercise in futility. I remember my system password, and a handful of others. Beyond that? I’d rather save some of my brain’s limited storage for more important things.

What’s

pass

, and What’s it Require?

So what is

pass

? It’s basically a simple command-line utility that helps you manage passwords. It uses GnuPG-encrypted files to save and manage user passwords. It will even keep them in a git repository, if you choose to set it up that way. That means you’ll need the

pass

package installed, along with its dependencies like

git

,

gnupg2

, and

pwgen

(a utility for generating passwords).

Yes, there are other options, but I settled on

pass

a while back as the best fit for my needs. Here’s how you can give it a shot and see if it works for you!

Installation and Setup

Installing pass is simple, it’s conveniently packaged for Fedora. Just open a terminal and run

yum install -y pass

and it should grab all the dependencies you need.

The first thing you need to do is create a GPG Key. See the Fedora wiki for detailed instructions, or just use

gpg --gen-key

and walk through the series of prompts. When in doubt, accept the defaults.

Now, you just need to initialize your password store with

pass init GPG-ID

. Replace “GPG-ID” with the email address you used for your GPG key.

Using

pass

: Adding and Creating Passwords

Now that you have a password store set up, it’s time to start creating or inserting passwords. If you already have a password you want to store, use

pass edit passwordname

. For example, if you were going to store your Fedora Account System (FAS) password, you might use

pass edit FAS/user

with “user” being your username in FAS.

This will create a directory (FAS) and the file (user) in Git, and encrypt the file so that no one can read it without your GPG passphrase. If you look under

~/.password-store/FAS/

you’ll see a file like

user.gpg

. The directory part is optional, but I find it useful to help keep track of passwords.

If you want to create a new password, just use

pass generate FAS/user 12

where “FAS/user” would be the username, and the password length (generated by

pwgen

) would be 12 characters. The auto-generated passwords will include upper- and lower-case letters, numbers, and special characters.

Creating a git Repository

One of the biggest selling points to me for

pass

is its integration with git. But it’s not automatic, you do need to tell it to initialize the git repo and use it. First, make sure you’ve set your git globals:


git config --global user.email "your@email.com"
git config --global user.name "Awesome User"

Then run

pass git init

and it will intialize a git repository in your password store. From then on, it will automatically add new passwords and such to the git repo. If you want to manage passwords on multiple machines, this makes it dead easy: Just clone the repository elsewhere and keep them in sync as you would a normal git repo.

Using

pass

: Reading Passwords

To recall a password, all you need to do is run

pass user

, so

pass FAS/user

would print out the password to the terminal. But what if you don’t want it to be seen by someone looking over your shoulder?

Here’s a nifty workaround for that, just use

pass -c FAS/user

and it will simply copy your password to the clipboard for 45 seconds. All you have to do is run the command, move over to the application where you’d like to enter your password, and then hit Enter.

If you’ve forgotten what passwords you have stored with

pass

, just use

pass ls

and you’ll get a complete listing.

Deleting Passwords

Sometimes you need to get rid of a password. Just use

pass rm user

and

pass

will ask if you’re sure, then delete the password file.

If you delete something by accident, you can simply go back and revert the commit!

Stay Safe!

So that’s the basics of using

pass

. You can get even more examples by running

man pass

, and I highly recommend skimming the man page at least once.

I have been using

pass

for some time now, and it’s been a life-saver. I hope it serves you as well as it has me!

Fedora Project community

12 Comments

  1. This is awesome!

    Are you aware of any GUIs in Fedora that will let me do something similar?

    • There is a firefox extension for this but it is still in beta afaik

    • toma

      Yes, it’s called gnome keystore.

      • What is gnome-keystore? i can’t find a gnome-keystore package in the repos, or much mention of it in an internet search. Are you referring to seahorse and the GNOME Keyring?

        • Tom

          Hi Ryan

          Yes, I belive it’s called Seahorse.

          Tom

    • We have at least KeePassX and Revelation packaged. Lastpass is a pretty popular hosted service (that only stores the passwords encrypted and does the encryption on the client end, so they never have access to your passwords) that does a nice job and has a Firefox extension and apps for iOS and Android – it’s what I use (I used to use revelation and copy password files all over the place and convert them to keepass format through a stupid script to use with a lastpass app on my phone, but that sucked).

      You can use Seahorse for this sort of thing, but it’s not really streamlined for that kind of use.

  2. malik

    How does this differ from something like Lasspass?

    • It’s just a much more geekish way of doing it. It also doesn’t involve any level of trust of a hosted service, which is important to some folks, while still offering a plausible way of keeping the password store in sync between many systems (git).

  3. Hmm, today try using GNOME Keyring as pass storage. One problem – I can’t export pass (-:

  4. jan

    I use keepass2, because it works on Windows and Linux. That way, I can access my password at work as well as at home.

    • I use KeePassX for the same reason. I store the file to my ownCloud so I can access and sync it from anywhere with any device.

  5. Leslie Satenstein

    I need a facility that is comon to Fedora, Centos, Mint17, and Microsoft Windows 7. Is there one that is universal. (I occasionally use an AIX system).

Comments are Closed

The opinions expressed on this website are those of each author, not of the author's employer or of Red Hat. Fedora Magazine aspires to publish all content under a Creative Commons license but may not be able to do so in all cases. You are responsible for ensuring that you have the necessary permission to reuse any work on this site. The Fedora logo is a trademark of Red Hat, Inc. Terms and Conditions

%d bloggers like this: