I have recently migrated my passwords to pass and so far I've been really happy with it. The previous system was to have them all in a huge text file, which wasn't especially convenient or secure[1], and wasn't shared between my various machines. Here is some info about pass.
pass has been packaged for Debian since Jessie, so installing it is as simple as sudo apt-get install pass. It is also just a shell script of a little over 600 lines, so it is really easy to review, and to install by hand if you need to.
The way pass manages passwords is dead simple: a hierarchy of gpg-encrypted files. The assumption is that each file corresponds to a website, machine, or other authentication realm, and contains the password. The use of gpg provides a layer of security, so that your gpg key and its passphrase serve as a master password.
password. Of course, it is nice to have a properly configured
avoid having to enter the passphrase multiple times.
The basic commands of pass are pass init KEYID, which sets up the store for gpg key KEYID (by default in
pass FILE, which decrypts and shows FILE, and pass edit FILE, which decrypts FILE to a secure temporary
/dev/shm, edits it, and encrypts it back. You can also use pass ls (which shows a nice output using
pass find to search for files using
pass grep to search in the decrypted password files, and pass cp. Of course, you can also mess around in the password store by hand.
As pass has this very nice CLI interface, migrating my passwords from my custom system was very easy, although it seems that the Debian package also installs a bunch of scripts to migrate from other password managers.
Beyond the generic commands I have presented, pass obviously offers commands tailored for password management. You have pass insert FILE, which creates FILE with the password you provide (it turns off echo and makes you enter it twice for confirmation). You have pass -c FILE, which copies the password in FILE to the clipboard, so you can input the password where you need it, and automatically clears the clipboard after 45 seconds (which is a reasonable thing to do). You have pass generate FILE LENGTH, which generates a password of LENGTH characters into FILE and displays it (or copies it to the clipboard with -c); what is very nice is that pass itself does not include password generation logic, but entrusts pwgen(1) with the task.
Icing on the cake: pass is designed to be used with git, and provides pass git to call git commands on the store. If you use git, all the pass commands will git commit what's needed. This makes it very easy to share passwords between different machines. Of course, as the files are encrypted, git cannot be expected to resolve conflicts within a file, but it can nicely merge changes across different files. You can also use this setup to share passwords between different people, as pass supports encrypting for multiple keys.
For once, I find it hard to find something to dislike about pass. Eventually I may want to tweak password generation so that it generates passwords the way I'm used to, but this would be easy to do. I'm also missing support for usernames, as I use different usernames on different websites, but pass allows you to store anything in the password file (and only the first line is used by pass -c and others), so I can just add the username as the second line if needed; it's just that I will have to retrieve it by hand, or script something that does what I want. Other than that, I'm very happy to have a convenient, lightweight, and secure way to manage my passwords and share them across machines using git.
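Here is a small script for the "retrieve the username by hand" problem just mentioned. It is an added example, not part of pass: it assumes the password is on the first line of an entry and the username either on a "username:" (or "login:") line or, failing that, on the second line, and it reads the decrypted text that pass show prints.

```shell
# Added example, not part of pass(1). Assumed entry layout:
#   line 1        -> password
#   later line    -> "username: NAME" or "login: NAME" (optional)
#   line 2        -> used as the username when no such line exists

# Print the password: the first line of the decrypted entry on stdin.
pass_password() {
    sed -n '1p'
}

# Print the username from the decrypted entry on stdin.
# Prefers an explicit "username:"/"login:" line; otherwise falls back
# to the second line; prints nothing if neither exists.
pass_username() {
    awk '
        NR > 1 && tolower($0) ~ /^(username|login):[ \t]*/ {
            sub(/^[^:]*:[ \t]*/, "")   # drop the "username:" label
            print
            found = 1
            exit                       # END still runs, but found is set
        }
        NR == 2 { second = $0 }
        END { if (!found && second != "") print second }
    '
}

# Wrapper around the real tool: pass_field ENTRY password|username
# (not run here; pass show ENTRY prints the decrypted entry).
pass_field() {
    entry=$1
    field=$2
    pass show "$entry" | "pass_$field"
}
```

Pipe the output of pass_field into xclip or wl-copy if you want the username in the clipboard like pass -c does for the password.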
[1] My home partition is encrypted, but there was no security whatsoever if the machine was ever compromised.