Pass with GPG

pass is a simple password manager that stores each password in its own gpg-encrypted file, not in some obscure database. The files can in turn be put on Dropbox, git or any other file management service.

Installing

pass must be installed alongside gpg. On #NixOS [1]:

{
    # Must restart computer, otherwise you may hit this bug:
    # https://github.com/NixOS/nixpkgs/issues/35464#issuecomment-383894005
    programs.gnupg = {
      agent = {
        enable = true;
        enableExtraSocket = true;
        pinentryFlavor = "curses";
      };
    };
    environment.systemPackages = with pkgs; [
      pass
    ];
}

Using

Generate a GPG key:

gpg --full-gen-key

Initialize the password store, along with git:

pass init <email>
pass git init

Test:

pass insert test/example.org
pass show test/example.org
pass git push

Back up GPG key in Keybase

Since I already use keybase, I store my GPG key securely in kbfs, and then import it on other computers.

gpg --export-secret-keys --armor "Sridhar Ratnakumar" > ~/keybase/private/srid/gpg/me.asc

Import GPG key

To import a GPG key (either from Keybase backup or from the canonical ProtonMail key):

gpg --import ~/keybase/private/srid/gpg/me.asc
gpg --edit-key <email> # and run `trust`

Android support

  • Set up Syncthing (make .git a file whose contents are gitdir: /path/to/.git, in order to exclude the git index from syncing)
  • Use Android apps: Password Store & OpenKeychain
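
A check to run before handing the store to Dropbox, a git remote or Syncthing, as an added example that is not part of the original post: it flags any file in the store that is not OpenPGP data. It assumes the store is at $PASSWORD_STORE_DIR or pass's default ~/.password-store; the function names is_openpgp and audit_store are made up here.

```shell
#!/bin/sh
# Added example: audit a pass store for plaintext before syncing it.
# Assumption: file names in the store contain no newlines.

# Succeed if the file looks like OpenPGP data: binary packets start with a
# byte whose high bit is set; armored output starts with a PGP header line.
is_openpgp() {
    first=$(head -c 1 < "$1" | od -An -tu1 | tr -d ' \n')
    [ "${first:-0}" -ge 128 ] && return 0
    [ "$(head -c 27 < "$1")" = "-----BEGIN PGP MESSAGE-----" ]
}

# Print one finding per line; return 1 if there is any finding.
audit_store() {
    store=${1:-${PASSWORD_STORE_DIR:-$HOME/.password-store}}
    report=$(
        [ -f "$store/.gpg-id" ] || echo "MISSING .gpg-id"
        # .git is pruned whether it is a directory or a "gitdir:" file.
        find "$store" -path "$store/.git" -prune -o -type f -print |
        while IFS= read -r f; do
            rel=${f#"$store"/}
            case "$rel" in
                .gpg-id|*/.gpg-id|.gitattributes)
                    continue ;;                       # pass/git metadata
                *.gpg)
                    is_openpgp "$f" || echo "NOT-ENCRYPTED $rel" ;;
                *)
                    echo "UNEXPECTED $rel" ;;         # stray plaintext file
            esac
        done
    )
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}
```

Entry names such as test/example.org are stored as plain file names, so the sync service sees them even when this check passes.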


  1. On non-NixOS Linuxes, you may want to use the native package, as home-manager’s shell completion is broken.