Pass with GPG

pass is a simple password manager that stores each password in its own gpg-encrypted file, not some obscure database. The files can in turn be put on Dropbox, git or any other file management service.

1Password

The author now uses 1Password.

Installing

pass must be installed alongside gpg. On NixOS: [1]

{
    # Must restart computer, otherwise you may hit this bug:
    # https://github.com/NixOS/nixpkgs/issues/35464#issuecomment-383894005
    programs.gnupg = {
      agent = {
        enable = true;
        enableExtraSocket = true;
        pinentryFlavor = "curses";
      };
    };
    environment.systemPackages = with pkgs; [
      pass
    ];
}

Using

Generate a GPG key:

gpg --full-gen-key

Initialize the password store, along with git:

pass init <email>
pass git init

Test:

pass insert test/example.org
pass show test/example.org
pass git push

Backup GPG key in Keybase

As of summer 2021, I no longer use Keybase. Re-using ProtonMail email keys is another option.

Since I already use Keybase, I store my GPG key securely in kbfs, and then import it on other computers.

gpg --export-secret-keys --armor "Sridhar Ratnakumar" > ~/keybase/private/srid/gpg/me.asc

Import GPG key

To import a GPG key (either from Keybase backup or from the canonical ProtonMail key):

gpg --import ~/keybase/private/srid/gpg/me.asc
gpg --edit-key <email> # and run `trust`

Android support

  • Set up Syncthing (use a .git alias file whose contents are gitdir: /path/to/.git, in order to exclude the git index from syncing)
  • Use Android apps: Password Store & OpenKeychain
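
The .git alias from the Syncthing item, as an added example (not from the original page): a shell function that moves the store's .git directory out of the synced folder and leaves a one-line gitfile in its place. The function name and both paths in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example: turn <store>/.git (a directory) into a gitfile that points at
# a git dir kept outside the Syncthing-shared folder, so only the encrypted
# .gpg files (plus the one-line .git file) are synced.
#
# Usage (assumed paths; pass defaults to ~/.password-store):
#   externalize_gitdir "$HOME/.password-store" "$HOME/.local/share/pass-git"

externalize_gitdir() {
    store=$1     # the synced password store
    gitdir=$2    # new home for the git metadata, outside the synced folder

    # Only act on a real .git directory; a second run finds a file and stops.
    if [ ! -d "$store/.git" ]; then
        echo "no .git directory in $store" >&2
        return 1
    fi
    if [ -e "$gitdir" ]; then
        echo "$gitdir already exists" >&2
        return 1
    fi
    case $gitdir in
        "$store"/*)
            # A target inside the store would still be synced.
            echo "gitdir must be outside the store" >&2
            return 1 ;;
        /*) ;;
        *)
            echo "gitdir must be an absolute path" >&2
            return 1 ;;
    esac

    mkdir -p "$(dirname "$gitdir")" || return 1
    mv "$store/.git" "$gitdir" || return 1
    # A regular file named .git containing "gitdir: <path>" is git's gitfile
    # format; git commands run in the store follow it to the real git dir.
    printf 'gitdir: %s\n' "$gitdir" > "$store/.git"
}
```

After running it, `pass git status` on the desktop should behave as before, since pass runs git inside the store directory.
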
Footnotes

1. On non-NixOS Linuxes, you may want to use the native package, as home-manager’s shell completion is broken.