Pass – A perfect shell based password manager

Pass is a tool to store and manage passwords and other data securely on the command line, even with built-in support for Git and remote Git repositories. Thus it is a welcome alternative to existing password managers, which often require a GUI or do not provide repository support.

What it is

Pass is a shell based password manager to store passwords and login data – or anything you want, actually. The name “the standard unix password manager” however is pretty misleading: the author wanted to stress that it only uses standard Unix tools, but failed to highlight that with a catchy name and instead just created confusion.

But the author is right with his main point: pass is in fact just gluing together already well known and tested Unix tools: the encryption of all information is ensured by GPG, passwords are queried using gpg-agent, the version control and remote repository support is done by Git, and the tool itself is written in shell code. Thus you have features you can rely on – in fact, if you want you can directly access the Git repository and the Gnupg files, you do not have to use Pass at all.

Pass stores information in simple files, which can be grouped in folders. While the main idea of Pass is to store one password per file, you can actually open each file with an editor and store as much information in it as you want. Each file is encrypted with the GPG key that was defined during the initial setup of Pass. As a result the Pass database is nothing but a folder full of other folders and GPG-encrypted files:

$ ls -1 $HOME/.password-store
business
commerce
financial
$ ls -1 $HOME/.password-store/business/
linkedin.com.gpg
example.com.gpg
important.com.gpg

Pass is included in all major distributions like Fedora, Ubuntu, Debian, and so on, and thus can be installed with the usual package management tools.

How it works

If you call Pass without any further options, it just outputs the content of its password store:

$ pass
Password Store
|-- business
|   |-- linkedin.com
|   |-- example.com
|   `-- important.com
|-- commerce
|   `-- amazon
|-- financial
|   |-- badbank.com
|   `-- mybank.com

The “.gpg” file extension is not shown here, presumably to avoid confusing users.
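Because the store is nothing but a directory tree, it can be inspected with plain POSIX tools. The script below is an added example and not part of Pass itself: it lists entries the way the pass command does (relative paths with the .gpg suffix stripped) and, more usefully for a defender, flags every regular file that is not an encrypted entry, a .gpg-id file, or Git metadata. Such leftovers (an editor swap file, an accidental plaintext export) would sit unencrypted right next to the ciphertext, so an audit should treat them as findings. The sample store it builds in a temporary directory, including the key id written to .gpg-id, is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of Pass: audit a password-store directory for
# anything that is not an encrypted entry.

# list_entries STORE: print entry names as `pass` shows them, i.e. paths
# relative to the store with the .gpg suffix removed, sorted.
list_entries() {
    ( cd "$1" && find . -type f -name '*.gpg' ! -path './.git/*' ) |
        sed -e 's|^\./||' -e 's|\.gpg$||' |
        sort
}

# find_stray_files STORE: print every regular file that is neither *.gpg,
# nor a .gpg-id recipient list, nor inside .git. Returns 1 if any exist,
# since they are likely plaintext sitting next to the encrypted entries.
find_stray_files() {
    stray=$( ( cd "$1" && find . -type f ! -name '*.gpg' ! -name '.gpg-id' ! -path './.git/*' ) |
        sed 's|^\./||' | sort )
    if [ -z "$stray" ]; then
        return 0
    fi
    printf '%s\n' "$stray"
    return 1
}

# make_sample_store DIR: build a constructed store layout for the demo,
# including two leftovers that a real audit should flag.
make_sample_store() {
    dir=$1
    mkdir -p "$dir/business" "$dir/financial" "$dir/.git/objects"
    printf 'PLACEHOLDER-KEY-ID\n' > "$dir/.gpg-id"   # constructed recipient list
    : > "$dir/business/example.com.gpg"             # encrypted entries (empty here)
    : > "$dir/business/linkedin.com.gpg"
    : > "$dir/financial/mybank.com.gpg"
    : > "$dir/.git/objects/pack"                     # Git metadata, ignored by the audit
    : > "$dir/business/.example.com.swp"             # editor swap file: plaintext leak
    : > "$dir/financial/export.txt"                  # accidental plaintext export
}

# Stand-alone demonstration on a constructed store in a temporary directory.
demo=$(mktemp -d)
make_sample_store "$demo"
echo "entries:"
list_entries "$demo"
echo "stray files:"
find_stray_files "$demo" || echo "-> audit failed: unencrypted leftovers found"
rm -rf "$demo"
```

Running it against a real store (find_stray_files "$HOME/.password-store") after an editor crash or a sync with another machine is a cheap way to confirm that nothing but ciphertext, .gpg-id and Git metadata ended up in the directory.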

Showing the content of a file is straightforward:

$ pass business/example.com
login:  example
pass:   password

Adding new entries can be done with the command pass insert $FOLDER/$FILENAME. But it might be more convenient to just use the default editor to edit a new file: pass edit $FOLDER/$FILENAME. That way multi-line information can be added more easily.

However, the real strength of Pass is that after each change – like adding a new password – git-add and git-commit are called: the new file is automatically committed to a local git repository:

$ pass edit business/example.com
[master 4c09c76] Added password for business/example.com using /usr/bin/vim.
 1 file changed, 0 insertions(+), 0 deletions(-)
 create mode 100644 business/example.com.gpg

As a result all changes are automatically under version control and can be reverted. But it gets better: Pass forwards arbitrary options and commands to Git itself. Thus it is possible to access the full functionality of Git – and to push the files to an online repository:

$ pass git push
Counting objects: 6, done.
Delta compression using up to 4 threads.
Compressing objects: 100% (4/4), done.
Writing objects: 100% (4/4), 823 bytes, done.
Total 4 (delta 1), reused 0 (delta 0)
To git@example.net:pass
   aa2aff7..2011296  master -> master

That way the password store can be shared with any remote Git repository – and thus can be re-used by other clients, given that they have the proper GPG key.

Missing pieces

As shown above Pass is almost perfect if you need a way to manage passwords (or any other data at all) on command line level, including repository and encryption support.

But while Pass replaced all my other password managers literally in a few minutes there is still one big feature I miss: the support for GUI tools! It would be nice if Pass support could be included in the major Desktop Environments and major GUI programs used in the Linux desktop world:

  • KDE’s Kwallet
  • Gnome’s Keyring
  • Android
  • Firefox
  • Chrome/Chromium

To summarize: Pass is great, but would be even better if it could serve as a backend for the usual GUI tools and desktop environments. There is already an experimental iOS client, so there is at least hope for an Android client…


17 thoughts on “Pass – A perfect shell based password manager”

  1. Not bad, though I think I’ll still stick with Dropbox+KeePassX. That just works on all platforms, including mobile ones, which means I can keep my passwords with me at work and on the go.

    1. Can you elaborate on that? In your example you were saving passwords for websites, which is what lastpass does.

    2. There are multiple reasons: I would not save my passwords on a service I do not host myself. I would not like to use a web page to access them (XSS, iFrame, ads from 3rd party servers). A central storage for passwords of thousands of users is an attractive aim for criminals. The encryption routines and the exact implementation of them lastpass uses are not open source afaik, thus I do not trust them at all.
      And, last but not least: I just feel better when I know that the encryption and decryption of the passwords is done locally, not on a distant server.

      But ymmv. =)

    3. That is not how lastpass actually works. It has been externally audited and is regularly audited by external parties. Lastpass has been designed so that companies using Lastpass can exactly control that it does what it says without having to trust Lastpass. Their design is actually pretty cool.

      If you want detailed information on how it works, I’d recommend listening to the Security Now episode featuring lastpass [1].

      A company I worked for wanted to use Lastpass and their security people did an audit. That audit was pretty easy to do because the sourcecode they needed was actually available. It is all in the bookmarklet which is plain text javascript. They compared the operation of the bookmarklet to the browser plugins and also monitored the network traffic. They do this for every new release of Lastpass. Simply speaking Lastpass encrypts everything on your computer and only the encrypted blob is sent to the server. And on the server the blob is not saved under your email address but rather a hash of that (a bit oversimplified) so that there is no connection between your email and the encrypted data.

      The Lastpass servers only serve to sync that blob between computers. Everything is fully operational offline (browser plugins, bookmarklets, mobile apps and desktop applications).

      Anyway. No matter whether you’re ever going to use lastpass, I’d still check out how it works because it is interesting nonetheless.

      [1] http://www.youtube.com/watch?v=r9Q_anb7pwg#t=52m44s

  2. There’s some nice features in terms of user interface, but I think it’s quite a bad idea to store one password per file. It reveals which site, service or whatever you have a password for. Very bad design IMHO. Of course you can use only one or a couple of files to keep your passwords, but it defeats the purpose of using pass, because you lose all pass specific features. So it’s simpler to use the gpg plugin for vim…

    Also, when you edit passwords using ‘pass edit foobar’, it doesn’t disable viminfo, so any mark, yanked lines and so on are unencrypted in your .viminfo file.

    The pass website proclaims itself ‘The Standard Unix Password Manager’. Where does that come from?

    For now, the vim gnupg plugin is more suited for password management.

    1. Hej Simon,
      the name is actually explained in detail in the article above. It is a quite badly chosen name; the author wanted to stress that pass uses mainly unix standard tools (cli, git, bash, etc.).

      About revealing the name via the single password file: which other way do you use with the vim gpg plugin? If you just use one single file there, the argument is pretty much invalid: you can do the same with pass as well.

      However, the viminfo is pretty interesting, I will dig deeper into that.
