Power Up Your Passwords with pass: A Guide for Command-Line Security

If you’re one to live in the terminal, you know it’s not just about code – it’s about safeguarding your work as well. Enter pass, the command-line password manager that’s both secure and refreshingly no-nonsense. Unlike many cloud-based tools, pass doesn’t need flashy GUIs or sync services – it’s all local, encrypted, and entirely under your control. Perfect for the terminal-minded DevOps professional, pass leverages GPG encryption to keep your data safe, without so much as a whiff of cloud storage unless you say so. Sound like your cup of tea?

Why pass?

Think of pass as the strong and silent type – all substance, no frills. This nifty little tool is ideal if you prefer your passwords under lock and key on your own machine. And, for the security-conscious, pass’s Git integration means you can still sync between devices, but only on your terms.

Getting Started with pass

1. Installation

Start by checking if pass is already installed:

pass --version        

No luck? Here’s the magic for installing it:

Debian/Ubuntu:

sudo apt install pass        

2. Setting Up GPG Keys

For secure password management, pass uses GPG encryption. Don’t have a GPG key pair yet? Let’s create one:

gpg --full-generate-key        

When prompted, select RSA (a standard choice), pick your preferred key size, and decide if you’d like an expiration date. After adding a strong passphrase, GPG will craft your new key pair.

To find your new GPG key ID, run:

gpg --list-secret-keys --keyid-format LONG        

The key ID will look something like ABCDEF1234567890.

3. Initialising pass with GPG

Once your GPG key is ready, initialise pass:

pass init "your-gpg-key-id"        

Replace "your-gpg-key-id" with your GPG key ID, and voilà! Your password manager is ready to start storing secrets.

Essential Commands in pass

Adding a Password

Add a password with:

pass insert foldername/passwordname        

You’ll be prompted to type in the password, which will then be securely stored.

Viewing a Password

Retrieve a password with:

pass foldername/passwordname        

This command decrypts and displays it in your terminal – best avoid peeking in public places!

Editing a Password

Change a stored password with:

pass edit foldername/passwordname        

Copying to Clipboard

Quickly copy a password to your clipboard with:

pass -c foldername/passwordname        

This keeps the password in your clipboard for a handy 45 seconds, after which pass clears it.

Listing All Passwords

Need an overview? Run:

pass ls        

Removing a Password

Delete a password with:

pass rm foldername/passwordname        

Syncing with Git

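If you’d like to keep your passwords accessible across devices, pass’s Git integration is a treat. Only the contents of each entry are encrypted; folder and entry names are stored as plain file names, so keep the remote repository private. Here’s how to set it up: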

Navigate to the password storage folder (~/.password-store by default):

cd ~/.password-store
git init
git remote add origin <your-git-repository-url>        

To save and sync your passwords, commit and push changes:

git add .
git commit -m "Initial commit of password store"
git branch -M main
git push -u origin main

To pull any updates from the remote repository:

git pull origin main        


Advanced Tips and Tricks

Folder Organisation

Group related passwords into folders for easy navigation:

pass insert work/email
pass insert personal/banking        

Sharing Passwords

Need to share a password with a trusted colleague? Add their GPG key first:

gpg --import /path/to/their-public-key-file        

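Then, re-encrypt the relevant passwords with both keys. The -p option limits this to one folder; without it, pass init re-encrypts the entire store for every key listed:

pass init -p foldername "your-gpg-key-id" "their-gpg-key-id"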
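
To check who can decrypt what after sharing, the script below resolves recipients from the store layout: pass records the key IDs it encrypts to in .gpg-id files, and each entry uses the nearest one at or above its folder. It is an added example, not code from pass or from this article; the function names, key IDs and sample store are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: which GPG key IDs can decrypt which pass entries, based on
# the .gpg-id files in the store (nearest one at or above the entry wins).

# recipients_for STORE ENTRY -> space-separated key IDs for that entry
recipients_for() {
    local store="${1%/}" entry="$2" dir
    dir="$store/$(dirname "$entry")"
    dir="${dir%/.}"                       # entry sits directly in the store root
    # Walk upwards until a .gpg-id is found or the store root is reached.
    while [ "$dir" != "$store" ] && [ ! -f "$dir/.gpg-id" ]; do
        dir="${dir%/*}"
    done
    [ -f "$dir/.gpg-id" ] || return 1     # store was never initialised
    # One key ID per line; skip blank lines and join with spaces.
    grep -v '^[[:space:]]*$' "$dir/.gpg-id" | paste -sd' ' -
}

# entries_readable_by STORE KEYID -> entry names whose recipients include KEYID
entries_readable_by() {
    local store="${1%/}" key="$2" file entry
    find "$store" -type f -name '*.gpg' ! -path "$store/.git/*" | sort |
    while IFS= read -r file; do
        entry="${file#"$store"/}"
        entry="${entry%.gpg}"
        case " $(recipients_for "$store" "$entry") " in
            *" $key "*) printf '%s\n' "$entry" ;;
        esac
    done
}

# Constructed sample store: the key IDs and entry names are made up, and the
# .gpg files are empty placeholders (no real ciphertext is needed here).
make_demo_store() {
    local s
    s="$(mktemp -d)"
    mkdir -p "$s/work/team" "$s/personal"
    printf '%s\n' AAAA1111AAAA1111 > "$s/.gpg-id"
    printf '%s\n' AAAA1111AAAA1111 BBBB2222BBBB2222 > "$s/work/.gpg-id"
    : > "$s/work/email.gpg"
    : > "$s/work/team/db.gpg"
    : > "$s/personal/banking.gpg"
    printf '%s\n' "$s"
}

store="$(make_demo_store)"
echo "Entries the second key can decrypt:"
entries_readable_by "$store" BBBB2222BBBB2222
rm -rf "$store"
```

It reads only the .gpg-id policy files and never touches ciphertext or keys.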

Handy Aliases

Save time by setting up aliases in your .zshrc or .bashrc file:

alias p="pass"
alias pi="pass insert"
alias pe="pass edit"
alias pr="pass rm"        

Pros and Cons of Using pass

Pros:

  • Top-notch Security: Leveraging trusted GPG encryption keeps everything on lockdown.
  • Git-Friendly: Versioning and syncing without the need for the cloud.
  • Lightweight and Free: No unnecessary extras, just the essentials for password management.
  • Open Source: Trusted by the community and free from big-corp lock-in.

Cons:

  • Learning Curve: It’s all CLI, which may feel a bit rustic to newcomers.
  • GPG Dependent: Understanding GPG is a must.
  • Manual Syncing: You’ll need to use Git or another custom sync method.
  • No Autofill: While browser extensions exist, pass doesn’t natively support autofill.


Other Password Management Tools to Consider (I haven't tried them out)

1. Bitwarden

Pros: Offers cloud-based syncing, browser autofill, and mobile app support.

Cons: Relies on Bitwarden’s servers for syncing unless self-hosted.

2. KeePass / KeePassXC

Pros: Local encryption, cross-platform compatibility, and flexible plugins.

Cons: No built-in sync – you’ll need third-party tools for that.

3. 1Password

Pros: Polished and feature-rich, with excellent autofill and sharing options.

Cons: Requires a subscription, and it’s not open source.

4. LastPass

Pros: Reliable autofill and syncing options for both free and paid users.

Cons: Past security breaches may concern some users.

Wrapping Up

If you’re after a secure, no-nonsense password manager that stays local by default, pass could be the perfect fit. It may lack the slick features of commercial options like 1Password or Bitwarden, but for a terminal-focused user who values control, it’s hard to beat.

Yes, there’s a bit of a learning curve, especially if GPG and Git are new to you. But with the right setup, pass offers a tidy, customisable solution that doesn’t rely on a third-party cloud. Perfect for DevOps pros, developers, or anyone who wants their passwords kept strictly under wraps.

Now, off you go – give pass a try, and take command of your terminal (and your passwords) like the power user you are!


More articles by Joy Johansson
