Install Pass
Overview
Pass is a command-line tool to manage encrypted passwords.
"Pass makes managing individual password files extremely easy. All passwords live in ~/.password-store, and pass provides some nice commands for adding, editing, generating, and retrieving passwords. It is a very short and simple shell script. It's capable of temporarily putting passwords on your clipboard and tracking password changes using git.
With pass, each password lives inside of a gpg encrypted file whose filename is the title of the website or resource that requires the password. These encrypted files may be organized into meaningful folder hierarchies, copied from computer to computer, and, in general, manipulated using standard command line file management utilities."
Reference: passwordstore.org
Pass has really good documentation available
Ref | Link |
---|---|
1 | password store |
2 | definitive guide to password |
3 | gopass - go version |
GPG Configuration
Pass uses GPG; make sure it is installed on your host device.
- Generate a GPG key for the password store
- Remember the password used for GPG, as it will be used to access the password-store
    gpg --full-gen-key
Note: the following is an example config:
- RSA
- Key Size (3072)
- Key lifespan (0) i.e. does not expire
Git Configuration
Pass uses Git; make sure it is installed on your host device.
- Initialise git username
    git config --global user.name "github username"
- Initialise git email address
    git config --global user.email "github email address"
Pass Configuration
- Install the package
    sudo apt install -y pass
- Initialise the password-store (use the email address associated with the gpg key, i.e. the one shown by gpg -k)
    pass init [email address]
- Initialise git repo for password-store
    pass git init
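Once the store is initialised and under git, the layout described in the overview (one gpg-encrypted file per entry under ~/.password-store) can be checked mechanically. The following is an added example, not part of pass or of the original page; the function name audit_store and the finding labels are made up for illustration, and the demo store is constructed.

```sh
#!/bin/sh
# Added example, not part of pass: audit the layout of a password store.
# Prints one finding per line; returns 0 if clean, 1 if there are findings,
# 2 if the store directory does not exist. audit_store is a made-up name.
audit_store() {
    store=${1:-${PASSWORD_STORE_DIR:-$HOME/.password-store}}
    [ -d "$store" ] || { echo "NO_STORE $store"; return 2; }
    findings=$(
        # pass init records the GPG recipient in .gpg-id
        [ -s "$store/.gpg-id" ] || echo "NO_GPG_ID $store/.gpg-id"
        # Entries are *.gpg files. Anything else outside .git is probably
        # plaintext, and pass git init commits whatever is in the store.
        find "$store" -path "$store/.git" -prune -o -type f \
            ! -name '*.gpg' ! -name '.gpg-id' ! -name '.gitattributes' \
            -print | sed 's/^/NOT_ENCRYPTED /'
        # pass writes with umask 077, so any group/other permission bit
        # means the file or directory was copied or chmod-ed by hand.
        find "$store" -path "$store/.git" -prune -o ! -type l \
            \( -perm -040 -o -perm -020 -o -perm -010 \
               -o -perm -004 -o -perm -002 -o -perm -001 \) \
            -print | sed 's/^/LOOSE_PERMS /'
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings" | sort
    return 1
}

# Constructed demo store: one entry with loose permissions, one stray note.
demo=$(mktemp -d)
( umask 077
  mkdir -p "$demo/web"
  echo "0xCONSTRUCTED" > "$demo/.gpg-id"
  : > "$demo/web/github.gpg"
  echo "constructed secret" > "$demo/web/notes.txt" )
chmod 644 "$demo/web/github.gpg"
audit_store "$demo" || echo "audit_store exit code: $?"
rm -rf "$demo"
```

Run audit_store with no argument to check ~/.password-store (or $PASSWORD_STORE_DIR if it is set).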
General Usage
Insert a Secret
- Insert a password e.g. store a password token with the name github
    pass insert github
NOTE: When prompted for a password, enter the password/secret to be stored.
Retrieve a Secret to the Terminal
- Retrieve a secret from the command line
    pass github
Retrieve a Secret to the Clipboard
- Retrieve a secret to the clipboard
    pass -c github
Delete an existing Secret
- Delete an existing secret
    pass rm github
Optional: ChromeOS Clipboard
NOTE: ChromeOS v1.29 supports Pass clipboard!! Only do this step if you use ChromeOS and the standard clipboard method doesn't work. The following section shows you how to replace it with an alternative method that is compatible with ChromeOS buffer capture.
- Edit the bash file /usr/bin/pass. On ChromeOS the clipboard won't allow xclip to copy content.
    sudo vi /usr/bin/pass
- Rename the existing clip function to clip2()
    clip2() {
        # This base64 business is because bash cannot store binary data in a shell
        # variable. Specifically, it cannot store nulls nor (non-trivially) store
        # trailing new lines.
        local sleep_argv0="password store sleep on display $DISPLAY"
        pkill -f "^$sleep_argv0" 2>/dev/null && sleep 0.5
        local before="$(xclip -o -selection "$X_SELECTION" 2>/dev/null | $BASE64)"
        echo -n "$1" | xclip -selection "$X_SELECTION" || die "Error: Could not copy data to the clipboard"
        (
            ( exec -a "$sleep_argv0" bash <<<"trap 'kill %1' TERM; sleep '$CLIP_TIME' & wait" )
            local now="$(xclip -o -selection "$X_SELECTION" | $BASE64)"
            [[ $now != $(echo -n "$1" | $BASE64) ]] && before="$now"

            # It might be nice to programmatically check to see if klipper exists,
            # as well as checking for other common clipboard managers. But for now,
            # this works fine -- if qdbus isn't there or if klipper isn't running,
            # this essentially becomes a no-op.
            #
            # Clipboard managers frequently write their history out in plaintext,
            # so we axe it here:
            qdbus org.kde.klipper /klipper org.kde.klipper.klipper.clearClipboardHistory &>/dev/null

            echo "$before" | $BASE64 -d | xclip -selection "$X_SELECTION"
        ) >/dev/null 2>&1 & disown
        echo "Copied $2 to clipboard. Will clear in $CLIP_TIME seconds."
    }
- Add the following code as a new clip function
    clip() {
        # Note: unlike clip2() above, this function does not clear or restore
        # the clipboard after $CLIP_TIME seconds.
        # input=$( cat "$@" )
        # The secret arrives as the first argument; assign it directly, since
        # echo would swallow a value such as "-n".
        input=$1
        input() { printf %s "$input" ;}
        known() { command -v "$1" >/dev/null ;}
        maybe() { known "$1" && input | "$@" ;}
        alive() { known "$1" && "$@" >/dev/null 2>&1 ;}

        # copy to tmux
        test -n "$TMUX" && maybe tmux load-buffer -

        # copy via X11
        test -n "$DISPLAY" && alive xhost && {
            maybe xsel -i -b || maybe xclip -sel c
        }

        # copy via OSC 52 (terminal escape sequence carrying base64 data)
        printf_escape() {
            esc=$1
            # test -n "$TMUX" -o -z "${TERM##screen*}" && esc="\033Ptmux;\033$esc\033\\"
            test -n "$TMUX" -o -z "${TERM##screen*}" && esc="\033P;\033$esc\033\\"
            printf "$esc"
        }

        # longer input is truncated to $max bytes, with a warning on stderr
        len=$( input | wc -c )
        max=74994
        test $len -gt $max && echo "$0: input is $(( len - max )) bytes too long" >&2
        printf_escape "\033]52;c;$( input | head -c $max | base64 | tr -d '\r\n' )\a"
    }
- Quit Vi: press the Esc key, then enter
    :wqa