Setting up pass on OS X

September 10, 2012

Over the weekend there was a post on Hacker News about Pass, the standard unix password manager now being on Homebrew. I hadn’t heard of pass before, so I did a bit of reading about it. From the announcement post:

Password management should be simple and follow Unix philosophy. With pass, each password lives inside of a gpg encrypted file whose filename is the title of the website or resource that requires the password. These encrypted files may be organized into meaningful folder hierarchies, copied from computer to computer, and, in general, manipulated using standard command line file management utilities.

Basically it is an open source, command line version of 1Password. When I saw it I was pretty excited, as I was thinking of doing something exactly like this the other week. So I tried it out. I checked the source on GitHub and there was a single bash script of a couple of hundred lines, so I was a bit suprised when I installed it:

  <td class='code'>
    <pre><code class=''>&lt;span class='line'>$ brew install pass

==> Installing pass dependency: xz ==> Installing pass dependency: pwgen ==> Installing pass dependency: tree ==> Installing pass dependency: libgpg-error ==> Installing pass dependency: libgcrypt (5 minutes later) ==> Installing pass dependency: libksba ==> Installing pass dependency: libassuan ==> Installing pass dependency: pkg-config ==> Installing pass dependency: pinentry ==> Installing pass dependency: pth ==> Installing pass dependency: gpg-agent ==> Installing pass dependency: dirmngr ==> Installing pass dependency: libusb ==> Installing pass dependency: libusb-compat ==> Installing pass dependency: gnupg2 ==> Installing pass /usr/local/Cellar/pass/1.1.4: 6 files, 52K, built in 2 seconds

Not exactly lightweight… But ok I thought and continued.

To set it up you need to run pass init and pass the ID of a GPG key. I didn’t have GPG setup (brew had only just installed it), but I assumed it would do all the magic for me.

  <td class='code'>
    <pre><code class=''>&lt;span class='line'>$ pass init "Luca Password Key"

Password store initialized for Luca Password Key.

1
2

All good. So I tried generating a key:

  <td class='code'>
    <pre><code class=''>&lt;span class='line'>$ pass generate -c Facebook 16

gpg: directory /Users/luca/.gnupg' created gpg: new configuration file/Users/luca/.gnupg/gpg.conf’ created gpg: WARNING: options in /Users/luca/.gnupg/gpg.conf' are not yet active during this run gpg: keyring/Users/luca/.gnupg/secring.gpg’ created gpg: keyring `/Users/luca/.gnupg/pubring.gpg’ created gpg: Luca Password Key: skipped: No public key gpg: [stdin]: encryption failed: No public key Copied Facebook to clipboard. Will clear in 45 seconds.

Hmm ok, maybe not. Not a very friendly error. I had a rough idea of what GPG does but I had never used it before. So how does gpg work?

  <td class='code'>
    <pre><code class=''>&lt;span class='line'>$ gpg

zsh: command not found: gpg

1
2

Err? Back to the source, it turns out it runs a command gpg2.

  <td class='code'>
    <pre><code class=''>&lt;span class='line'>$ gpg2

gpg: Go ahead and type your message …

1
2

Hmm. I’m guessing that’s not right. To Google!

I found a blog post, OpenPGP for complete beginners which explained it. It is rather indepth, but if you are interested it is worth a read. Here is what you need to set it up for pass.

First you need to generate a key:

  <td class='code'>
    <pre><code class=''>&lt;span class='line'>$ gpg2 --gen-key

gpg (GnuPG) 2.0.19; Copyright © 2012 Free Software Foundation, Inc. This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. Please select what kind of key you want: (1) RSA and RSA (default) (2) DSA and Elgamal (3) DSA (sign only) (4) RSA (sign only) Your selection?

As stated by the article, the defaults are fine, so just press enter. It then asks you for the key length.

  <td class='code'>
    <pre><code class=''>&lt;span class='line'>RSA keys may be between 1024 and 4096 bits long.

What keysize do you want? (2048)

1
2

Rather than the default I opted for 4096. There is a warning in the article that it takes longer to generate and encrypt, but as I am only going to be encrypting passwords the trade off is worth it. It then asks how long the key should be valid for:

  <td class='code'>
    <pre><code class=''>&lt;span class='line'>Please specify how long the key should be valid.

0 = key does not expire <n> = key expires in n days <n>w = key expires in n weeks <n>m = key expires in n months <n>y = key expires in n years Key is valid for? (0)

For just encrypting passwords locally the default is fine, so just hit enter again. It’ll warn you that it will never expire, so type y to confirm and hit enter.

It’ll then ask you for your name and email. This isn’t really needed for local encryption, but heh, do what it says. At the end you’ll see a prompt to continue:

  <td class='code'>
    <pre><code class=''>&lt;span class='line'>Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit?&lt;/span></code></pre>
  </td>
</tr>

Type o and hit enter to confirm. You’ll then get a prompt for a pass phrase. This will be your master password for all other passwords, so ensure it is strong.

After this it needs a lot of entropy to generate a secure key. Go back to whatever you were doing before this, and check back in a few minutes. When it is done you’ll see something like this:

  <td class='code'>
    <pre><code class=''>&lt;span class='line'>gpg: checking the trustdb

gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u pub 4096R/11223344 2009-07-17 Key fingerprint = <36-CHARACTER KEY FINGERPRINT> uid Real Name (http://example.com/) <name@example.com> sub 4096R/55667788 2009-07-17

Success! Next back to pass. You need to pass it the key id to initialise it, in this case it is the 8 character ID after the pub section: 11223344

  <td class='code'>
    <pre><code class=''>&lt;span class='line'>$ pass init 11223344

Password store initialized for 11223344.

1
2

If you then try generating a password again you shouldn’t get any errors:

  <td class='code'>
    <pre><code class=''>&lt;span class='line'>$ pass generate -c Facebook 16

Copied Facebook to clipboard. Will clear in 45 seconds.

1
2

Paste it somewhere, then to double check it is working, ask for the password back. It’ll prompt you for the master passphrase you gave to gpg2 when generating your key.

  <td class='code'>
    <pre><code class=''>&lt;span class='line'>$ pass Facebook

You need a passphrase to unlock the secret key for user: “Real Name (http://example.com/) <name@example.com>“ 4096-bit RSA key, ID 55667788, created 2009-07-17 (main key ID 11223344) Cahri;x2li-f3Zeo

It should match, which means success!

Read more