GPG is the encryption backend used by pass. You’ll need to install it and create a key in order to use pass. The package name will be something like ‘gpg/gpg2’ or ‘gnupg/gnupg2’ depending on your distro. Once installed set it up with:
gpg --full-gen-key
You can accept all of the default options by pressing enter.
If you want to have your key unlocked at login, then you need to use the same password as your user. In general, I recommend against doing that. In the next step, we’ll see how to make sure our key is unlocked safely whenever we need it.
Whenever a program tries to use your key, it needs to have your private key in memory. Basically, pass will use gpg to either encrypt or read passwords from the password store. If you don’t have your key unlocked, then pass will fail.
Gpg-agent is in charge of storing your key in memory. Once gpg agent is installed, pass can ask it for your key whenever you need to retrieve a password. By default, it will store your key in memory for 600 seconds; you can change this by editing ~/.gnupg/gpg-agent.conf
You still need to install a pinentry program to use gpg-agent. Otherwise, gpg-agent has no way to actually prompt you to insert a password. I use pinentry-dmenu which should exist in most distro’s repos. After installing your pinentry program, you need to point gpg-agent to the program. For example, to use pinentry-dmenu add this to your gpg-agent config:
pinentry-program /usr/bin/pinentry-dmenu
Now restart gpg-agent if it is already running:
gpg-connect-agent reloadagent /bye
Pass is by far the easiest part of the equation. Simply install it, and point it to the email you used to create your gpg key pair.
pass init <youremail@email.com>
You can then start adding passwords with ‘pass insert site.com/username.’ For example:
pass insert protonmail.com/thonkepeasant
You can then get pass to show the password to STDOUT in much the same way.
pass show protonmail.com/thonkpeasant
The nice thing about pass is that all of its parts are easily scriptable. This makes it easy to create a script on a server that lets us retrieve passwords easily.
On the server-side, follow all of the above steps except creating a key. You’ll use the same key on the server as your local machine. You also need to switch out the pinentry program with a cli alternative like pinentry-curses or the vanilla ‘pinentry’ in order to retrieve passwords via ssh.
Now you can copy everything over to your server with a tool like rsync. To sync the gpg key use:
rsync -rtvzP -e 'ssh -p <ssh-port>' .gnupg <serveruser>@<severip>:~/
Now edit the gpg config to use your alternative pinentry program on the server.
You can then safely copy your password store (make sure your ssh connection is secure).
rsync -rtvzP -e 'ssh -p <ssh-port>' .password-store <serveruser>@<severip>:~/
You’ll need to rerun that last command every time you add a password to your password store.
You can manually extract passwords via the command line over ssh, or you can use a script like mine to make things a bit easier. Note: this script requires fzf.