
Unix Pass Password Manager - Complete Setup Guide

Comprehensive guide to using the Unix Pass password manager with GPG encryption, hierarchical organization, and cross-platform access

Unix Pass Password Manager: A Comprehensive Guide

Introduction

Unix Pass is the standard Unix password manager that follows Unix philosophy: each password is stored in a GPG-encrypted file, organized in a hierarchical directory structure. It's simple, secure, and integrates well with tools like Git for version control. This guide covers setting up Pass with separate domains for personal, tech, and business use, each with its own GPG key, along with usage on desktop (including dmenu/rofi integration) and mobile Android.

Installation

Install Pass on Linux:

  • Arch Linux: sudo pacman -S pass
  • Ubuntu/Debian: sudo apt install pass
  • Fedora: sudo dnf install pass
  • Gentoo: emerge -av pass
  • macOS: brew install pass
  • FreeBSD: pkg install password-store
  • From source: Clone from https://git.zx2c4.com/password-store/ and follow the README.

Ensure GPG is installed: gpg --version. If not, install gnupg.

Basic Setup with GPG

  1. Generate a GPG key if you don't have one:

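    gpg --gen-key

    Follow the prompts to create a key (e.g., RSA 4096, real name, email). On GnuPG 2.1 and later, gpg --gen-key asks only for a name and email and applies default algorithms; use gpg --full-generate-key to choose the key type and size.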

  2. Initialize the password store:

    pass init "Your GPG Key ID"

    Find your key ID with gpg --list-keys.

  3. (Optional) Initialize as a Git repository for syncing:

    pass git init
    pass git remote add origin <remote-repo-url>

Setting Up Separate Domains with Separate GPG Keys

Pass supports encrypting different subdirectories with different GPG keys. This allows compartmentalization: personal passwords separate from tech/business.

  1. Create separate GPG keys for each domain:

    gpg --gen-key  # For personal
    gpg --gen-key  # For tech
    gpg --gen-key  # For business

    Use distinct emails or names, e.g., "Personal Key personal@example.com".

  2. Initialize sub-stores with specific keys:

    pass init -p personal "Personal GPG Key ID"
    pass init -p tech "Tech GPG Key ID"
    pass init -p business "Business GPG Key ID"

  3. Structure your store:

    ~/.password-store/
    ├── personal/
    ├── tech/
    └── business/

    Now, commands like pass insert personal/email will use the personal key.

For multi-user/team sharing, specify multiple keys: pass init -p business "Your Key" "Colleague Key".
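
Which key an entry is encrypted to follows from the nearest .gpg-id file found when walking up from the entry's directory to the store root. The script below is an added example, not part of pass or of the original guide; the function names gpg_id_for and audit_store are made up for illustration. It lists every entry with the key IDs that govern it, so an entry that silently falls back to the root key, or has no .gpg-id at all, stands out.

```shell
#!/bin/sh
# Added example (hypothetical helper names): map each entry to its .gpg-id.

# gpg_id_for STORE ENTRY_FILE
# Prints the path of the nearest .gpg-id at or above the entry's directory,
# never looking above STORE. Returns 1 if none exists.
gpg_id_for() {
    store=${1%/}
    dir=$(dirname "$2")
    while :; do
        if [ -f "$dir/.gpg-id" ]; then
            printf '%s\n' "$dir/.gpg-id"
            return 0
        fi
        [ "$dir" = "$store" ] && return 1
        case $dir in
            "$store"/*) dir=$(dirname "$dir") ;;
            *) return 1 ;;            # entry is not inside the store
        esac
    done
}

# audit_store STORE
# Prints "<entry><TAB><comma-separated key IDs>" for every *.gpg file.
audit_store() {
    store=${1%/}
    find "$store" -type f -name '*.gpg' | sort | while IFS= read -r f; do
        entry=${f#"$store"/}
        entry=${entry%.gpg}
        if id_file=$(gpg_id_for "$store" "$f"); then
            ids=$(grep -v '^[[:space:]]*$' "$id_file" | paste -sd, -)
        else
            ids='NO-GPG-ID'
        fi
        printf '%s\t%s\n' "$entry" "$ids"
    done
}

# Usage: sh audit.sh "${PASSWORD_STORE_DIR:-$HOME/.password-store}"
if [ "$#" -gt 0 ]; then
    audit_store "$1"
fi
```

This reads the .gpg-id files only; it does not inspect which keys an existing .gpg file was actually encrypted to.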

Basic Usage

  • List passwords: pass
  • Show a password: pass personal/email
  • Copy to clipboard: pass -c personal/email (clears after 45 seconds)
  • Insert new: pass insert personal/new-site (prompts for password)
  • Generate random: pass generate personal/new-site 12
  • Edit: pass edit personal/site (opens in editor)
  • Remove: pass rm personal/site

For multiline entries (password + metadata):

    pass insert -m personal/amazon
    # Enter:
    mypassword123
    URL: https://amazon.com
    Username: myuser

pass -c personal/amazon copies only the first line (the password) to the clipboard.
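
For scripts that need the metadata lines as well as the password, the multiline layout above can be parsed from the output of pass show. This is an added example, not part of pass or of the original guide; entry_password, entry_field and sample_entry are hypothetical names, and the sample entry is constructed to match the one shown above.

```shell
#!/bin/sh
# Added example (hypothetical helper names): read fields from a multiline entry.

# entry_password: print line 1 of the entry read from stdin.
entry_password() {
    sed -n '1p'
}

# entry_field NAME: print the value of the first "NAME: value" line.
# Line 1 is always treated as the password, even if it contains a colon.
# Only the first colon splits key from value, so URLs survive intact.
# The key match is case-insensitive. Returns 1 if the field is absent.
entry_field() {
    awk -v want="$1" '
        NR == 1 { next }
        {
            i = index($0, ":")
            if (i == 0) next
            key = substr($0, 1, i - 1)
            if (tolower(key) != tolower(want)) next
            val = substr($0, i + 1)
            sub(/^[ \t]+/, "", val)
            print val
            found = 1
            exit
        }
        END { exit (found ? 0 : 1) }
    '
}

# Constructed sample entry, same layout as the personal/amazon example.
sample_entry() {
    printf '%s\n' 'mypassword123' 'URL: https://amazon.com' 'Username: myuser'
}

# Real use: pass show personal/amazon | entry_field username
```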

Integration with dmenu and rofi

Pass includes passmenu, a dmenu-based interface for selecting passwords.

  • Install dmenu or rofi.
  • Run passmenu to fuzzy-search and copy passwords.

To use rofi instead:

  • Install rofi-pass: git clone https://github.com/carnager/rofi-pass && cd rofi-pass && sudo make install
  • Or symlink rofi as dmenu: ln -s /usr/bin/rofi /usr/local/bin/dmenu (may need adjustments).

rofi-pass provides a rofi frontend with features like:

  • Fuzzy search
  • Type username/password
  • Autofill
  • OTP support (with pass-otp extension)

Bind to a hotkey, e.g., Super+P, for quick access.

Using Pass on Mobile Android

Use the "Password Store" app from F-Droid or Google Play (dev.msfjarvis.aps).

  1. Install the app.
  2. Clone your Git repository (if using Git sync).
  3. Import GPG keys: Use OpenKeychain to manage keys, export from desktop with gpg --export-secret-keys -a "Key ID" > key.asc, transfer to phone, import.
  4. Open the app, point to ~/.password-store (or custom path).
  5. Decrypt and view passwords; supports autofill via Accessibility Service or Autofill Framework (Android 8+).
  6. Supports OTP with pass-otp.

Alternatively, use Termux:

  • Install Termux, then pkg install pass gnupg git
  • Clone repo, import GPG keys.
  • Use pass commands as on desktop.

Additional Features and Best Practices

Extensions

  • pass-otp: OTP tokens. pass otp insert -e totp site (install from https://github.com/tadfisher/pass-otp)
  • pass-import: Import from other managers (KeePass, LastPass, etc.)
  • pass-update: Bulk password updates
  • pass-tomb: Encrypt store in a Tomb container
  • browserpass: Browser extension for autofill (Chrome/Firefox)

Best Practices

  • Use strong, unique GPG passphrases.
  • Regularly back up your ~/.password-store and GPG keys.
  • Sync via Git: pass git push/pull.
  • Revoke compromised keys and re-encrypt affected passwords.
  • For shared access, use multiple keys per sub-store.
  • Avoid storing passwords in plain text; always encrypt.
  • Test recovery: Export GPG keys and store offline.

Advanced Tips

  • Environment variables: Set PASSWORD_STORE_DIR for custom path.
  • Batch operations: Use scripts for bulk inserts.
  • Integration with scripts: pass show site | head -n 1 for password extraction.
  • Audit: pass find <term> to search.

Pass is minimalist yet powerful, emphasizing security and simplicity. Start small, then explore extensions as needed.

For more, see https://www.passwordstore.org/.