Linux: GPG-keys, Pass – passwords manager, and passwords import from the KeePass database

By | 04/25/2019
 

pass – a password manager for Linux/UNIX.

Stores data in tree-based directories/files structure and encrypts files with a GPG-key.

In Arch Linux present by default, in Debian can be installed using apt from default repositories:

sudo apt install pass

For macOS can be installed with Homebrew:

brew install pass

The pass itself is just a bash-script:

head /usr/bin/pass
!/usr/bin/env bash
Copyright (C) 2012 - 2018 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.
This file is licensed under the GPLv2+. Please see COPYING for more information.
umask "${PASSWORD_STORE_UMASK:-077}"
set -o pipefail
GPG_OPTS=( $PASSWORD_STORE_GPG_OPTS "--quiet" "--yes" "--compress-algo=none" "--no-encrypt-to" )
GPG="gpg"

GPG keys management

Creating GPG key

The pass require a GPG-key to encrypt and decrypt files so let’s create it first:

gpg --full-gen-key
...
Please select what kind of key you want:
(1) RSA and RSA (default) // leave default RSA and RSA
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
Your selection?
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048)  // leave default  2048
Requested keysize is 2048 bits
Please specify how long the key should be valid.
0 = key does not expire
<n>  = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0)  // leave default  0 - valide forever
Key does not expire at all
Is this correct? (y/N) y
GnuPG needs to construct a user ID to identify your key.
Real name: example
Email address: example@example.com
Comment:
You selected this USER-ID:
"example <example@example.com>"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
...

Then a window will appear asking to set up a password for your GPG-key:

Enter the desired password and finish the key generation:

...
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: key 714F9CBFDA191430 marked as ultimately trusted
gpg: revocation certificate stored as '/home/setevoy/.gnupg/openpgp-revocs.d/E130BB49AAA234F2BE2A7F96714F9CBFDA191430.rev'
public and secret key created and signed.
pub   rsa2048 2019-04-25 [SC]
E130BB49AAA234F2BE2A7F96714F9CBFDA191430
uid                      example <example@example.com>
sub   rsa2048 2019-04-25 [E]

Check public keys in your storage:

gpg --list-keys
gpg: checking the trustdb
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   2  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 2u
/home/setevoy/.gnupg/pubring.kbx
--------------------------------
pub   rsa2048 2010-02-11 [SC]
1C61A2656FB57B7E4DE0F4C1FC918B335044912E
uid           [ unknown] Dropbox Automatic Signing Key <linux@dropbox.com>
pub   rsa2048 2011-04-26 [SC]
FCF986EA15E6E293A5644F10B4322F04D67658D8
uid           [ unknown] FFmpeg release signing key <ffmpeg-devel@ffmpeg.org>
sub   rsa2048 2011-04-26 [E]
pub   rsa4096 2018-04-02 [SC]
ABBAD1CB484F53024CF5868B69332F9203F21F5C
uid           [ unknown] Andrew Richards (cancel) <cancel@cancel.fm>
sub   rsa2048 2019-01-28 [S]
sub   rsa4096 2018-04-02 [E]
pub   rsa2048 2019-04-25 [SC]
DEB0D4AD41CC2612B1944D448D22D6610B2F6067
uid           [ultimate] setevoy (my main) <reg@domain.kiev.ua>
sub   rsa2048 2019-04-25 [E]
pub   rsa2048 2019-04-25 [SC]
E130BB49AAA234F2BE2A7F96714F9CBFDA191430
uid           [ultimate] example <example@example.com>
sub   rsa2048 2019-04-25 [E]

And your private keys:

gpg --list-secret-keys
/home/setevoy/.gnupg/pubring.kbx
--------------------------------
sec   rsa2048 2019-04-25 [SC]
DEB0D4AD41CC2612B1944D448D22D6610B2F6067
uid           [ultimate] setevoy (my main) <reg@domain.kiev.ua>
ssb   rsa2048 2019-04-25 [E]

Deleting key

To delete a key first need to delete its private part, and after then – its public part.

Remove the private key:

gpg --delete-secret-key E130BB49AAA234F2BE2A7F96714F9CBFDA191430
gpg (GnuPG) 2.2.15; Copyright (C) 2019 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
sec  rsa2048/714F9CBFDA191430 2019-04-25 example <example@example.com>
Delete this key from the keyring? (y/N) y
This is a secret key! - really delete? (y/N) y

As an argument to the --delete-secret-key option a key’s fingerprint or ID (name) can be passed, here it is the “example“.

Now the public key can be removed using the --delete-key option:

gpg --delete-key E130BB49AAA234F2BE2A7F96714F9CBFDA191430
gpg (GnuPG) 2.2.15; Copyright (C) 2019 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
pub  rsa2048/714F9CBFDA191430 2019-04-25 example <example@example.com>
Delete this key from the keyring? (y/N) y

Backuping GPG-keys

As this key(s) will be used to decrypt data – we don’t want to lose it.

You can create a backup just by copying the whole ~/.gnupg directory (in case if GnuPG package is used):

ll .gnupg/
total 52
drwx------ 2 setevoy setevoy  4096 Jan 22 12:44 crls.d
drwx------ 2 setevoy setevoy  4096 Apr 25 10:04 openpgp-revocs.d
drwx------ 2 setevoy setevoy  4096 Apr 25 10:11 private-keys-v1.d
-rw-r--r-- 1 setevoy setevoy 13732 Apr 25 10:14 pubring.kbx
-rw-r--r-- 1 setevoy setevoy 12317 Apr 25 09:58 pubring.kbx~
-rw-r----- 1 setevoy setevoy   676 Apr 25 09:54 sshcontrol
-rw------- 1 setevoy setevoy  1440 Apr 25 10:14 trustdb.gpg

Or by exporting private keys to a dedicated storage:

gpg --export-secret-keys > ~/Dropbox/Backups/gpg-setevoy-arch-work-secret-backup.gpg

During the export operation – a password will be asked:

Later you can restore keys using the --import option.

Remove an existing key:

gpg --delete-secret-key setevoy

And restore it from the backup:

gpg --import ~/Dropbox/Backups/gpg-setevoy-arch-work-secret-backup.gpg
gpg: key 8D22D6610B2F6067: "setevoy (my main) <reg@domain.kiev.ua>" not changed
gpg: key 8D22D6610B2F6067: secret key imported
gpg: Total number processed: 1
gpg:              unchanged: 1
gpg:       secret keys read: 1
gpg:   secret keys imported: 1

Check now:

gpg --list-secret-keys
/home/setevoy/.gnupg/pubring.kbx
--------------------------------
sec   rsa2048 2019-04-25 [SC]
DEB0D4AD41CC2612B1944D448D22D6610B2F6067
uid           [ultimate] setevoy (my main) <reg@domain.kiev.ua>
ssb   rsa2048 2019-04-25 [E]

pass

A database initialization

Initialize new storage using an ID (name) or an email used during GPG-key creation:

pass init setevoy
Password store initialized for setevoy

pass will create an identity file ~/.password-store/.gpg-id:

cat .password-store/.gpg-id
setevoy

pass Git and Github

Besides a usual local storage  pass can keep it as a git-repository with all changes history.

If you didn’t make global Git settings – add them now:

git config --global user.email reg@domain.kiev.ua
git config --global user.name "setevoy"

And create local git-repository in your existing pass‘s storage:

pass git init
Initialized empty Git repository in /home/setevoy/.password-store/.git/
[master (root-commit) 7e19ab0] Add current contents of password store.
1 file changed, 1 insertion(+)
create mode 100644 .gpg-id
[master 19aaf2c] Configure git repository for gpg file diff.
1 file changed, 1 insertion(+)
create mode 100644 .gitattributes

Now you can check history as in a common Git:

cd .password-store/
git log
commit d8f791453fd1e8be7cf6126cde7f32df3bd351cc (HEAD -> master)
Author: setevoy <reg@domain.kiev.ua>
Date:   Thu Apr 25 11:08:19 2019 +0300
Configure git repository for gpg file diff.
commit d49c886510221f31268f22cd74d0859965bafb7b
Author: setevoy <reg@domain.kiev.ua>
Date:   Thu Apr 25 11:08:19 2019 +0300
Add current contents of password store.

Then you can create a private repository in Github or Bitbucket and import your pass‘s database there to synchronize it between multitype computers.

Although the idea to keep all your passwords in an even private repository, even in a GPG-encrypted file maybe not too good.

Another solution could be to create own git-server and use it.

Still, just for example – let’s create a private Github repository:

Copy its address, here it is the git@github.com:setevoy2/pass-example.git:

Go to your local directory:

cd ~/.password-store/

Update its repository settings – add remote:

git remote add origin git@github.com:setevoy2/pass-example.git

Check it:

cat .git/config
[core]
repositoryformatversion = 0
filemode = true
bare = false
logallrefupdates = true
[diff "gpg"]
binary = true
textconv = gpg2 -d --quiet --yes --compress-algo=none --no-encrypt-to --batch --use-agent
[remote "origin"]
url = git@github.com:setevoy2/pass-example.git
fetch = +refs/heads/*:refs/remotes/origin/*

And push to the Github:

git push origin master
...
To github.com:setevoy2/pass-example.git
* [new branch]      master -> master

Check:

Adding passwords

To add a new password use insert with a path to dirs/file:

For example, a password for the RTFM could be added like this:

pass insert rtfm.co.ua/admin/setevoy
mkdir: created directory '/home/setevoy/.password-store/rtfm.co.ua'
mkdir: created directory '/home/setevoy/.password-store/rtfm.co.ua/admin'
Enter password for rtfm.co.ua/admin/setevoy:
Retype password for rtfm.co.ua/admin/setevoy:
[master 7ae47c9] Add given password for rtfm.co.ua/admin/setevoy to store.
1 file changed, 0 insertions(+), 0 deletions(-)
create mode 100644 rtfm.co.ua/admin/setevoy.gpg

Retrieve secrets

Now the storage’s structure is like next:

pass
Password Store
└── rtfm.co.ua
└── admin
└── setevoy

To retrieve a password – specify a pass to its file and enter your GPG-key password:

pass rtfm.co.ua/admin/setevoy
p@ssw0rd

It can be copied to the clipboard using the -c option:

pass -c rtfm.co.ua/admin/setevoy
Copied rtfm.co.ua/admin/setevoy to clipboard. Will clear in 45 seconds.

And git history now:

git log
commit 7ae47c9535eabddc64c89df39c7db720a2cd5244 (HEAD -> master)
Author: setevoy <reg@domain.kiev.ua>
Date:   Thu Apr 25 11:12:16 2019 +0300
Add given password for rtfm.co.ua/admin/setevoy to store.
...

Multiline records

Instead of adding just a password you can specify some additional fields.

To add multitype lines to your password’s file use-m. Set a password itself in the first line: -c will use it to copy a password  to the buffer:

pass insert -m rtfm.co.ua/admin/setevoy
An entry already exists for rtfm.co.ua/admin/setevoy. Overwrite it? [y/N] y
Enter contents of rtfm.co.ua/admin/setevoy and press Ctrl+D when finished:
p@ssw0rd
Username: setevoy
URL: rtfm.co.ua
[master fc43a4c] Add given password for rtfm.co.ua/admin/setevoy to store.
1 file changed, 0 insertions(+), 0 deletions(-)
create mode 100644 rtfm.co.ua/admin/setevoy.gpg

Check:

pass show rtfm.co.ua/admin/setevoy
p@ssw0rd
Username: setevoy
URL: rtfm.co.ua

Looking for records and passwords

For search pass has two options – find, and grep.

find will do fast search by a directories/files names:

pass find setevoy
Search Terms: setevoy
├── rtfm.co.ua
└── admin
└── setevoy

And grep will search over all files text:

pass grep rtfm.
rtfm.co.ua/admin/setevoy:
URL: rtfm.co.ua
...

Removing passwords

Call the pass with the rm option:

pass rm rtfm.co.ua/admin/setevoy
Are you sure you would like to delete rtfm.co.ua/admin/setevoy? [y/N] y
removed '/home/setevoy/.password-store/rtfm.co.ua/admin/setevoy.gpg'
[master 7a23ede] Remove rtfm.co.ua/admin/setevoy from store.
1 file changed, 0 insertions(+), 0 deletions(-)
delete mode 100644 rtfm.co.ua/admin/setevoy.gpg

To delete a directory – use rm -r:

pass rm -r Main
Are you sure you would like to delete Main? [y/N] y
removed '/home/setevoy/.password-store/Main/Work/blabla.com.gpg'
...

Import from a KeePass database

Actually, I’m using pass as a backup storage.

In general, I’m using KeePass (KeePassXC), its database is stored in a Dropbox account and synchronize KeePass’s instances between multiple computers.

In case if this database will break somewhen – I want to have its backup, so let’s import it to the pass.

Here the pass-import utility can be used which can import data from various managers and a KeePass’s XML-file.

it can be installed on Arch Linux from AUR:

yaourt -S pass-import

Now create a database’s copy (using KeePass – KeePassXC can’t import to XML):

And run an import to the pass‘s storage passing a source type (here – keepass) and a path to the file:

pass import keepass ~/Backups/KeePassBKP/KeePass-Main-25-04-2019-bkp.xml
(*) Importing passwords from keepass
.  File: /home/setevoy/Backups/KeePassBKP/KeePass-Main-25-04-2019-bkp.xml
.  Number of password imported: 294
.  Passwords imported:
Main/AWS/AWS root user
Main/AWS/AWS setevoy
Main/Cards/Aval Credit
...

Check the pass‘s database now:

pass
Password Store
├── Main
│   ├── AWS
│   │   ├── AWS root user
│   │   └── AWS setevoy
│   ├── Cards
│   │   ├── Aval Credit
│   │   ├── OtherCards
│   │   │   ├── Masha
│   │   │   ├── Stromenko etabak
...

QtPass

The terminal is awesome but can be better to work using some UI.

For the pass there is the QtPass utility.

In Arch Linux can be installed from the common repository:

sudo pacman -S qtpass

Run it:

Done.



Also published on Medium.