
In today’s digital world, safeguarding sensitive information is more critical than ever. Passwords serve as the first line of defence against unauthorised access, yet managing them securely can be a challenge.

Enter password-store—a powerful command-line tool that encrypts and organises your passwords using GnuPG. By leveraging Git, you can also synchronise your password store across multiple devices seamlessly. This post will guide you through:

  1. Setting up password-store with GnuPG
  2. Managing passwords securely with encryption
  3. Using Git to synchronise your password store
  4. Troubleshooting common issues

By the end, you’ll have a streamlined, encrypted password management system that ensures your credentials remain private, yet easily accessible when needed. Let’s dive in!

Installing pass and Generating a GPG Keypair

First, install pass, the command-line password manager, and generate a new GPG key for encryption.

sudo apt install pass
gpg --full-generate-key

Once the key is generated, list your private keys using:

gpg --list-secret-keys --keyid-format=long

Example output:

/home/user/.gnupg/pubring.kbx
------------------------------
sec   rsa4096/1A2B3C4D5E6F7G8H 2025-03-15 [SC]
      9X8Y7Z6W5V4U3T2S1R0P1A2B3C4D5E6F7G8H
uid  [ultimate] Duke Mai <dukemai@gmail.com>
ssb   rsa4096/2B3C4D5E6F7G8H9J 2025-03-15 [E]

Initialise the password store with your key. pass accepts either the long key ID (the hexadecimal string after rsa4096/ on the sec line; the 1A2B3C4D5E6F7G8H used throughout this post is a placeholder, a real ID contains only 0-9 and A-F) or the full fingerprint printed beneath it. pass records the ID in ~/.password-store/.gpg-id and encrypts every entry to that key:

pass init 1A2B3C4D5E6F7G8H

Storing and Managing Passwords

With pass initialised, you can start storing passwords securely.

Add a Password

To add a password for a service:

pass insert banks/online-banking

You’ll be prompted to type the password twice, with input hidden. The entry is encrypted to the key named in .gpg-id and saved as ~/.password-store/banks/online-banking.gpg.

Retrieve a Password

Display a saved password:

pass banks/online-banking

To avoid printing it on the terminal, copy it to the clipboard instead; pass clears the clipboard again after 45 seconds by default (PASSWORD_STORE_CLIP_TIME):

pass -c banks/online-banking

Remove a Password

Delete an entry:

pass rm banks/online-banking

Exporting Passwords Securely

If you ever need every entry in plaintext at once (for a migration or an audit, say), the export script below decrypts all entries from your password store into a temporary file. "Securely" is relative here: the resulting file holds every password unencrypted, so read the script before you run it, run it only when you actually need the export, and delete the file as soon as you are done.

Install and Run the Script

To install and run the password export script, follow these steps:

  1. Download the script:

    curl -O https://raw.githubusercontent.com/duke-mai/dotfiles/refs/heads/master/bin/export_password_store
    
  2. Make the script executable:

    chmod +x export_password_store
    
  3. Run the script:

    ./export_password_store
    

After running, the script has written every stored password, decrypted, to the temporary file for reference. Nothing else in this setup protects that file, so remove it once you no longer need it.

Understand mktemp in the Script

The script uses mktemp to create the temporary file that receives the exported passwords.

When running:

mktemp /tmp/example.XXXXXX

You get a file whose name has the X's replaced with random characters, for example:

/tmp/example.a1b2c3

mktemp creates that file exclusively (it fails rather than reusing a name that already exists) and with permissions 0600. The unpredictable name means no two runs overwrite each other, the exclusive creation means another process cannot have planted a file or symlink at that path beforehand, and the mode means other users cannot read the export even though /tmp is world-writable. The trailing X's are mandatory: GNU mktemp rejects a template without at least three of them ("too few X's in template"). Note what mktemp does not do: it does not stop the decrypted passwords from reaching disk, so delete the file as soon as you are done. To learn more, refer to the Linux manual page.
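The mktemp pattern the export script depends on, written out with the checks a plaintext export deserves. This is an added example, not the post's export_password_store script: it validates the template before calling mktemp, verifies the 0600 mode mktemp is supposed to give, and removes the file on exit so the exposure window is bounded. It assumes a POSIX sh with GNU or BSD mktemp, and treats XDG_RUNTIME_DIR (the RAM-backed per-user directory on systemd systems) as the preferred location when it is set. The two password lines are constructed stand-ins for pass output.

```shell
#!/bin/sh
# Added example (not the post's export_password_store script): the mktemp
# pattern that script relies on, plus the checks a plaintext export deserves.
# Assumptions: POSIX sh, GNU or BSD mktemp, and that XDG_RUNTIME_DIR, when
# set, is the RAM-backed per-user directory systemd provides.
set -eu

# mktemp replaces trailing X's with random characters; GNU mktemp needs at
# least three and otherwise exits with "too few X's in template". Reject a
# bad template up front so the export can never land on a predictable path.
check_template() {
    case "$1" in
        *XXX) return 0 ;;
        *)    echo "template must end in at least three X's: $1" >&2
              return 1 ;;
    esac
}

# Create the file and verify what mktemp actually guarantees: the file did
# not exist before (created O_EXCL, so a pre-planted symlink cannot redirect
# the write) and only the owner can read it (mode 0600). Prints the path.
make_private_tmpfile() {
    template=${1:-${XDG_RUNTIME_DIR:-/tmp}/export.XXXXXX}
    check_template "$template"
    f=$(mktemp "$template")
    # -perm 600 is an exact-mode match: anything wider is a misconfiguration
    if [ -z "$(find "$f" -perm 600)" ]; then
        rm -f "$f"
        echo "refusing to use $f: mode is not 0600" >&2
        return 1
    fi
    printf '%s\n' "$f"
}

# Write a plaintext export, use it, and remove it afterwards whether or not
# the consumer succeeds. mktemp does nothing about plaintext that has already
# reached disk, so the cleanup trap, not the random name, is what limits the
# exposure window. Prints the number of exported lines.
with_plaintext_export() {
    out=$(make_private_tmpfile)
    trap 'rm -f "$out"' EXIT HUP INT TERM
    # Constructed sample lines standing in for `pass show` output.
    printf 'banks/online-banking: correct horse battery staple\n' >"$out"
    printf 'email/work: hunter2\n' >>"$out"
    wc -l <"$out" | tr -d ' '
    rm -f "$out"
    trap - EXIT HUP INT TERM
}

with_plaintext_export
```

Run it as-is and it prints 2, the number of constructed entries, leaving no file behind; pass a template without X's to make_private_tmpfile and it refuses before mktemp is ever called.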

Using Git for Password Synchronisation

To reach your passwords from several devices, keep the store in a Git repository and push it to a remote every device can reach. pass encrypts the contents of each entry but not its name, so anyone who can read the remote learns which services you hold accounts for: use a private repository.

Initialise a Git Repository

If you host the remote yourself, create a bare repository on the server. A bare repository has no checked-out files and exists only as a target for push and clone, so it must not be the same directory as a working store; here $HOME is the server account's home:

git init --bare "$HOME/.password-store"

Make your local password store a Git repository (pass git init also commits the current contents, and from then on every insert, edit and rm is committed automatically) and add the remote, either your own server or a hosted repository such as the one used here:

pass git init
pass git branch -M master
pass git remote add origin https://github.com/duke-mai/password-store
pass git push origin master

Set Up a Password Store on a New Machine

On a new device, install pass and then:

  1. Import your GPG keys. The two files are the armoured public and secret key exported from the original machine (gpg --export and gpg --export-secret-keys, both with --armor). A plain --import handles secret keys in GnuPG 2; --allow-secret-key-import is an obsolete option that is accepted and ignored:

    gpg --import pubkey.asc
    gpg --import privkey.asc
    
  2. Clone the repository:

    git clone https://github.com/duke-mai/password-store "$HOME/.password-store"
    
  3. Set ownertrust on the imported key. An imported key does not carry the ultimate trust a locally generated one gets, and pass runs gpg in batch mode, which refuses to encrypt to an untrusted key, so pass insert fails until you do this. At the gpg> prompt type trust, choose 5 (ultimate), then quit:

    gpg --edit-key 1A2B3C4D5E6F7G8H
    

Now you can use pass as usual; the cloned store's .gpg-id must name a key whose secret part you imported. Synchronise changes with:

pass git push
pass git pull
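The server and device layout described in the two sections above, reproduced end to end: a bare repository standing in for the server, one device that initialises and publishes its store, and a second device that clones it. This is an added example, not code from the post or from the pass project. It runs offline without pass or gpg: the store is a constructed stand-in (a .gpg-id holding the post's placeholder key ID and one file named like an encrypted entry), and plain git commands replace the pass git wrappers, which pass runs through to git unchanged. The placeholder Git identity is assumed; git must be on PATH. The last function shows what the second device, or anyone with read access to the remote, can see of the store without a key: the entry names.

```shell
#!/bin/sh
# Added example (not from the post or the pass project): the server/device
# Git topology for a password store, built under one temporary directory.
# The store contents are constructed stand-ins: real pass entries are GPG
# ciphertext, here they are plain files with the same names.
set -eu

# Git refuses to commit without an identity; assumed placeholder values.
export GIT_AUTHOR_NAME="pass-demo" GIT_AUTHOR_EMAIL="pass-demo@example.invalid"
export GIT_COMMITTER_NAME="$GIT_AUTHOR_NAME" GIT_COMMITTER_EMAIL="$GIT_AUTHOR_EMAIL"

# The bare repository that plays the server. It has no working tree, so it
# lives in its own directory. Its HEAD must name the branch devices push,
# otherwise a fresh clone checks out nothing ("remote HEAD refers to
# nonexistent ref") when the server's default branch name differs.
make_server() {
    git init -q --bare "$1"
    git -C "$1" symbolic-ref HEAD refs/heads/master
}

# Turn a store directory into a repository and push it, mirroring
# `pass git init; pass git branch -M master; pass git remote add; pass git push`.
# The branch is named before the first commit, which works on any git version.
publish_store() {
    store=$1; server=$2
    git -C "$store" init -q
    git -C "$store" symbolic-ref HEAD refs/heads/master
    git -C "$store" add -A
    git -C "$store" commit -q -m "Add current contents of password store."
    git -C "$store" remote add origin "$server"
    git -C "$store" push -q origin master
}

# What a second device, or anyone who can read the remote, sees without the
# key: entry bodies are ciphertext, entry names are plaintext.
list_exposed_names() {
    git -C "$1" ls-files | sed '/^\.gpg-id$/d'
}

demo_sync() {
    work=$(mktemp -d)
    server="$work/password-store.git"
    device_a="$work/device-a/.password-store"
    device_b="$work/device-b/.password-store"

    mkdir -p "$device_a/banks" "$work/device-b"
    # Constructed store: .gpg-id names the recipient key (the post's
    # placeholder ID), each entry is a file named after the service.
    printf '1A2B3C4D5E6F7G8H\n' >"$device_a/.gpg-id"
    printf 'constructed ciphertext placeholder\n' >"$device_a/banks/online-banking.gpg"

    make_server "$server"
    publish_store "$device_a" "$server"
    git clone -q "$server" "$device_b"     # the "new machine" step
    list_exposed_names "$device_b"
    rm -rf "$work"
}

if command -v git >/dev/null 2>&1; then
    demo_sync
else
    echo "git not found on PATH" >&2
fi
```

The output is the single line banks/online-banking.gpg: the second device has the whole store after one clone, and that line is exactly the metadata a read-only observer of the remote obtains, which is why the remote should be private.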

Troubleshooting Common Issues

GPG “No Secret Key” Error

If you encounter the following error:

gpg: decryption failed: No secret key

The key named in your store's .gpg-id file is not among the secret keys gpg holds on this machine: either the secret key was never imported here, or the store was initialised with a different key. Compare the ID in ~/.password-store/.gpg-id against the output of:

gpg --list-secret-keys --keyid-format=long

Git Sync Issues

If pass git push or pass git pull fail, inspect the remote and the working tree. pass git runs git inside ~/.password-store, so these work from any directory:

pass git remote -v
pass git status

Ensure your credentials for the remote are set up correctly: an SSH remote needs your public key registered with the server, an HTTPS remote needs a token or credential helper.

Conclusion

Using password-store with GPG and Git offers a robust way to manage passwords securely while allowing synchronisation across multiple devices. By following these steps, you can maintain a secure and organised password store.