Password Store is a simple UNIX program that uses the GNU Privacy Guard (GPG) and Git to secure and manage passwords for your Linux system. It is simple, lightweight and fast. However, this simplicity means that accessing Password Store’s database to fetch your passwords can be a bit of a pain. If you are using Emacs, though, there is a way to seamlessly automate this process.
To help with that, password-store is also an Emacs package that serves as a front end to the Password Store program. Like its back end, password-store is simple and light. More importantly, you can easily extend its features with a number of plugins written by its community.
- How Does Password Store Work?
- Installing Password Store
- Creating Your Password Store
- Creating a GPG Key for Your Store
- Setting Your GPG Key Length and Expiry
- Starting Your Store
- Integrating Emacs with Password Store
- Adding a New Password to Your Store
- Editing Your Store Entry
- Removing a Password in Your Store
- Copying a Password from a Store
How Does Password Store Work?
Password Store is an extremely simple password manager that creates and modifies passwords in pure plain text. It only maintains a text file for every account and password that you provide to it.
While this might seem insecure and archaic, Password Store makes it work by encrypting all of the files that it maintains. This allows you to have the flexibility of plain text while also having the security and encryption of GPG.
Since the program only deals with simple files, it is possible for you to categorize and sort those files under different folders.
Password Store also allows you to append additional information to your password files. This is because it only requires you to reserve the first line of the file for your password. For example, this is a password file for one of my forum accounts:
thisismysupersecretpassword
===============INFORMATION==============
Username: MySuperCoolName
Security Question 1: Yogi
Security Question 2: 1992 Toyota Corolla
Security Question 3: Smith
OTP Key: aabbccddff11223344
========================================
Password Store does not read any information after the first line. As such, I am able to easily add any additional information about my forum account. With that, the program not only allows you to create a custom password directory but also custom formats for your passwords.
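The entry layout described above can be read back mechanically. The following shell functions are an added example, not part of the original article or of Password Store itself; the function names are hypothetical and the sample entry is constructed from the one shown above.

```shell
# Added example: read fields out of a decrypted Password Store entry.
# The sample text is constructed from the article's forum-account entry.
sample_entry() {
  cat <<'EOF'
thisismysupersecretpassword
===============INFORMATION==============
Username: MySuperCoolName
Security Question 1: Yogi
Security Question 2: 1992 Toyota Corolla
Security Question 3: Smith
OTP Key: aabbccddff11223344
========================================
EOF
}

# entry_password: print line 1 only, the line reserved for the password.
entry_password() {
  sed -n '1p'
}

# entry_field NAME: print the value of the first "NAME: value" line below
# line 1. Returns 1 when the field is absent, so callers can detect it.
entry_field() {
  awk -v want="$1" '
    NR == 1 { next }                  # the password line is never a field
    {
      sep = index($0, ": ")           # split on the first ": " only
      if (sep > 1 && substr($0, 1, sep - 1) == want) {
        print substr($0, sep + 2)
        found = 1
        exit
      }
    }
    END { exit !found }
  '
}

# entry_field_names: list the metadata keys without printing any values,
# useful for checking what an entry holds without exposing its secrets.
entry_field_names() {
  awk 'NR > 1 { sep = index($0, ": "); if (sep > 1) print substr($0, 1, sep - 1) }'
}
```

With a real store, pipe a decrypted entry into these functions, for example `pass show forum-account | entry_field "Username"`.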
Installing Password Store
Due to its simplicity, Password Store is easy to install. Further, it is available for almost all Linux distributions. For example, you can install it on Debian and Ubuntu using apt:
sudo apt install pass gnupg
In Fedora, you can use dnf:
sudo dnf install pass gnupg2
For Arch Linux, you can use pacman:
sudo pacman -S pass gnupg
Creating Your Password Store
With that done, creating a password store requires you to do two things:
- First, you need to have a GPG key. This will be the key that is associated with your Password Store. You can either create a new one specifically for this store or use an old one that you already have.
- Secondly, you need to initialize the Password Store itself. This could either be a simple password store maintained through GPG or a version controlled one under GPG and Git. Either way, creating these two versions will only require you to run a single command.
Creating a GPG Key for Your Store
Password Store relies on GPG for all of its encryption. As such, you need to create your own GPG key to ensure that Password Store is both secure and only encrypted to you.
- Creating a GPG key is incredibly simple. To do that, you can run the following command:
- This will run a key creation wizard where you can choose a number of options for your GPG key.
- From here, the wizard will ask you for the kind of encryption algorithm that you want to use for your key. For the most part, the default RSA algorithm will be enough. To select it you can just press Enter.
Setting Your GPG Key Length and Expiry
- From there, the wizard will ask you for the length of the key that you want to make. The general rule of thumb is that a longer key will be harder to crack than a shorter key. For the purpose of this article I picked 4096 for my key length.
- Once done, the wizard will ask whether you want your key to expire or not. In general, it is considered good practice to use a key that will expire after a certain date. Doing that will allow you to automatically revoke a key that has either been compromised or whose password you have forgotten.
- In my case, I prefer setting short expiration times for my keys so that I do not forget them. As such, I set this option to “6m”.
- Next, you’ll have to enter both a name and an email. These will only be used as display information whenever you encrypt or decrypt data.
- Lastly, you have to provide a password for accessing this key. Your password has to be both strong and memorable, because you will use it every time you access your Password Store. That includes copying existing passwords and adding new ones.
Starting Your Store
With that done, the next thing that you have to do is to start your Password Store. You can do this in two ways:
- You can start a simple Password Store with the default GPG encryption. This is useful if you only want a simple way of storing and accessing your passwords.
Run the following command in the terminal:
cd /home/$USER/ && pass init "your-gpg-email"
This will create a password store in your home directory under the name “.password-store”.
- You can also start a git-controlled Password Store. This will allow you to finely control your store’s history. As such, you will be able to easily roll back the changes that you have made. This is highly useful if you constantly change the passwords for your accounts.
If you want to run a git-controlled store, you have to run the following command:
pass git init
Doing so will start the git repository for your store. From here, you can access all of git’s commands for your store by prepending “pass” to git. You can view all of the git remotes for your store by running the following command:
pass git remote -v
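Once the store exists, it is worth checking that it looks the way the steps above should have left it. The following check is an added example, not part of the original article or of Password Store itself; the function names are hypothetical, and the permission test assumes pass's default umask of 077 is in use.

```shell
# Added example: sanity-check a Password Store directory after "pass init".
# audit_store [DIR] prints one finding per line and returns 1 if it found any.
audit_store() {
  store="${1:-$HOME/.password-store}"
  report=$(
    # pass init records the GPG id it encrypts to in .gpg-id at the store root.
    [ -s "$store/.gpg-id" ] || echo "missing-gpg-id: $store/.gpg-id"

    # Every entry must be a *.gpg file; anything else is stored unencrypted.
    # .git, .gpg-id and .gitattributes are bookkeeping, not entries.
    find "$store" -name .git -prune -o -type f \
      ! -name '*.gpg' ! -name .gpg-id ! -name .gitattributes \
      -exec echo "plaintext-file:" {} \;

    # Assumption: pass's default umask of 077 is in use, so no file or
    # directory in the store should carry a group or other permission bit.
    find "$store" -name .git -prune -o \( -type f -o -type d \) \
      \( -perm -040 -o -perm -020 -o -perm -010 \
         -o -perm -004 -o -perm -002 -o -perm -001 \) \
      -exec echo "loose-permissions:" {} \;
  )
  [ -z "$report" ] && return 0
  printf '%s\n' "$report"
  return 1
}

# store_is_versioned [DIR]: true when "pass git init" has been run.
store_is_versioned() {
  [ -d "${1:-$HOME/.password-store}/.git" ]
}
```

Run `audit_store` with no argument to check the default store in your home directory.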
Integrating Emacs with Password Store
If you are an Emacs user, you can integrate Password Store with your Emacs client. Start by downloading the “password-store” package from the MELPA repository.
By default, this repository does not come with the standard Emacs installation. As such, you need to explicitly add it first to your Emacs’ configuration.
- To do that, you can add the following lines to your “init.el” file:
;; Load package.el first so that package-archives is defined before it is modified.
(require 'package)
(add-to-list 'package-archives '("melpa" . "https://melpa.org/packages/"))
(package-initialize)
- Once done, reload your Emacs client to apply the changes.
- Press Alt + X and type package-install. This will load a command buffer where Emacs will ask you for the name of the package that you want to install. Type password-store.
- Emacs will then fetch, compile and install the source code for the password-store package. At the end of it, its commands should be accessible by pressing Alt + X and typing
Adding a New Password to Your Store
- With that done, accessing your store is relatively straightforward. For example, you can add a new password by pressing Alt + X and typing
- This will bring up a prompt where the package will ask you for the name of the password that you want to insert.
- Now input the password itself. Similar to other password prompts, the input in here will be masked.
Editing Your Store Entry
One of the key strengths of Password Store is that you can customize your password files. This, in turn, allows you to provide an arbitrary format that can contain just about anything.
- In order to do this, you need to edit your password file. You can do that by pressing Alt + X and typing
- Doing that will also bring up a prompt where the package will ask for the password that you want to edit. In my case, I want to add additional security questions for my “forum-account” entry.
- From here, the package will prompt you to enter your GPG key password. After that, Emacs will then display the contents of the password file in a separate buffer that you can edit.
- Once done, you can save your password file by pressing Ctrl + X, Ctrl + S. From there, you can finalize the edit by pressing Ctrl + X, K. This will close the password buffer and tell Password Store to commit the changes to its file tree.
Removing a Password in Your Store
Similarly, deleting a password in your store is also a simple process. You can remove a password by pressing Alt + X and typing password-store-remove. Doing this will bring up a prompt asking you for the password that you want to remove.
In my case, I wanted to remove an old password for a site that I do not visit anymore. So I typed “my-old-password” and pressed Enter.
Copying a Password from a Store
Lastly, the package also allows you to copy your passwords directly from Emacs. This is highly useful if you want to quickly access your store whenever you are logging in to a service or an account.
- To do this, you can press Alt + X and type password-store-copy.
- This will load a prompt that will ask you for the password that you want to copy to your clipboard.
That’s it! You now have a basic idea of how to use Emacs as your password manager. Further, you also now know how to use a simple, file-driven password manager with Password Store.
Frequently Asked Questions
1. Is it possible for Password Store to create passwords similar to KeepassXC?
Yes! The package can generate passwords for new accounts out of the box. You can access this function by pressing Alt + X and typing
This will tell the package to prompt for a new account. From there, it will then generate a sufficiently random password for that account. You can then copy that password by using the password-store-copy function as described above.
2. Is it possible to integrate one-time password (OTP) support for my store?
Yes! Password Store has an excellent plugin that can manage OTP from within the command line. To use it, however, you will need to install an additional package to generate OTPs.
For example, in Debian and Ubuntu you can run the following command to install it:
sudo apt install pass-extension-otp
In Fedora, you can use dnf:
sudo dnf install pass-otp
In Arch Linux, you can use pacman:
sudo pacman -S pass-otp
Once done, you can then run this command to insert an OTP link to a store account:
pass otp insert "account-name"
From there, all you need to do is to run pass otp "account-name" to generate an OTP code for that account.
3. Is it possible for me to display the passwords as a tree in Emacs?
Sadly no. However, you can display all of your passwords through tab-completion if you are using a minibuffer completion package.
The most common packages that provide this functionality are helm and mct. Both of them are available in the GNU ELPA repository and, as such, can easily be installed through the
Image credit: Unsplash