How to Use Password Store to Manage Your Passwords in Linux

Emacs Password 00 Featured Image

Password Store is a simple UNIX program that uses the GNU Privacy Guard (GPG) and Git to secure and manage passwords for your Linux system. It is simple, lightweight and fast. However, this simplicity means that accessing Password Store’s database to fetch your passwords can be a bit of a pain. However, if you are using Emacs, there is a way to seamlessly automate this process for you.

To help with that, password-store is also an Emacs package that serves as a front end to the Password Store program. Similar to its back end, password-store is simple and light. More importantly, you can easily extend its features by using a number of plugins done by its community.

How Does Password Store Work?

Password Store is an extremely simple password manager that creates and modifies passwords in pure plain text. It only maintains a text file for every account and password that you provide to it.

While this might seem insecure and archaic, Password Store makes it work by encrypting all of the files that it maintains. This allows you to have the flexibility of plain text while also having the security and encryption of GPG.

Emacs Password 02 Pass Diagram
Image source:

Since the program only deals with simple files, it is possible for you to categorize and sort those files under different folders.

Emacs Password 03 Pass Tree

Password store also allows you to append additional information for your password files. This is because it only requires you to reserve the first line of the file for your password. For example, this is a password file for one of my forum accounts:

  Username: MySuperCoolName
  Security Question 1: Yogi
  Security Question 2: 1992 Toyota Corolla
  Security Question 3: Smith
  OTP Key: aabbccddff11223344

Password Store does not read any information after the first line. As such, I am able to easily add any additional information about my forum account. With that, the program not only allows you to create a custom password directory but also custom formats for your passwords.

Installing Password Store

Due to its simplicity, Password Store is easy to install. Further, it is also available to almost all Linux distributions. For example, you can install it in Debian and Ubuntu using apt:

sudo apt install pass gnupg

In Fedora, you can use dnf:

sudo dnf install pass gnupg2

For Arch Linux, you can use pacman:

sudo pacman -S pass gnupg

Creating Your Password Store

With that done, creating a password store requires you to do two things:

  • First, you need to have a GPG key. This will be the key that will be associated to your Password Store. You can either create a new one specific for this store or use an old one that you already have.
  • Secondly, you need to initialize the Password Store itself. This could either be a simple password store maintained through GPG or a version controlled one under GPG and Git. Either way, creating these two versions will only require you to run a single command.

Creating a GPG Key for Your Store

Password Store relies on GPG for all of its encryption. As such, it is necessary for you to create your own GPG key to ensure that password store is both secure and only encrypted to you.

  1. Creating a GPG key is incredibly simple. To do that, you can run the following command:
gpg --full-generate-key
  1. This will run a key creation wizard where you can choose a number of options for your GPG key.
  2. From here, the wizard will ask you for the kind of encryption algorithm that you want to use for your key. For the most part, the default RSA algorithm will be enough. To select it you can just press Enter.
Emacs Password 05 Gpg Generate Key

Setting Your GPG Key Length and Expiry

  1. From there, the wizard will now ask you for the length of the key that you want to make. In this, the general rule of thumb is that a longer key will be harder to crack than a shorter key. For the purpose of this article I picked 4096 for my key length.
Emacs Password 06 Key Length
  1. Once done, the wizard will ask whether you want your key to expire or not. In general, it is considered good practice to use a key that will expire after a certain date. Doing that will allow you to automatically revoke a key that either have been compromised or you have forgotten the password to.
  2. In my case, I prefer setting short expiration times for my keys so that I do not forget them. As such, I set this option to “6m”.
Emacs Password 07 Key Expiry
  1. Next, you’ll have to enter both a name and an email. This will only be in used as a display information whenever you encrypt or decrypt data.
Emacs Password 08 Personal Details
  1. Lastly, you have to provide a password for accessing this key. In that, your password has to be both strong and memorable. This is because you will use this password every time you access your Password Store. That includes copying existing passwords and adding new ones.

Starting Your Store

With that done, the next thing that you have to do is to start your Password Store. You can do this in two ways:

  • You can start a simple Password Store with the default GPG encryption. This is useful if you only want a simple way of storing and accessing your passwords.

Run the following command in the terminal:

cd /home/$USER/ && pass init "your-gpg-email"
Emacs Password 09 Pass Store Init

This will create a password store in your home directory under the name “.password-store”.

  • You can also start a git-controlled Password Store. This will allow you to finely control your store’s history. As such, you will be able to easily jump back on the changes that you have made. This is highly useful if you constantly change the passwords for your accounts.

If you want to run a git-controlled store, you have to run the following command:

pass git init
Emacs Password 10 Pass Git Init

Doing so will start the git repository for your store. From here, you can access all of git’s commands for your store by prepending “pass” to git. You can view all of the git remotes for your store by running the following command:

pass git remote get-url --all

Integrating Emacs with Password Store

If you are an Emacs user, you can integrate Password Store to your Emacs client. Start by downloading the “password-store” package from the MELPA repository.

Emacs Password 11 Password Store Package

By default, this repository does not come with the standard Emacs installation. As such, you need to explicitly add it first to your Emacs’ configuration.

  1. To do that, you can write the following command to your “init.el” file:
(add-to-list 'package-archives
    '("melpa" . ""))
  1. Once done, reload your Emacs client to apply the changes.
  2. Press Alt + X and type package-install. This will load a command buffer where Emacs will ask you for the name of the package that you want to install. Type password-store.
Emacs Password 12 Package Install
  1. Emacs will then fetch, compile and install the source code for the password-store package. At the end of it, its commands should be accessible by pressing Alt + X and typing password-store-version.

Adding a New Password to Your Store

  1. With that done, accessing your store is relatively straightforward. For example, you can add a new password by pressing Alt + X and typing password-store-insert.
  2. This will bring up a prompt where the package will ask you for the name of the password that you want to insert.
Emacs Password 13 Insert Password
  1. Now input the password itself. Similar to other password prompts, the input in here will be masked.
Emacs Password 14 Input Password

Editing Your Store Entry

One of the key strengths of Password Store is that you can customize your password files. This, in turn, allows you to provide an arbitrary format that can contain just about anything.

  1. In order to do this, you need to edit your password file. You can do that by pressing Alt + X and typing password-store-edit.
  2. Doing that will also bring up a prompt where the package will ask for the password that you want to edit. In my case, I want to add additional security questions for my “forum-account” entry.
Emacs Password 15 Edit Password
  1. From here, the package will prompt you to enter your GPG key password. After that, Emacs will then display the contents of the password file in a separate buffer that you can edit.
Emacs Password 16 Additional Info
  1. Once done, you can save your password file by pressing Ctrl + X, Ctrl + S. From there, you can finalize the edit by pressing Ctrl + X, K. This will close the password buffer and tell Password Store to commit the changes to its file tree.

Removing a Password in Your Store

Similarly, deleting a password in your store is also a simple process. You can remove a password by pressing Alt + X and typing password-store-remove. Doing this will bring up a prompt asking you for the password that you want to remove.

In my case, I wanted to remove an old password for a site that I do not visit anymore. So I typed “my-old-password” and pressed Enter.

Emacs Password 17 Delete Password
Emacs Password 19 Deleted Password

Copying a Password from a Store

Lastly, the package also allows you to copy your passwords directly from Emacs. This is highly useful if you want to quickly access your store whenever you are logging in to a service or an account.

  1. To do this, you can press Alt + X and type password-store-copy.
  2. This will load a prompt that will ask you for the password that you want to copy to your clipboard.
Emacs Password 18 Copy Password

That’s it! You now have a basic idea of how to use Emacs as your password manager. Further, you also now know how to use a simple, file-driven password manager with Password Store.

Frequently Asked Questions

1. Is it possible for Password Store to create passwords similar to KeepassXC?

Yes! The package can generate passwords for new accounts out of the box. You can access this function by pressing Alt + X and typing password-store-generate.

This will tell the package to prompt for a new account. From there, it will then generate a sufficiently random password for that account. You can, then, copy that password by using the password-store-copy function as described above.

2. Is it possible to integrate one-time password (OTP) support for my store?

Yes! Password store has an excellent plugin that can manage OTP from within the command line. To use it, however, you will need to install an additional package to generate OTPs.

For example, in Debian and Ubuntu you can run the following command to install it:

sudo apt install pass-extension-otp

In Fedora, you can use dnf:

sudo dnf install pass-otp

In Arch Linux, you can use pacman:

sudo pacman -S pass-otp

Once done, you can then run this command to insert an OTP link to a store account:

pass otp insert "account-name"

From there, all you need to do is to run pass otp "account-name" to generate an OTP code for that account.

3. Is it possible for me to display the passwords as a tree in Emacs?

Sadly no. However, you can display all of your passwords through tab-completion if you are using a minibuffer completion package.

The most common packages that provide this functionality are helm and mct. Both of them are available in the GNU ELPA repository and, as such, can easily be installed through the package-install function.

Image credit: Unsplash

Ramces Red
Ramces Red

Ramces is a technology writer that lived with computers all his life. A prolific reader and a student of Anthropology, he is an eccentric character that writes articles about Linux and anything *nix.

Subscribe to our newsletter!

Our latest tutorials delivered straight to your inbox