~gpanders/passage

Password store using age
Re-encrypt all items in store
Update output for remove command
Add uninstall target to Makefile

refs

master
browse  log 

clone

read-only
https://git.sr.ht/~gpanders/passage
read/write
git@git.sr.ht:~gpanders/passage

You can also use your local clone with git send-email.

#passage

passage is a password store utilizing the age encryption library.

Note that age is still considered beta software. Until age comes out of beta, passage should be considered beta software as well.

#Table of Contents

#FAQ

#How is passage different from pass?

passage is a reimplementation of pass that eschews the use of PGP [1, 2] in favor of age.

#Is passage secure?

passage, like all password managers, makes trade-offs between security and convenience. Whether or not passage meets your security qualifications depends on your use case.

passage uses a secret key that is only accessible by you. This means if you are on a single-user system or a multi-user system where only you have root access, no one can access your secret key.

If you are on a multi-user system where other users have root access, then it is possible for those users to read your secret key. You can eliminate this risk by locking your password store (i.e. encrypting your secret key with a passphrase) at the cost of having to re-enter your passphrase each time you wish to retrieve an item from your store.

#Installation

Currently, the only supported method of installation is through Cargo.

$ cargo install --git https://git.sr.ht/~gpanders/passage

This will install passage to $HOME/.cargo/bin.

Or, to build from a locally cloned copy of this repository,

$ git clone https://git.sr.ht/~gpanders/passage
$ cd passage
$ make install

This will install passage to /usr/local/bin. To specify a different install prefix, set the prefix variable in the make command, e.g.:

$ make prefix=/opt/passage install

#Usage

passage is a near drop-in replacement for pass. If you've used pass, you can simply create an alias

$ alias pass=passage

and continue to use pass as normal.

The default directory for the password store is $HOME/.passage. This can be changed by setting the PASSAGE_STORE_DIR environment variable.

#Initialization

Initialize a new password store using

$ passage init

This will create a new age private key at $XDG_DATA_HOME/passage/key.txt and create your password store at $HOME/.passage.

You can add additional recipients to your password store using the -r/--recipients option to init:

$ passage init -r age1294r5jdje2n2jprxj0avqyvmpsujzlmjt5kla728x5eykgd8cc9skkms53

You can also use an existing age secret key instead of generating a new one with the -k/--key option:

$ age-keygen -o key.txt
$ passage init -k key.txt

#Adding and retrieving items

Add a new password to the password store using

$ passage insert ITEM

or

$ passage add ITEM

You can retrieve a saved password from the store using

$ passage show ITEM

or simply

$ passage ITEM

Use the -c/--clip flag to copy the password to your system clipboard:

$ passage -c ITEM
Copied password for ITEM to clipboard.

#View store contents

You can view all items in your store with

$ passage list

or

$ passage show

or just

$ passage

#Locking and unlocking

You can lock your password store using

$ passage lock

This will prompt you for a passphrase, which will be used to encrypt your secret key. When locked, you will need to enter this passphrase anytime you wish to display a password from the store.

Note that locking the password store will only require a passphrase when retrieving a password from the store, not when inserting a new password into the store. This is because only the secret key is encrypted with the passphrase. The public key used to add new items remains unencrypted.

You can unlock a locked password store using

$ passage unlock

#Sharing access

If you wish to share your password store among multiple users, or if you simply wish to use your store across multiple computers each with different keys, you can add new recipients to your store using the -r/--recipients option to the init subcommand. The argument to this option should be an age public key string. You can display the public key for your password store using

$ passage pubkey