Been using this for years, even implemented it at the office, we have several password stores for different trust levels within the business. As well as promote technical staff to manage their own personal password-store. One thing to note, is that a single password-store can be setup with multiple GPG keys, password-store then uses multi-key encryption which allows any of the included parties to read data (as long as you have one of the private keys loaded in GPG), and write data (as long as you have all the public keys loaded in GPG). Combined with git, you can't ask for a better in-house solution in my opinion. EDIT: And I've just noticed others have mentioned this, oh well :)
@@dreamsofcode That is true, but setup and management of keys can also be done by a technical user - and then non-technical users simply need to know the basic commands. Usually non-technical users forget to `pass git push` or `pass git pull` but after some gentle reminders, most I've dealt with have had no issues in the long run. Either way, it's great to see password-store getting some love - highly underrated password manager!
The fact, that this can be used in bash scripts is amazing. I have a bunch of of scripts, to connect to various databases quickly and I was never compfortable with having the plain credentials directly in them. Thank you so so much. 🙏❤
how can this be used in a script safely? If I put I assign it to a variable it can be echo'd out. Trying to pass auth token in a curl request but I want to save the auth token to this password manager. Thanks in advance
I have used this for years with smartcard for secret key storage with physical confirmation on the device. This is just an incredibly efficient solution. Thanks for the tutorial!
@Dreams of Code that would be excellent .. I'm currently using a password manager but sadly it's closed source and probably spying on me .. I'd much prefer this and I also prefer the terminal.. Once again .. thank you for showing us this
If you are gonna use a password manager, always fork the project and read the code before using it. FOSS communities are normally audited by the contributors, and they are unlikely to be dangerous. But you wanna be extra sure about the place you are writing all your passwords.
Luckily pass is literally only a 700 line bash script making reading the entire source code really easy. You don't even need to fork the source, but can read /usr/bin/pass. (Or where ever else it might be installed.)
I understand the sentiment, but when using something like Bitwarden there’s no way someone like me will ever be able to audit the source better than the numerous people already doing it. So I take others’ word for it then.
5:11 Important security note! Disable the editor's backup system if it has one. For example, use `export EDITOR=rnano` instead of `export EDITOR=nano`. Just noticed this mistake recently -- all my edited password files in plain text!
Awesome trick using an alias to override the AWS CLI command. One trick I use is a 'pass-fzf' wrapper script so I can fuzzy search a password and pipe it to the clipboard to search and copy passwords quickly.
Thank you for reintroducing me to this tool. I'd installed it, but seemingly never used it, so I'm remedying that deficit. It's a little different take than the tool I initially developed to read passwords from a store, but seems to work in much the same manner, only it's much more complete. In addition, it's a bash script, my favourite kind of tool!
So glad I ran into this video. I was about ready to build my own password manager. This looks really promising. None of the others caught my attention.
Bitwarden has a CLI (aside from a desktop app and browser plugins), it's source is fully available and it allows you to run your own server (setup time 1 minute) if you don't trust them, so passwords not only never leave your computer unencrypted, they also never get store anywhere but in your own backend. All of that is available already with the free plan.
I'm the same as you, I moved over to yubikeys for managing my encryption keys and feel very safe and comfortable. The only thing I have to do is rotate my derived keys periodically.
I've been using pass for about 3 years now. Wish I had such an amazing video back when I started, would have helped with almost any issue I encountered (the only other one being NixOS specific). Your other videos seem interesting too, you definetly deserve the bell!
KeePassXC + SyncThing = ✊ I started the transition from Bitwarden to my new setup about a couple of months ago: no MEGA, no Dropbox anti-privacy bullshit - my vaults never leave my devices. Data sovereignty. Working wonderfully integrating with all the devices where I might need to access passwords and sensible data in general: my laptop, my battle-station, my pocket-computer-stupidly-referred-as-smartphone, and my tablet.
@@somerandomchannel382 Sorry I just saw your question. Correct, on Android you can use an app that work seamlessly. On iOS is a little bit trickier, the best choice being the paid version of Möbius (about four American dollars last time I checked). A third option and the one I use on my iOS tablet is KeePassium, which allows me to connect to a KeePassXC server I host on my home lab within my home network using WebCAL.
5:18 Does 'pass' takes care of disabling the '.viminfo' feature when entering vim (I've just read the source and it doesn't seem so)? I hope it does, otherwise a single register operation may momentarily leak credentials to the '.viminfo' file without encryption.
for aws cli (and possibly a bunch of others) it's actually possible to make aws ask passwordstore directly, no need to export credentials as environment variables, no need to alias etc.
Small correction: Bitwarden can't be hacked. Like literally. They don't store any actual passwords. All the passwords are encrypted by your degice and the entire blob is sent to the server to sync. You can verify this, because the protocol is open source.
Yes finally someone stated gnu-pass. Been using it for 6 years never had an issue with it. Synchronised passwords across multi devices just using a git account. No need to worry since key doesn't belong in the application itself.
Please consider cover some practical situations like syncing different git local repositories stored in different machines, so they may evolve adding or deleting keys, but they may need to be "synced".
This is great, but doesn't seem very convenient compared to having a browser add-on that will automatically list matching sites based on the domain (thus preventing phishing), show you a prompt to add/update the password in your vault, automatically sync all changes, and is available on mobile.
Thanks for your videos! After trying neovim every couple of years and just bouncing hard, your vim setup + tmux videos finally got me going with something that sticks. I was considering some terminal-based thing myself. I'm very much a 1Password user, I've found their quick-fill UI is great to just pop up for fetching PWs or other info in an entry without needing my hands to leave the keyboard, so I haven't really needed it yet. I was extremely happy when I found that 1Password Connect is available even for my personal Family-tier account, so I've been experimenting with that on my homelab, and deploying credentials as code with 1Password's Terraform provider has been like a dream. It sits in its own vault so it only has access to that and not my personal stuff. Never have to bother with the credentials, Terraform and the provider sorts it out for me. Not trying to shill 1Password, just a very happy user. :-P
I'm glad you're happy with it! I think password store is beyond the needs of most people and you should definitely stay with 1password if it works for you!
Great video. Thank you so much. A couple of questions. 1) how do you copy the username/email/other metadata to the clipboard without exposing the password? 2) how can this be used on mobile devices?
Thank you! To answer your qs: 1. There's an extension called pass-extension-tail that does what you're looking for easily. It's on the password store website under extensions. 2. There are mobile apps for both iOS and Android. I use it easily on my iPad and my Android phone. It does take a little bit to set it up, but works perfectly once that's done.
@@dreamsofcode I've been playing around with this all afternoon and I have to say, this is it! I've been using KeePassXC but always longed for a CLI solution and this is perfect. I have no idea how this has escaped my radar, but thank you for presenting it.
Love this, I’ve been using a proprietary pwd manager for some time and I just don’t enjoy it…. But have been too lazy to look into a self managed version like this. Another great vid, thanks for sharing!
Another option to think about, is self hosted bitwarden, you can host as a docker image, and it gives you a nice UI, plus the bitwarden extension is pretty good.
at @8:49 , are you sure the gpg flag for exporting secret key is "--export-secret-key" and not "--export-secret-keys" ? because i'm getting --export-secret-keyS on autocompletion.. man pages for gpg also show there is a keyS option, plural. my shell: bash. OS: ubuntu 23.04 x86_64
My notebook is the best password manager, it has never been compromised, I can always get back in and the transfer from once device to another is easy as well.
What a manual and slow way to enter passwords. I rather like BitWarden, you just click and done. Takes less than a nano-second compared to your slow way.
Been using pass for years (with the "passmenu" dmenu script on a keyboard shortcut) and love it. A side note for teams, or cases where you might want to share your passwords, it is possible to encrypt passwords with multiple keys! pass init shared/BlueTeam/ Now both key1 and key2 can decrypt the passwords stored in the BlueTeam subdirectory (and all subdirectories of BlueTeam so be aware). As pass was used at work the root of my password directory was split into two (~/.password-store/personal and /shared). Setting the personal directory to be ignored via the git ignore file. Backed that up using rsync to a separate solution, and this way my passwords didn't make the shared dir more chaotic for others. Though if you use QtPass (which works on Linux, Mac and Windows) you can define multiple password stores with separate git repositories so you don't have to be quite as terminal-goblin-y to get the same effect. One last thing: if you use Thunderbird with PGP, you may want to get a separate password PGP key. Otherwise your passwords can be decrypted using a left-open Thunderbird client (I know, physical access etc so only if this fits in your threat model). Actually used this to re-encrypt some passwords one time.
This is some great advice, you can also get people to encrypt passwords for you using your public key and submitting a PR to your password store repo! I do think pass is maybe too high of a technical barrier for enterprise or business, which is a shame. But it's certainly possible to do so. Honestly, a product built off of pass would be incredibly useful I think.
Aweome! Recently I am learning from your videos a lot. Would be great if you release at a video how to make ArchLinux looks so beautiful. A complete series on managing local environment, dotfiles (with scalability and interoperability in mind) and system setup would be a great help for us. I watched your videos about Tmux, NvChad as well. Those also were a great help for me. Thanks a lot.
I use Davinci Resolve on Arch. Which is pretty great. The only thing I can't do is After Effects, but a lot of my animations are done with Fusion. Thank you!
i was wondering about something, how do you organize your passwords? Do you do it by category? E.g. entertainment, social, development, and so on, or do you do it by website domain, or a third option? I'm currently using the first one, but I've found myself using a "misc" folder far too frequently for my liking, what'd you recommend?
@@bastiana3611 if you're putting a lot of entries into your Misc folder, I would suggest either your other categories are too specific, or you lack categories. I had the same issue, but taking some time to think about new categories or reorganizing your vault is worth :)
Yeh but the alias at 10:27 has some problems. First of all, the quoting stores the password in the alias… Secondly, this leaves nasty characters in the command invoked by the shell.
What's a recommended process for also keeping user names? User name in xclip primary (middle mouse button) and password in xclip clipboard would be nice. Is there anything like that in Pass.
Because it's gpg you could probably build out an extension that takes the second line and adds it to your other clipboard. I don't think pass supports this out of the box though unfortunately. The browser extensions work similar to this, however!
Thanks for video, have question - Is there any way to safely store a backup of the GPG private key in public repositories such as google-disk, or GitHub etc?
what i'm having trouble understanding is how is this different from using a combination of gnupg + git ? Both password store and gnupg will create encrypted files where you can store passwords. and then you can use git to keep history and upload encrypted files
can it also encrypt and keep other file formats for example I want to store my ID card image, or bank statement pdf so that I can keep it uploaded on github and at the same time they are encrypted
@@dreamsofcode right. I'll never use arch because it's become something of a pretentious meme distro. But, I'll leave another comment to increase engagement. +1 :)
So we store entire log of all edits in GitHub, each password encrypted individually, so any reuse is obvious without the key. And unencrypted passwords are in terminal memory until we close the terminal. Does it at least support yubikey?
I believe it's the default pinentry program that's installed with password store. pinentry-curses. You can also adjust it to a different peogram if you like as well
@@dreamsofcode today i setup ur vim config, in process of configuring tmux truly amazing. Would work on setting up java, learning basics of vim since im a vim noob. If u have an ongoing project would love to help😁
I usually keep a copy on my store on my phone as well so if I need a password I can pull it from there and type it in (tedious). I also have my gpg key on a yubikey which I can plug into other another computer easily to decrypt it. So you could clone the repo and use the key. Otherwise you can keep the key in a remote drive that's accessible, although yubikey is much more secure.
@@dreamsofcode so then all your keys are accessible to all who have access to that other computer? Even if you deleted the key and the repo, we can assume the other computer made a copy already.
@@abuk95 With the Yubikey, no. and as long as you're using a password for the GPG key, then also no. Although I wouldn't want to put my private key on other machines, personally. Probably better to just copy from your phone.
Clear and concise. Noice video! When you went over to macOS the rounded icons in statusline for tmux didn't look funky, whereas with any terminal emulator I tried, they look... weird. Back when I still used p10k, those looked kind of horrible as well. Did you find a way to fix it, or is that just another less popular terminal emulator?
Correct. You can go completely offline. I have my main password store backed up on to my NAS, so it's only in my local network. (Except my encrypted backups)
@@norielgames4765 a NAS is a network attached storage. If you have an old computer or a raspberry pi with some external Hard drives you can easily set this up!
I was really satisfied with pass and had been using it for years, but I switched to keepassxc recently for cross-compatibility and integration with yubikey. It seems like gpg supports yubikey and the application is indeed cross-compatible, so I'm migrating back!
does anybody know if password-store is usable with windows? i'm not the most tech proficient person, but this video did get me to use password-store as my main password manager whilst using ubuntu, and now i would like to use it with windows, but i don't see a rather simple way to install it. am i missing something or do i simply have to find another option?
Bitwarden is pretty great. Definitely less technical know how needed as well. As with anything self hosted, you'll need to make sure you take care of backups securly!
That is my Linux box, which I have set it's hostname in the /etc/hostname file. MacBooks automatically set their hostname to be Name-MacBook-Pro usually. You can change the local hostname of a MacBook pro as well though in your system preferences.
On gn*me or KDE or GTK QT you have themes that give you that, on a tiling wm you usually don't want that but you can still use something like lxapparance for apps that force a bar on you
Been using this for years, even implemented it at the office, we have several password stores for different trust levels within the business. As well as promote technical staff to manage their own personal password-store.
One thing to note, is that a single password-store can be setup with multiple GPG keys, password-store then uses multi-key encryption which allows any of the included parties to read data (as long as you have one of the private keys loaded in GPG), and write data (as long as you have all the public keys loaded in GPG). Combined with git, you can't ask for a better in-house solution in my opinion.
EDIT: And I've just noticed others have mentioned this, oh well :)
The multi key usage is really awesome, but it does require users to be rather technically proficient.
@@dreamsofcode That is true, but setup and management of keys can also be done by a technical user - and then non-technical users simply need to know the basic commands.
Usually non-technical users forget to `pass git push` or `pass git pull` but after some gentle reminders, most I've dealt with have had no issues in the long run.
Either way, it's great to see password-store getting some love - highly underrated password manager!
The fact, that this can be used in bash scripts is amazing.
I have a bunch of of scripts, to connect to various databases quickly and I was never compfortable with having the plain credentials directly in them. Thank you so so much. 🙏❤
I agree! It really makes working with credentials feel much more secure.
Glad you enjoyed this video!!
Bitwarden can also be used in bash scripts. They offer a command line interface for all major operation systems.
I also love Bitwarden and especially it's cli client
since years.
how can this be used in a script safely? If I put I assign it to a variable it can be echo'd out. Trying to pass auth token in a curl request but I want to save the auth token to this password manager. Thanks in advance
I have used this for years with smartcard for secret key storage with physical confirmation on the device. This is just an incredibly efficient solution. Thanks for the tutorial!
Same! I use it with Yubikeys which works really nice.
How to use it with yubikey, maybe you can make a video about it?
@Dreams of Code can we please have a demo of how to set this up? I also have a yubikey and would love to implement this
@@macktheripper7454 I can add a video to the backlog!
@Dreams of Code that would be excellent .. I'm currently using a password manager but sadly it's closed source and probably spying on me .. I'd much prefer this and I also prefer the terminal.. Once again .. thank you for showing us this
If you are gonna use a password manager, always fork the project and read the code before using it.
FOSS communities are normally audited by the contributors, and they are unlikely to be dangerous. But you wanna be extra sure about the place you are writing all your passwords.
Luckily pass is literally only a 700 line bash script making reading the entire source code really easy. You don't even need to fork the source, but can read /usr/bin/pass. (Or where ever else it might be installed.)
Yep. One thing I like the most about pass is that you can read the source code. This isn't even possible with proprietary password managers.
I understand the sentiment, but when using something like Bitwarden there’s no way someone like me will ever be able to audit the source better than the numerous people already doing it. So I take others’ word for it then.
@@thescroogemcduck Don't verify, Trust xD
i use keepass
I've been using pass for a few years now and I learned lots watching this. Thanks so much!!
This seems like exactly what I wished to have for password manager, but I'm too lazy to migrate from my current password manager
😆 ikr..
if it had a easy syncing solution, i would have started using this....
They have a number of plugins to import from existing managers btw :)
There's some tools to import from existing managers on the password store site :)
what are you currently using btw?
@@pali122 bitwarden
What a great presentation of a great tool, using pass more than 4 years, love it.
It's the best!
5:11 Important security note! Disable the editor's backup system if it has one. For example, use `export EDITOR=rnano` instead of `export EDITOR=nano`.
Just noticed this mistake recently -- all my edited password files in plain text!
Very good note! You should be able to add an exclusion as well for you tmp directory
Awesome trick using an alias to override the AWS CLI command.
One trick I use is a 'pass-fzf' wrapper script so I can fuzzy search a password and pipe it to the clipboard to search and copy passwords quickly.
Oh that's a cool trick! I'm going to give that a go!
8:25 one thing terminal enthusiasts will never stop doing is mixing up GPG and PGP
🤣 You got me. Gnu Privacy Guard and Pretty Good Privacy are a dyslexics nightmare.
Thank you for reintroducing me to this tool. I'd installed it, but seemingly never used it, so I'm remedying that deficit. It's a little different take than the tool I initially developed to read passwords from a store, but seems to work in much the same manner, only it's much more complete. In addition, it's a bash script, my favourite kind of tool!
So glad I ran into this video. I was about ready to build my own password manager. This looks really promising. None of the others caught my attention.
Bitwarden has a CLI (aside from a desktop app and browser plugins), it's source is fully available and it allows you to run your own server (setup time 1 minute) if you don't trust them, so passwords not only never leave your computer unencrypted, they also never get store anywhere but in your own backend. All of that is available already with the free plan.
@@xcoder1122 Bitwarden is unattractive. Its alternative, vaultwarden, I found unattractive as well.
Nice to see such a detailed explanation of a fantastic tool. I have not looked at anything else since I started using pass a few years ago.
I'm the same as you, I moved over to yubikeys for managing my encryption keys and feel very safe and comfortable. The only thing I have to do is rotate my derived keys periodically.
I've been using pass for about 3 years now. Wish I had such an amazing video back when I started, would have helped with almost any issue I encountered (the only other one being NixOS specific).
Your other videos seem interesting too, you definetly deserve the bell!
Thank you very much!
KeePassXC + SyncThing = ✊ I started the transition from Bitwarden to my new setup about a couple of months ago: no MEGA, no Dropbox anti-privacy bullshit - my vaults never leave my devices. Data sovereignty. Working wonderfully integrating with all the devices where I might need to access passwords and sensible data in general: my laptop, my battle-station, my pocket-computer-stupidly-referred-as-smartphone, and my tablet.
I may have to take a look at this! I'm a huge fan of data sovereignty and this sounds pretty dope.
how does it sync with your phone? :)
@@somerandomchannel382search for syncthing in f-droid
@@somerandomchannel382 Sorry I just saw your question. Correct, on Android you can use an app that work seamlessly. On iOS is a little bit trickier, the best choice being the paid version of Möbius (about four American dollars last time I checked). A third option and the one I use on my iOS tablet is KeePassium, which allows me to connect to a KeePassXC server I host on my home lab within my home network using WebCAL.
Why leave Bitwarden?
5:18 Does 'pass' takes care of disabling the '.viminfo' feature when entering vim (I've just read the source and it doesn't seem so)? I hope it does, otherwise a single register operation may momentarily leak credentials to the '.viminfo' file without encryption.
i've been using pass with passmenu for almost 2 years now. such a great tool
I use rofi pass which is almost the same and it's incredible ! No browser extension but still very smooth UX, it is just perfect !
for aws cli (and possibly a bunch of others) it's actually possible to make aws ask passwordstore directly, no need to export credentials as environment variables, no need to alias etc.
Small correction: Bitwarden can't be hacked. Like literally. They don't store any actual passwords. All the passwords are encrypted by your degice and the entire blob is sent to the server to sync. You can verify this, because the protocol is open source.
I use Bitwarden and like it, but there are some issues around how easy it is to delete your vault. Make sure you have some backups.
thank you, great content, and the graphics and quality of the video is just too great :)
Thank you! I appreciate that.
Yes finally someone stated gnu-pass. Been using it for 6 years never had an issue with it. Synchronised passwords across multi devices just using a git account. No need to worry since key doesn't belong in the application itself.
Please consider cover some practical situations like syncing different git local repositories stored in different machines, so they may evolve adding or deleting keys, but they may need to be "synced".
This is great, but doesn't seem very convenient compared to having a browser add-on that will automatically list matching sites based on the domain (thus preventing phishing), show you a prompt to add/update the password in your vault, automatically sync all changes, and is available on mobile.
Pass has a browser add on, he mentions it in the video itself.
@@botondhetyey159now we just need a mobile app
And a android sync, also mentioned in the video
Thanks for your videos! After trying neovim every couple of years and just bouncing hard, your vim setup + tmux videos finally got me going with something that sticks.
I was considering some terminal-based thing myself. I'm very much a 1Password user, I've found their quick-fill UI is great to just pop up for fetching PWs or other info in an entry without needing my hands to leave the keyboard, so I haven't really needed it yet.
I was extremely happy when I found that 1Password Connect is available even for my personal Family-tier account, so I've been experimenting with that on my homelab, and deploying credentials as code with 1Password's Terraform provider has been like a dream. It sits in its own vault so it only has access to that and not my personal stuff. Never have to bother with the credentials, Terraform and the provider sorts it out for me.
Not trying to shill 1Password, just a very happy user. :-P
I'm glad you're happy with it! I think password store is beyond the needs of most people and you should definitely stay with 1password if it works for you!
To add to that, 1Password can connect as a backend to your terminal based password prompts. I use this all the time
Great video. Thank you so much.
A couple of questions. 1) how do you copy the username/email/other metadata to the clipboard without exposing the password? 2) how can this be used on mobile devices?
Thank you! To answer your qs:
1. There's an extension called pass-extension-tail that does what you're looking for easily. It's on the password store website under extensions.
2. There are mobile apps for both iOS and Android. I use it easily on my iPad and my Android phone. It does take a little bit to set it up, but works perfectly once that's done.
@@dreamsofcode I've been playing around with this all afternoon and I have to say, this is it! I've been using KeePassXC but always longed for a CLI solution and this is perfect. I have no idea how this has escaped my radar, but thank you for presenting it.
@@MalachiMarvin keepassxc has a cli that can be easily used to put passwords in the clipboard or export them as environment variables
Could you suggest techniques to save these private keys?
Also If you could expand more on its usages in your workflow!
Bravo! Best pass tutorial on the internet.
Hey, I've seen your terminal and fell in love, have you made a video covering your setup, if not would you be willing to upload the configs?
I like the idea of setting this up, perhaps I will someday......someday.
I kinda like bitwarden. They had cli too and if you're a bit paranoid you can always self-host them
Bitwarden is a great option!
Love this, I’ve been using a proprietary pwd manager for some time and I just don’t enjoy it…. But have been too lazy to look into a self managed version like this. Another great vid, thanks for sharing!
I'm glad you enjoyed it!
Another option to think about, is self hosted bitwarden, you can host as a docker image, and it gives you a nice UI, plus the bitwarden extension is pretty good.
at @8:49 , are you sure the gpg flag for exporting secret key is "--export-secret-key" and not "--export-secret-keys" ? because i'm getting --export-secret-keyS on autocompletion.. man pages for gpg also show there is a keyS option, plural. my shell: bash. OS: ubuntu 23.04 x86_64
excellent topic coverage , cheers mate
at 1:56 is that a floating terminal, and how can I replicate that? I'm asking cause when I get prompted to write my passphrase I get an ugly window.
What operating system are you on? There's a couple of UI options for password entry
I'm on arch linux with qtile as a window manager
My notebook is the best password manager, it has never been compromised, I can always get back in and the transfer from once device to another is easy as well.
I hope this is satire lol. So many risk vectors.
Do you have an off-site backup at least?
@@dreamsofcode notebook as in paper and its at home lol
@@rrraewr I know 😭😭😭. I'm just worried for your logins if anything happens.
What a manual and slow way to enter passwords. I rather like BitWarden, you just click and done. Takes less than a nano-second compared to your slow way.
Been using pass for years (with the "passmenu" dmenu script on a keyboard shortcut) and love it.
A side note for teams, or cases where you might want to share your passwords, it is possible to encrypt passwords with multiple keys!
pass init shared/BlueTeam/
Now both key1 and key2 can decrypt the passwords stored in the BlueTeam subdirectory (and all subdirectories of BlueTeam so be aware).
As pass was used at work the root of my password directory was split into two (~/.password-store/personal and /shared).
Setting the personal directory to be ignored via the git ignore file. Backed that up using rsync to a separate solution, and this way my passwords didn't make the shared dir more chaotic for others. Though if you use QtPass (which works on Linux, Mac and Windows) you can define multiple password stores with separate git repositories so you don't have to be quite as terminal-goblin-y to get the same effect.
One last thing: if you use Thunderbird with PGP, you may want to get a separate password PGP key. Otherwise your passwords can be decrypted using a left-open Thunderbird client (I know, physical access etc so only if this fits in your threat model). Actually used this to re-encrypt some passwords one time.
This is some great advice, you can also get people to encrypt passwords for you using your public key and submitting a PR to your password store repo!
I do think pass is maybe too high of a technical barrier for enterprise or business, which is a shame. But it's certainly possible to do so.
Honestly, a product built off of pass would be incredibly useful I think.
@@dreamsofcode There's QtPass for people who need a GUI, I haven't used it so I'm not sure how simple it is. Great video!
@@MrA26749 Yeah, qtpass is pretty great! Could do with a little modernizing, but it works!
Aweome! Recently I am learning from your videos a lot. Would be great if you release at a video how to make ArchLinux looks so beautiful. A complete series on managing local environment, dotfiles (with scalability and interoperability in mind) and system setup would be a great help for us.
I watched your videos about Tmux, NvChad as well. Those also were a great help for me. Thanks a lot.
Great suggestion! I shall add the idea to my video backlog
Sorry for my typos.
how did you get rounded corner in your vim/neovim pop-up for auto completion at 5:23 ?
I use NVChad as my base configuration which uses cmp as the auto completion. I have a video on NVChad which can help you in setting it up!
1:18 Dropping a like after use hearing that you use Arch. By the way it is mainly because I also use Arch.
Excellent! Thank you
Thank you for watching!
Unrelated to the video, but do you edit these videos on Arch? If so, what video editor do you use? Love your stuff!
I use Davinci Resolve on Arch. Which is pretty great. The only thing I can't do is After Effects, but a lot of my animations are done with Fusion. Thank you!
This is nice, I currently just write my passwords on paper because they can't be hacked but I might switch to something like this
Paper is a good option! But this is probably a little more secure in case of any natural disasters.
I always tend to forget the gpg commands. So I switched to keepassxc.
Great video as usual! ❤
Thank you!
Wonderful channel, perfect content 🎉 thank you
My current workflow is KeepassXC with a script that use it's cli command tool.
Hey, do you have a video about your Linux terminal setup?
I don't have anything specific! But it's just Alacritty with the Catpuccin theme. My tmux video is probably better for getting close to my setup!
there is also gopass, which is cross platform, and, as the name suggests uses go instead of a bash script
Gopass is awesome!
i was wondering about something, how do you organize your passwords? Do you do it by category? E.g. entertainment, social, development, and so on, or do you do it by website domain, or a third option? I'm currently using the first one, but I've found myself using a "misc" folder far too frequently for my liking, what'd you recommend?
@@bastiana3611 if you're putting a lot of entries into your Misc folder, I would suggest either your other categories are too specific, or you lack categories. I had the same issue, but taking some time to think about new categories or reorganizing your vault is worth :)
I don't use X or other similar graphical UI. I use tty only, so no xclip. Will I be able to use pass? I don't have access to X clipboard
Just subscribed! I never knew about this pass before. Your video is very informative
Awesome! Thank you!
Yeh but the alias at 10:27 has some problems.
First of all, the quoting stores the password in the alias…
Secondly, this leaves nasty characters in the command invoked by the shell.
Hi! I got a no public key error, even though pass -k lists the key I created. could u help?
anyway how you can change the default text editor on pass, the default is use vi, i want to use neovim
What's a recommended process for also keeping user names? User name in xclip primary (middle mouse button) and password in xclip clipboard would be nice. Is there anything like that in Pass.
Because it's gpg you could probably build out an extension that takes the second line and adds it to your other clipboard. I don't think pass supports this out of the box though unfortunately.
The browser extensions work similar to this, however!
Thanks for video, have question - Is there any way to safely store a backup of the GPG private key in public repositories such as google-disk, or GitHub etc?
You mean the public key right? I dont think you want to leak your private key
This is cool and all, but how do you manage when you want to login to smt on mobile?
what i'm having trouble understanding is how is this different from using a combination of gnupg + git ? Both password store and gnupg will create encrypted files where you can store passwords. and then you can use git to keep history and upload encrypted files
This is basically that, except it's a more standardized format
can it also encrypt and keep other file formats for example I want to store my ID card image, or bank statement pdf
so that I can keep it uploaded on github and at the same time they are encrypted
Yubikey sounds like an obvious thing to improve the experience with gpg keys here
I use this setup. It's great
Agreed, I use Yubikeys as well with mine! I didn't want to add more complexity to the video but I have one coming about setting up yubikey.
@@dreamsofcode super nice. Thanks
@@dreamsofcode any news about the Yubikey setup? 🤗
think this is the only video I intentionally "watched" post-roll ads for...
Just wondering, where do you store your private key? I mean, do you use some service?
I manage my own using yubikeys. I also have an offline backup stored securely so if I lost all my keys, I could still recover.
Great tips !!! Thank you !!!
1:16 Leaving after "arch, btw". 😔
I think you meant:
"Leaving a comment..." 😉
@@dreamsofcode right. I'll never use arch because it's become something of a pretentious meme distro.
But, I'll leave another comment to increase engagement. +1 :)
So we store entire log of all edits in GitHub, each password encrypted individually, so any reuse is obvious without the key. And unencrypted passwords are in terminal memory until we close the terminal. Does it at least support yubikey?
Love the archbtw throwaway. I don't use archbtw btw.
I'm trying to set up this with github, but I don't know how to authenticate to it. Can someone explain how to do that for pass?
Not related to the topic but Itachi would be proud of your instance's name 😅
Great content! Thanks for sharing.
I'm glad you enjoyed it!
there's also a an integration with dmenu `pass-menu` which is great , and one with fzf too!
Some of the integrations are awesome! I probably should do a video on my favorite ones.
How are you getting master password prompt in terminal? Is it a kind of polkit agent? How did you set it up?
I believe it's the default pinentry program that's installed with password store. pinentry-curses. You can also adjust it to a different peogram if you like as well
Super helpful , thank you
Do you have a video or guide on how to set up your terminal colors and especially the vim/tmux setup?
I have two videos! One for my Tmux config and the other for my Neovim config! Otherwise I'm using the Alacritty terminal with Catppuccin theme!
for some reason tmux wont allow me to copy/paste a password into cli
Do you have xclip installed if you're on X11?
You have all the videos for things i thought,
I might do some day.
just ❤
I'm glad you're enjoying them!
@@dreamsofcode today i setup ur vim config, in process of configuring tmux
truly amazing.
Would work on setting up java, learning basics of vim since im a vim noob.
If u have an ongoing project would love to help😁
How secure is it to upload to remote github?
If that account get hacked, aren’t all my passwords available for grabs…?
The passwords are encrypted using gpg so they'd need you private key as well
This video was just perfect.
Thank you!
Keybase for the gpg key store?
thanks a ton. It was really well explained, btw also a terminal guy❤
Command line Chad!
Sadly my android version is too new for the Android app... Let's see how much I do or don't need an Android version...
You can host bitwarden on ur own server btw
Could be do passkey on local system
Like using raspberry pi
What about if you need to login on another computer which does not have the encrypted keys setup?
I usually keep a copy on my store on my phone as well so if I need a password I can pull it from there and type it in (tedious).
I also have my gpg key on a yubikey which I can plug into other another computer easily to decrypt it. So you could clone the repo and use the key.
Otherwise you can keep the key in a remote drive that's accessible, although yubikey is much more secure.
@@dreamsofcode so then all your keys are accessible to all who have access to that other computer? Even if you deleted the key and the repo, we can assume the other computer made a copy already.
@@abuk95 With the Yubikey, no. and as long as you're using a password for the GPG key, then also no. Although I wouldn't want to put my private key on other machines, personally. Probably better to just copy from your phone.
well it good idea in case of mistake and backup system. Which is good thing.
Clear and concise. Noice video!
When you went over to macOS the rounded icons in statusline for tmux didn't look funky, whereas with any terminal emulator I tried, they look... weird. Back when I still used p10k, those looked kind of horrible as well. Did you find a way to fix it, or is that just another less popular terminal emulator?
Thank you!
I use Alacritty on macOS and use a nerd font. The font I use is JetBrainsMono Nerd font. That should give you the same experience as myself
Great video. Thanks
The video is amazing, but why does pass open nano to me instead of vim? It's really annoying
change your default CLI editor
Just to be sure, apart from the git remote you may or may not setup, there are no servers involved? Can I go offline and still use this?
Correct. You can go completely offline. I have my main password store backed up on to my NAS, so it's only in my local network. (Except my encrypted backups)
@@dreamsofcode this is a gem!! Thank you for sharing!
Also, what is an NAS and can I set it up for free?
@@norielgames4765 a NAS is a network attached storage. If you have an old computer or a raspberry pi with some external Hard drives you can easily set this up!
@@dreamsofcode thanks!! 😁
I was really satisfied with pass and had been using it for years, but I switched to keepassxc recently for cross-compatibility and integration with yubikey. It seems like gpg supports yubikey and the application is indeed cross-compatible, so I'm migrating back!
I use yubikeys with my password stores! It's the perfect solution
How do you make the terminal prompt like that?
Looks like powerlevel10k + zsh
what DE or TWM do you use?
does anybody know if password-store is usable with windows? i'm not the most tech proficient person, but this video did get me to use password-store as my main password manager whilst using ubuntu, and now i would like to use it with windows, but i don't see a rather simple way to install it. am i missing something or do i simply have to find another option?
There is a fork called pass winmenu for Windows. Pretty simple to use. I use it for work.
Do you store recovery codes there too?
You can do! You can store pretty much anything you'd like. Recovery codes are pretty decent to do so
Hey, i love ur vim config, do you have an accessible version ?
I do! I also have a video on it. If you look on my GitHub, you should find an accessible version.
Is this available for Windows?
Bitwarden can be self hosted so will it be safe?
Bitwarden is pretty great. Definitely less technical know how needed as well. As with anything self hosted, you'll need to make sure you take care of backups securly!
How'd you make it so that your macbook's host is named `amaterasu` and not its local IP address?
That is my Linux box, which I have set it's hostname in the /etc/hostname file.
MacBooks automatically set their hostname to be Name-MacBook-Pro usually. You can change the local hostname of a MacBook pro as well though in your system preferences.
@@dreamsofcode Gotcha, I somehow missed it but you were on your macbook when you did the scp command. Thanks!
I just can't get the gpg prompt to run without a terminal, pass-menu is kind of useless in my use case.
What OS are you using? You can change the pin entry program to something else as well!
@@dreamsofcode Oh, thanks for pointing me to the right direction. Problem solved.
when the java config video is coming sir still waiting................
It's on the backlog! It'll come I promise but you may have to wait a little longer.
How did you get a mac like topbar of the terminal app?
On gn*me or KDE or GTK QT you have themes that give you that, on a tiling wm you usually don't want that but you can still use something like lxapparance for apps that force a bar on you