===============
== bacardi55 ==
===============
ἕν οἶδα ὅτι οὐδὲν οἶδα

Managing passwords with pass and rofi

Introduction

As I’ve said before on this blog, I’m using pass as my password manager. There are lots of alternatives out there, but I love the simplicity of this one. Also, I don’t want a password manager hosted on the web (selfhosted or not) as I prefer not to expose it to anyone. I don’t need any advanced features and I just prefer simplicity. Pass may not be for everyone, though.

Installation

The installation is as simple as installing a package from your distribution repository (it should be available on most). For Archlinux-based systems like mine, a simple pacman -S pass is enough. There is a QT GUI available (qtpass), but I’m not using it as I prefer to use pass either via the CLI or with rofi.

One important step before you start using pass is to have (or create) a pgp key (eg: with gnupg as I explained here). This is required because your passwords will be encrypted using the pgp key.

Once you have it set up, you can run:

pass init <email@domain.tld>

Replace the email with the one attached to your key. You can use the gpg id as well instead.

Usage

Usage is really simple, to generate a new password:

pass generate site.url.tld/username

You can also add a number at the end of the line to indicate the desired length of the password.

It will create a tree like:

Password Store
└── site1.domain.tld/
    └── username

A more complete extract could look like:

Password Store
├── site1.domain.tld/
│   └── username
├── site2.domain.tld/
│   └── user@example.com
└── site3.domain2.tld/
    ├── user1@example.com
    └── user2@example.com

To insert a password (not generate one), one can run:

pass insert site.domain.tld/username

And then insert the password when asked for it (twice).

To copy a password in your clipboard:

pass show -c domain.tld/username

Without the -c, it will display in your terminal the password, so I prefer the -c version.

But that isn’t the fastest workflow when browsing a web page: you have to open a new terminal, type the command, then go back to the site and paste the password into the right field.

Improved workflow with rofi-pass

To improve this, I’m using rofi and rofi-pass to open a popup where I can filter my stored passwords quickly. In the popup, I can start typing to find the right password, and when I select one I’m asked for my pgp key password to decrypt it.

With rofi-pass, you can configure different behaviors. By default, it inserts your username, uses TAB to switch to the next field, and then inserts your password. I changed it so that when I validate, it inserts only my password (so no use of TAB and no potential mistake). It really depends on your preferences :).

Installation and configuration of rofi-pass

Let’s install and configure this. First, let’s install rofi-pass. If you don’t have rofi and/or rofi-pass installed, start with that. On Archlinux:

pacman -S rofi rofi-pass

I’m using i3wm as my window manager, so I added a shortcut to open it with super+p with the following line in my ~/.config/i3/config (adapt to your desktop or window manager to have a working shortcut):

bindsym $mod+p exec /usr/bin/rofi-pass

Now, I can use the shortcut to open a rofi popup that lists all my passwords:

Figure 1: rofi-pass dialog box

To configure rofi-pass, you can edit the ~/.config/rofi-pass/config file. As said, I changed the behavior from inserting the username and then the password in the next field to just inserting the password. For that I changed:

default_do='autotype'

To:

default_do='typePass'

There are additional options here (eg: actionMenu, OpenUrl, …), read the documentation to make it work with the flow you want :).

I also changed some keybindings (that were incompatible with some of my i3 shortcuts):

autotype="Alt+a"
type_user="Alt+u"
type_pass="Alt+p"

Which are the 3 I could use, even though 99.9% of the time I just stick with default option of just typing the password.

Fixing rofi-pass password prompt (pinentry)

I had one issue during this setup, though: rofi-pass didn’t ask me for my password. It worked when using pass in a terminal, but no GUI popup appeared to ask for it when using rofi. The main reason lies in my pinentry configuration. As said on their homepage:

pinentry is a small collection of dialog programs that allow GnuPG to read passphrases and PIN numbers in a secure manner. There are versions for the common GTK and Qt toolkits as well as for the text terminal (Curses). – https://gnupg.org/related_software/pinentry/

Basically pinentry is used to configure which dialog box will be used to ask for your password. And it seems rofi can not work with the default (on Archlinux at least) curses (text terminal) dialog. Having more GTK than QT libraries on my system, I decided to go with the gnome3 version. In the ~/.gnupg/gpg-agent.conf file (create it if it doesn’t exist yet):

pinentry-program /usr/bin/pinentry-gnome3

But based on your preference, you could use others like:

➜ pacman -Ql pinentry | grep /usr/bin/
pinentry /usr/bin/
pinentry /usr/bin/pinentry
pinentry /usr/bin/pinentry-curses
pinentry /usr/bin/pinentry-emacs
pinentry /usr/bin/pinentry-gnome3
pinentry /usr/bin/pinentry-gtk-2
pinentry /usr/bin/pinentry-qt
pinentry /usr/bin/pinentry-qt5
pinentry /usr/bin/pinentry-tty

You then need to reload the daemon:

gpg-connect-agent reloadagent /bye

Now you should see a gtk dialog (or equivalent) to enter your password once you select a password to use.
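
To check this failure mode on another machine, here is an added example (not part of the original post) that reads gpg-agent.conf and reports whether the configured pinentry can prompt when rofi-pass is started from a keyboard shortcut. The function names and labels are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Function names and the
# classification labels are assumptions made for this illustration.

# Print the pinentry-program value from a gpg-agent.conf (if the option is
# repeated, the last one is assumed to win); prints nothing if absent.
configured_pinentry() {
    [ -r "$1" ] || return 0
    awk '$1 == "pinentry-program" { $1 = ""; sub(/^[ \t]+/, ""); p = $0 }
         END { if (p != "") print p }' "$1"
}

# Classify a pinentry path by its program name.
classify_pinentry() {
    case "${1##*/}" in
        "")                                         echo default ;;  # nothing configured
        pinentry-curses|pinentry-tty)               echo terminal ;; # needs a TTY
        pinentry-gnome3|pinentry-gtk*|pinentry-qt*) echo gui ;;
        *)                                          echo other ;;
    esac
}

# Explain what rofi-pass gets when started from a window-manager shortcut.
report() {
    prog=$(configured_pinentry "$1")
    kind=$(classify_pinentry "$prog")
    case "$kind" in
        default)  echo "no pinentry-program in $1: the distribution default is used" ;;
        terminal) echo "$prog needs a terminal: no prompt from a keyboard shortcut" ;;
        gui)      [ -x "$prog" ] && echo "$prog is graphical and installed" \
                      || echo "$prog is configured but not installed" ;;
        other)    echo "$prog: check by hand that it can open a window" ;;
    esac
}

report "${GNUPGHOME:-$HOME/.gnupg}/gpg-agent.conf"
```

After changing the file, reload the agent as shown above and run the script again.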

Importing existing passwords

One last thing I needed to do was importing some passwords I had temporarily saved in Firefox for the first few weeks. As you may recall, I had to reset everything very quickly after the previous hard drive death, and I postponed this setup for a few weeks. It meant that in the meantime, I had to save passwords somewhere. I know it isn’t really secure but I had other priorities. Since then all passwords were removed from Firefox.

Also, note that passwords can be imported from many places using the pass-import tool. Look at their README for more information.

Anyway, let’s install it first. For this, I had to first import the developer key and then install the pass-import package from AUR. You can also just download the sources and install it manually. In my case with Archlinux:

wget -qO - https://pujol.io/keys/0xc5469996f0df68ec.asc | gpg --import
yay -S pass-import
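
The wget | gpg --import pipe imports whatever the server returns. The added example below (not part of the original post) downloads the key to a file, inspects it without importing, and imports it only if the fingerprint equals one you obtained from an independent source. The function names and the file name pass-import.asc are assumptions, and the expected fingerprint is a placeholder to fill in.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are assumptions.
# Assumes a v4 OpenPGP key (40 hex digit fingerprint, 16 hex digit long key ID).

# Normalise a fingerprint or key ID: drop spaces and a 0x prefix, upper-case.
norm() { printf '%s' "$1" | tr -d ' ' | sed 's/^0[xX]//' | tr 'a-f' 'A-F'; }

# Succeed only if the full fingerprint ends with the long key ID.
fpr_has_keyid() {
    f=$(norm "$1"); k=$(norm "$2")
    [ ${#f} -eq 40 ] && [ ${#k} -eq 16 ] || return 1
    case "$f" in *"$k") return 0 ;; *) return 1 ;; esac
}

# Print the primary-key fingerprint of a key file without importing it.
primary_fpr() {
    gpg --show-keys --with-colons "$1" 2>/dev/null |
        awk -F: '$1 == "pub" { want = 1 } want && $1 == "fpr" { print $10; exit }'
}

# Import key_file only if its fingerprint equals the expected one.
# The key ID check alone only shows the file holds the key the URL names;
# the full-fingerprint comparison is what establishes trust.
import_if_trusted() {
    key_file=$1 expected=$2 keyid=$3
    got=$(primary_fpr "$key_file")
    fpr_has_keyid "$got" "$keyid" ||
        { echo "file does not hold key $keyid" >&2; return 1; }
    [ "$(norm "$got")" = "$(norm "$expected")" ] ||
        { echo "fingerprint mismatch: $got" >&2; return 1; }
    gpg --import "$key_file"
}

# Usage (URL and key ID are the ones from the post):
#   wget -qO pass-import.asc https://pujol.io/keys/0xc5469996f0df68ec.asc
#   import_if_trusted pass-import.asc "<FULL FINGERPRINT FROM AN INDEPENDENT SOURCE>" 0xc5469996f0df68ec
```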

Then in Firefox, I exported passwords in a CSV file (via Firefox settings menu) that I simply fed to pass:

pass import firefox ~/passwordsfile.csv

And voilà, my passwords were rightly copied and I was able to delete them from Firefox to only use pass from now on.

Conclusion

That’s it for now, nothing crazy here, but I do strongly advise using a secure password manager for handling the hundreds of passwords that we need nowadays :).

