I use the excellent pass utility locally for managing the myriad passwords I have for sites across the internet. These passwords are available on my Macs, iPads, and iPhone.

My reasons for not using a cloud-based solution (like LastPass or even Keybase):

  1. Passwords are synchronized and encrypted on personal endpoint devices (e.g. MacBook, iPhone, iPad, …). This provides redundancy as well as zero leakage of sensitive information over the internet.
  2. The password store on the local server is encrypted and versioned.
  3. Mobile apps are freely available, and password synchronization is needed infrequently enough.
  4. Since there is no one to collaborate with, the security protocol for managing keys is simpler than building and managing an elaborate Web of Trust.

There are two main programs from the GNU Privacy Guard toolset that are handy in managing keys, and they are fully integrated with pass:

  1. the gpg CLI, which provides key management and encryption features (user, trust, expiry, encryption, sign), and
  2. the pinentry CLI, which provides secure passphrase entry for your private key.

NOTE: Always have a passphrase for your private key.

Here’s a recipe for using gpg effectively and how it interoperates with pass.

brew install pass gpg

# generate your private key; it will be used to encrypt
# your passwords locally
gpg --gen-key

# OR export an existing key so it can be moved to another machine
# (KEYID_FINGERPRINT is the long key ID or full fingerprint; it is a
# plain shell variable, so reference it as ${...}, not $(...))
gpg --export-secret-keys --armor "${KEYID_FINGERPRINT}" > privkey.asc
gpg --export --armor "${KEYID_FINGERPRINT}" > pubkey.asc

# import these files on a new machine (modern gpg imports secret keys
# directly; --allow-secret-key-import is an obsolete no-op)
gpg --import pubkey.asc
gpg --import privkey.asc

# trust the imported keys fully (as they are your keys):
# run the "trust" command at the gpg> prompt and choose option 4
gpg --edit-key "${KEYID_FINGERPRINT}"

# pass setup: records the key in ~/.password-store/.gpg-id
pass init "${KEYID_FINGERPRINT}"

# make the new store a git repo
pass git init

# have the new repo sync to a remote git repo
pass git remote add origin "ssh://${GIT_SERVER}/${PASS_REPO}"

# FOR a new device, clone the existing encrypted git repo
# (pass looks for the store in ~/.password-store by default)
git clone "ssh://${GIT_SERVER}/${PASS_REPO}" ~/.password-store

After the setup, using pass is easy. I also use pwgen, a password generator, to create new passwords.

brew install pwgen

# generate a new password
pwgen 12

# add a new password to the store
pass insert -m Ecommerce/amazon.com

# sync it to ${PASS_REPO}, making it available to all other devices
pass git push -u origin main

# search for a given password
pass search amazon

# read a password
pass Ecommerce/amazon.com

Finally, here’s a key capability: listing and showing the previous versions of a password from the store’s git history.

# tell git to decrypt *.gpg files with gpg before diffing them
# (pass git init already sets diff.gpg.textconv and the store's
# .gitattributes; these lines make the setup explicit and global)
git config --global diff.gpg.textconv "gpg --no-tty --decrypt"
echo "*.gpg diff=gpg" > ~/.password-store/.gitattributes

# command for displaying changes: every previous version, decrypted
pass git log -p -- Ecommerce/amazon.com.gpg
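As an added example (not part of the original post or of pass itself), here is a check worth running after cloning the store onto a new device: confirm that every entry is encrypted to the key recorded in .gpg-id and to nothing else, by parsing the recipient key IDs that gpg writes at the front of each *.gpg file. Python is used because the check is a binary parse; it assumes the standard store layout and that .gpg-id holds key IDs or fingerprints, as the pass init line above produces.

```python
"""Check a pass store: is every *.gpg entry encrypted to the key(s) in .gpg-id?
Parses the OpenPGP public-key-encrypted-session-key packets (RFC 4880 tag 1)
that gpg writes at the start of each file. Added example, not pass's own code."""
from pathlib import Path

def _packet_header(blob: bytes, pos: int):
    """Return (tag, body_start, body_len) for the packet at pos; None if no packet."""
    if pos + 1 >= len(blob) or not blob[pos] & 0x80:
        return None
    first = blob[pos]
    if first & 0x40:                                  # new-format header
        tag, b1 = first & 0x3F, blob[pos + 1]
        if b1 < 192:
            return tag, pos + 2, b1
        if b1 < 224:
            return tag, pos + 3, ((b1 - 192) << 8) + blob[pos + 2] + 192
        if b1 == 255:
            return tag, pos + 6, int.from_bytes(blob[pos + 2:pos + 6], "big")
        return tag, pos + 2, None                     # partial body length (data packet)
    tag, ltype = (first >> 2) & 0x0F, first & 0x03    # old-format header
    if ltype == 3:
        return tag, pos + 1, None                     # indeterminate length
    n = (1, 2, 4)[ltype]
    return tag, pos + 1 + n, int.from_bytes(blob[pos + 1:pos + 1 + n], "big")

def recipient_key_ids(blob: bytes) -> list[str]:
    """Key IDs (16 hex chars) of the PKESK packets leading the file.
    All zeros means a hidden recipient (gpg --hidden-recipient / --throw-keyids)."""
    ids, pos = [], 0
    while (hdr := _packet_header(blob, pos)) is not None:
        tag, start, length = hdr
        if tag != 1 or length is None or start + length > len(blob):
            break                                     # first non-PKESK packet ends the run
        ids.append(blob[start + 1:start + 9].hex().upper())  # body: version(1) keyid(8) algo(1) MPIs
        pos = start + length
    return ids

def check_store(root: Path) -> dict[str, list[str]]:
    """Map each entry (relative path) to recipient key IDs NOT covered by .gpg-id; empty means
    fine. Suffix matching lets .gpg-id hold a full fingerprint while packets carry the 64-bit ID."""
    allowed = [l.strip().upper() for l in (root / ".gpg-id").read_text().splitlines() if l.strip()]
    report = {}
    for f in sorted(root.rglob("*.gpg")):
        ids = recipient_key_ids(f.read_bytes())
        rel = f.relative_to(root).as_posix()
        if not ids:
            report[rel] = ["<no PKESK packet: not gpg public-key encrypted>"]
        else:
            report[rel] = [k for k in ids if not any(a.endswith(k) for a in allowed)]
    return report
```

Run it as `check_store(Path.home() / ".password-store")`; any non-empty list is an entry that would stay readable by a key you did not intend, or that was not encrypted by gpg at all.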