I like pass, "the standard Unix password manager", which is a reliable and secure solution for password management. It is a great option for those who value security and control over their password management: it is essentially a simple script that uses GnuPG for encryption, together with other utility tools such as git, tree, xclip and qrencode. It may not be suitable, though, for those who are not comfortable with technical setup and maintenance. It requires some technical know-how to use it properly: you need to set up the right command-line interface, a GnuPG key, and a backup process. One of the most popular backup alternatives is git.
Using pass in conjunction with git offers several benefits, including the ability to synchronize your passwords across multiple devices, logging, historical tracking, and conflict resolution.
Example
In this snippet, we initialize pass and the git repository, and create a post-commit hook that automatically pushes to origin whenever the repository changes.
```sh
pass init <fingerprint>  # add multiple key IDs here if several people/devices need access
pass git init
# Initialized empty Git repository in ~/.password-store/.git/
pass git remote add origin git@<service>.com:<user>/<repo>.git
pass git push --set-upstream origin master

# Install a post-commit hook inside the store's repository so every commit
# made by pass (insert, edit, generate, rm, ...) is pushed immediately.
filepath_post_commit="$(pass git rev-parse --show-toplevel)/.git/hooks/post-commit"
cat << EOF > "$filepath_post_commit"
#!/bin/sh
git push origin master:master
EOF
chmod +x "$filepath_post_commit"
```
- Set $PASSWORD_STORE_DIR if you want the passwords to be stored in a different path than the default ~/.password-store.
- The gpg key trust level has to be ultimate; otherwise, you get an error such as "gpg: There is no assurance this key belongs to the named user".
- You can host the passwords on a version control platform such as GitHub (in a private repository, if possible), a self-hosted Gitea instance, or any machine where you can pull and push. The choice is yours.
Then we test it.
```sh
pass insert foo/bar
# Enter password for foo/bar: ***
# Retype password for foo/bar: ***
# ... (git push)
pass ls
# Password Store
# └── foo
#     └── bar
pass edit foo/bar
# ... (edit in the editor)
# ... (git push)
```
Optionally, it's a good idea to create a shell alias that overrides pass so that it does a git pull every time you run a command. This ensures you are always in sync with the git repository, which is especially important when multiple people or devices use it.
```sh
alias pass="pass git pull && pass"
```
This is an on-demand way of syncing. Alternatively, you can hook git pull up to your system daemon so that it runs periodically with cron or a systemd timer.
Caveats and alternatives
- All the passwords are encrypted, but the names of the files and folders are not. If this matters to you, pass-tomb can be added to this setup. Note that I haven't used it before because I don't mind having the metadata (in this case file and folder names) unencrypted.
- You can also sign the commits with PGP by setting pass.signcommits to true (see man pass for details) to prevent tampering in the remote. The issue is identified in CVE-2020-28086. In this threat model its severity is not very high, because the whole setup's security is already void if the remote isn't secure. However, if you consider this option, it's also a good idea to create a pre-receive hook on the server that verifies the commit signatures.
- The git solution works well on desktop operating systems. However, if you need a solution across different types of devices, for example if you also want to access your passwords on a mobile OS, using Syncthing instead of git can be much easier. (Note again, I haven't tried it.)
- gopass is another implementation that offers more out-of-the-box features.
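The pre-receive hook mentioned in the signing caveat, written out as an added example (it is not part of pass or of the original post). It rejects a push if any new commit lacks a signature that is both valid and made by a key the server trusts, which is what makes pass.signcommits useful against a tampering remote client. It assumes the hook is installed as `<repo>.git/hooks/pre-receive` on the git server, that git and gpg are available there, and that the team's public keys have been imported into the server's keyring and marked trusted (otherwise every commit reports status "U" and is refused).

```sh
#!/bin/sh
# Added example, not from the original post or from pass itself: a server-side
# pre-receive hook that rejects any push containing a commit whose PGP signature
# is not both valid and made by a key the server trusts.
# Assumed: installed as <repo>.git/hooks/pre-receive on the git server, with git
# and gpg present and the signers' public keys imported and trusted there.

# check_signatures reads "<sha> <status>" lines, where <status> is git's %G?
# placeholder: G good, U good but untrusted key, B bad, X/Y expired, R revoked,
# E cannot be checked, N unsigned. Returns 0 only if every commit is "G".
check_signatures() {
  while read -r sha status _rest; do
    if [ -z "$sha" ]; then continue; fi
    case "$status" in
      G) ;;
      *) echo "rejected: commit $sha has signature status '$status'" >&2
         return 1 ;;
    esac
  done
  return 0
}

# is_zero REV -> 0 if REV is the all-zero id git uses for "no such object".
is_zero() {
  [ -z "$(printf '%s' "$1" | tr -d 0)" ]
}

# signature_report OLD NEW prints "<sha> <status>" for every commit the push
# would add to a ref. Deleting a ref adds nothing, so it prints nothing.
signature_report() {
  old="$1" new="$2"
  if is_zero "$new"; then
    return 0
  fi
  if is_zero "$old"; then
    # new ref: only commits not already reachable from the refs the server has
    git log --format='%H %G?' "$new" --not --all
  else
    git log --format='%H %G?' "$old..$new"
  fi
}

# pre-receive gets one "<old> <new> <refname>" line per updated ref on stdin.
main() {
  while read -r old new ref; do
    if ! signature_report "$old" "$new" | check_signatures; then
      echo "push to $ref rejected: every commit must carry a trusted PGP signature" >&2
      exit 1
    fi
  done
  exit 0
}

# Run only when installed under the hook's name, so the functions can be sourced.
case "$0" in
  */pre-receive|pre-receive) main ;;
esac
```

Two things worth knowing when deploying it: status "U" (good signature, untrusted key) is treated as a failure on purpose, so the server's keyring is where you decide whose commits are acceptable; and because pre-receive runs before refs move, `--not --all` correctly limits a new branch to commits the server has never accepted before.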