Mastering Pass on Ubuntu 24.04

Table of contents
- Introduction
- Prerequisites
- Step 1: Create Your GPG Key
- Step 2: Initialize Your Password Store
- Step 3: Storing and Retrieving Passwords
- Step 4: Adding OTP Tokens
- Step 5: Chrome Integration
- Step 6: Git Synchronization
- Step 7: Sync Your GPG Key
- Best Practices
- Optional: Bonus Tools
- Conclusion

Introduction
If you care about security, privacy, and full control over your password management, then Pass, the Standard Unix Password Manager, is a serious contender. Paired with GPG encryption, OTP support, Git-based sync, and browser integration, it becomes a powerful solution for developers, sysadmins, and power users.
In this guide, we'll walk you through setting up and mastering pass on Ubuntu 24.04, with a secure and synchronized workflow across all your machines.
Prerequisites
Make sure your system is up to date:
sudo apt update && sudo apt upgrade
Then install the required packages:
sudo apt install pass gnupg2 git xclip
For OTP support:
sudo apt install pass-otp
For Chrome integration:
pip install chrome-pass
Python >= 3.6 is required for chrome-pass.
Step 1: Create Your GPG Key
pass uses GPG to encrypt and decrypt your password files. Let's create a key:
gpg --full-generate-key
Choose:
- (1) RSA and RSA
- Key size: 4096
- Expire: 2y (or your choice)
- Enter your name, email, and a strong passphrase
Then list your key:
gpg --list-keys
Copy the key ID (usually a 16-digit hex string).
Step 2: Initialize Your Password Store
pass init <your-gpg-key-id>
Example:
pass init 0123456789ABCDEF
Your password store is now set up at ~/.password-store/.
Step 3: Storing and Retrieving Passwords
Respect the structure: domain.com/username
pass generate -c www.google.com/your_email@domain.com 16
This creates a new entry where:
- The folder name is the domain (e.g., www.google.com)
- The file name is the username (e.g., your_email@domain.com)
- The password is stored inside the file
To retrieve:
pass show www.google.com/your_email@domain.com
To copy to clipboard:
pass -c www.google.com/your_email@domain.com
This structure is mandatory for Chrome extension compatibility.
Step 4: Adding OTP Tokens
To append an OTP token (without overwriting the password):
pass otp append -e www.google.com/your_email@domain.com
Where -e echoes the OTP URI to the terminal so you can verify its content before it's appended to the entry.
To get the current token:
pass otp www.google.com/your_email@domain.com
Always use append to avoid overwriting the password.
Step 5: Chrome Integration
Install the Chrome extension: Chrome Pass
Start the client:
chrome_pass install
Ensure your pass entries follow the structure domain/username.
The client runs a local WebSocket for the extension. Keep it local and ephemeral.
Step 6: Git Synchronization
pass includes built-in Git integration. To set it up correctly:
pass git init
pass git remote add origin git@github.com:johndoe/pass-store.git
pass git push -u --all
Once initialized, all Git-related operations are handled through pass git.
For example, after making changes (adding passwords, etc.):
pass git push
To retrieve updates on another machine:
pass git pull
You don't need to use commit or add; pass manages that internally.
To clone your password store on a new machine:
git clone git@github.com:johndoe/pass-store.git ~/.password-store
pass init <your-gpg-key-id>
From there, you can use pass as usual.
Step 7: Sync Your GPG Key
Export your private key:
gpg --export-secret-keys --armor <your-key-id> > gpg-private-key.asc
Export your public key:
gpg --export --armor <your-key-id> > gpg-public-key.asc
Transfer securely (e.g., USB stick + Veracrypt) to your other machine, then import:
gpg --import gpg-public-key.asc
gpg --import gpg-private-key.asc
Trust the key:
gpg --edit-key <your-key-id>
> trust
> 5 (ultimate)
> quit
Best Practices
- Always use a strong passphrase for your GPG key
- Back up your private key securely (offline storage or encrypted vault)
- Use pass git to track and synchronize changes
- Don't sync your GPG key via Git, ever
- Use SSH authentication with your Git remote
- Rotate your GPG key every 1-2 years
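One way to enforce the "never sync your GPG key via Git" rule is to scan the store before each push. This is an added example, not part of the original guide; the function name and the list of files pass is assumed to manage are assumptions.

```sh
#!/bin/sh
# Added example: scan a password store for key material or stray plaintext
# before `pass git push`.
# Assumption: pass only writes *.gpg entries, .gpg-id and .gitattributes;
# anything else in the store is reported for review.
# Usage: find_key_leaks [store-dir]

find_key_leaks() {
    store="${1:-${PASSWORD_STORE_DIR:-$HOME/.password-store}}"
    [ -d "$store" ] || { echo "no password store at $store" >&2; return 2; }

    leaks=$(cd "$store" && find . -name .git -prune -o -type f -print |
        while IFS= read -r f; do
            # Header written by `gpg --export-secret-keys --armor`
            if grep -qF -e '-----BEGIN PGP PRIVATE KEY BLOCK-----' "$f"; then
                echo "PRIVATE KEY: ${f#./}"
                continue
            fi
            case ${f##*/} in
                *.gpg|.gpg-id|.gitattributes) ;;  # files pass itself manages
                *) echo "unexpected file: ${f#./}" ;;
            esac
        done)

    [ -z "$leaks" ] && return 0
    printf '%s\n' "$leaks"
    return 1
}
```

A binary (non-armored) key export carries no text header, so it is only caught by the "unexpected file" rule; running `find_key_leaks && pass git push` blocks the push whenever anything is reported.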
Optional: Bonus Tools
- syncthing for offline sync
- Yubikey + GPG Smartcard
Conclusion
With pass, Ubuntu, GPG, OTP, Git, and browser integration, you have a password manager that is transparent, secure, and under your control. No more cloud-based black boxes, just clean Unix philosophy.
Your passwords are only as safe as your habits. Encrypt, audit, sync wisely.
Feel free to share or fork this guide to make your own secured setup easier for your team or friends.
Written by

Jean-Marc Strauven
Jean-Marc (aka Grazulex) is a developer with over 30 years of experience, driven by a passion for learning and exploring new technologies. While PHP is his daily companion, he also enjoys diving into Python, Perl, and even Rust when the mood strikes. Jean-Marc thrives on curiosity, code, and the occasional semicolon. Always eager to evolve, he blends decades of experience with a constant hunger for innovation.