Pass extension for OpenKeyChain

It looks like these days I’m spending my free time mostly fiddling with passwords… I swear I have other interests. Really.
Motivation
Anyhow: I use pass everywhere and I am happy with it.
I’ve been using the vanilla, OG, CLI client on all my devices except for my smartphone, where I had the native Android app, which kinda did the job, except a few things kept bugging me:
1. What's the point of using a tool that integrates beautifully with my unix system, if I have to access it from a GUI disconnected from my trusty bash?
2. Sure, I could easily solve point 1. by using pass in termux, but I have my keys on hardware tokens (mostly implanted ones, as per my previous post) and poor little gpg has no clue how to reach an NFC smartcard from its sandbox.
Luckily OpenKeyChain supports NFC smartcards and you can tap into it from termux using OkcAgent: the only missing ingredient separating me from a fully satisfying password managing experience was pass being able to use OpenKeyChain, so here we are.
Putting it together
It turns out making extensions for pass is as easy as dropping shell scripts in the right folder, so I had a quick look at the source code to figure out the simplest way to get what I wanted, without messing up the standard pass workflow.
My first instinct was to brutally put okc-gpg in the $GPG variable in pass, but this quickly proved to be the wrong approach: okc-gpg only implements a subset of the gpg commands, so swapping the two would result in a bunch of broken pass commands. Of course it would still work if you knew what works and what doesn't, but it would be unbearably ugly.
During one of those long administrative meetings (the kind where you're allowed to contribute only a "good morning" at the beginning and a "till next time" at the end), I realized that what I actually needed was just adding 3 commands to pass, to be able to use OpenKeyChain only for the operations needing it. This sounded like a lean, quick'n'dirty plan, so after spending the lunch break in front of vim, I had my working POC.
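The shape of such a dedicated decrypt command, as an added sketch that is not the code of the extension described here: it checks the entry name, finds the file in the store, and hands it to a separate decrypt command, so $GPG and every stock pass command stay untouched. The names STORE, OKC_DECRYPT, okc_safe_name and okc_get are hypothetical, and "okc-gpg -d" as the decrypt invocation is an assumption.

```shell
# Added example, not the extension's own code.
# Assumptions: STORE mirrors the directory pass uses for its store;
# OKC_DECRYPT holds the decrypt command plus flags ("okc-gpg -d" is assumed).
STORE="${PASSWORD_STORE_DIR:-$HOME/.password-store}"
OKC_DECRYPT="${OKC_DECRYPT:-okc-gpg -d}"

# Reject entry names that could point outside the store
# (empty, absolute, or containing a ".." path component).
okc_safe_name() {
    case "$1" in
        ""|/*|..|../*|*/..|*/../*) return 1 ;;
    esac
    return 0
}

# Decrypt one entry with the OpenKeyChain-backed command.
# Returns 2 for a rejected name, 1 for a missing entry,
# otherwise the exit status of the decrypt command.
okc_get() {
    okc_safe_name "$1" || {
        echo "okc-get: refusing entry name '$1'" >&2
        return 2
    }
    _okc_file="$STORE/$1.gpg"
    [ -f "$_okc_file" ] || {
        echo "okc-get: $1 is not in the password store" >&2
        return 1
    }
    # Word splitting of $OKC_DECRYPT is intended: command followed by flags.
    $OKC_DECRYPT "$_okc_file"
}
```

Setting OKC_DECRYPT to a harmless stub makes it possible to exercise the path checks without a smartcard or OpenKeyChain present.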
Using it
If you want to try it, you get the extension here.
You clone the repo, and you install it with:
make install
Then you want to set the OpenKeyChain key you're planning to use:
pass okc-id yourkeyid
Now that you're set up, if you want to add a new password, you do:
pass okc-insert youraccount
And if you wanna retrieve/decrypt your newly created password, you do:
pass okc-get youraccount
Apart from that you use pass the usual way.
This is very WIP (meaning it’s done mainly for myself and gets updates if I feel inspired or bored), so there is plenty of room for improvement. But it does the job.
Written by Enrico Viola
