
Password store and secret manager using age encryption. This is my attempt to replace passwordstore's use of PGP, with age encryption. I am sure there are more elegant ways to accomplish this, but it is working for my purposes.

chrisswanda/passage

passage - age based password/secrets manager

UPDATE - it appears the author of Age has forked pass to use Age as a backend, versus GPG. https://github.com/FiloSottile/passage. I have converted my personal computers/machines to use it. I am no longer going to mess with my janky version.

If you have used this project to manage passwords using Age and would like to convert over to FiloSottile's do the following:

  • delete /usr/local/bin/passage
  • copy your age pub key to .passage/store/.age-recipients
  • copy your age private key to .passage/identities
  • edit /usr/local/etc/bash_completion.d/passage_autocomplete so that your PASSWORD_STORE_DIR has /store in the path: local prefix="${PASSWORD_STORE_DIR:-$HOME/.passage/store/}"
  • follow the INSTALL
  • things should just work. Or at least on my two machines they do. If you are having issues with passage git commands, run mv ~/.passage/.git ~/.passage/store/.git and the passage git commands should use what you set up prior.

A simple password manager using age written in POSIX bash. Based on pash by dylanaraps. I forked this project from pa by biox. Also, this implementation of passage has nothing to do with the Rust-based project also named passage, which appears to be archived.

  • Automatically generates an age key if one is not detected.
  • Only ~120 LOC (minus blank lines and comments).
  • Configurable password generation using /dev/urandom.
  • Guards against set -x, ps and /proc leakage.
  • Easily extendible through the shell.
  • Ability to edit passwords using $EDITOR.

I am just a ham-fisted knucklehead and have never claimed to be a developer. I have been a long-time user of pass and have been following age for quite some time. I have been waiting for Age and Pass to get together at some point, so when I saw pa as a pass+age type password manager, I figured I would mess around with it for my own purposes.

Changes thus far for my usage are: using .passage for storage; using ~/.config/age to store my keypairs, since they are synced via my personal git repo across multiple machines, with the age-keygen output kept in a password-protected file because I do not want to sync my keypairs in plain text; and using pbcopy since I run macOS.

I'm also throwing in a few scripts that I have used in the past for age encryption and decryption, as I have integrated age into my day to day usage. The gist can be seen here also -> https://gist.github.com/chrisswanda/bc537f87df7ab958773b3dab2d8f1f44

Dependencies

  • age
  • age-keygen
  • oathtool
  • qrencode
  • git repository (optional)

Usage

Examples:

  passage show   github
  passage copy   Travel/Uber
  passage otp    Development/Github
  passage qrcode Foo/bar
  passage list
  passage add    Web/gmail
  passage edit   Finance/ETrade
  passage del    Social/Facebook
  passage git    {pull}{push}{status}

- show   [name]    - Show password for an entry.
- copy   [name]    - Copy password to clipboard. Clears in 30 seconds.
- otp    [name]    - Copy OTP to clipboard. Clears in 30 seconds.
- qrcode [name]    - Display stored otpauth:// as qrcode.
- list             - List all entries.
- add    [name]    - Create a new password, randomly generated.
- edit   [name]    - Edit a password entry with vim.
- del    [name]    - Delete a password entry.
- git    [command] - push, pull, status, add, commit

I have included something that resembles autocomplete.

$ passage {tab}
Foo/          SelectQuote/  Travel/       copy          edit          list          qrcode
Personal/     Shopping/     add           del           git           otp           show

Add this to your autocomplete directory.

$ cp passage_autocomplete /usr/local/etc/bash_completion.d/passage_autocomplete

Then you can source it:

$ source /usr/local/etc/bash_completion.d/passage_autocomplete

or add it to your ~/.bashrc:

[[ -r "/usr/local/etc/bash_completion.d/passage_autocomplete" ]] && source "/usr/local/etc/bash_completion.d/passage_autocomplete"

FAQ

Where are passwords stored?

The passwords are stored in age encrypted files located at ${XDG_DATA_HOME:=$HOME/}.passage.

If your storage directory is backed by a git repo, you can keep it synchronized using passage git {push|pull}. For my purposes I keep my .passage directory synced up with my personal git repo, and since I am the only person using it, I do not use any branching. All pushes and pulls are to the master/main branch. It works for me.

How does the copy command work?

The copy command takes the very first line of your passage entry, and copies it to your clipboard.

For example, here is an entry for Foo/bar:

$ passage show Foo/bar
Enter passphrase for identity file "{your age private key location}":
4cWLle2RB2hPDFMkw
login: my_user_name
URL: www.example.com
Notes: free form notes
otpauth://totp/ACME%20Co:[email protected]?secret=HXDMVJECJJWSRB3HWIZR4IFUGFTMXBOZ&issuer=ACME%20Co&algorithm=SHA1&digits=6&period=30

Recovery keys:
blah
cruft
things

When you run the copy command:

$ passage copy Foo/bar
Enter passphrase for identity file "{your age private key location}":
Clearing clipboard in 30 seconds.

$ 4cWLle2RB2hPDFMkw
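As an added illustration (not code from passage itself), here is the first-line behaviour of copy written out in plain sh, including the 30-second clear; pw_copy, first_line and clip_cmd are assumed names, and the sample entry is constructed for the demo.

```shell
# Added example, not passage's own code: the first-line behaviour of "copy"
# in plain sh. pw_copy, first_line and clip_cmd are assumed names; the
# sample entry below is constructed and contains no real secret.

SAMPLE_ENTRY='4cWLle2RB2hPDFMkw
login: my_user_name
URL: www.example.com
Notes: free form notes'

# Print the first line of stdin with no trailing newline. -r keeps
# backslashes, IFS= keeps leading/trailing blanks, and the || clause still
# accepts a final line that lacks a newline terminator.
first_line() {
    IFS= read -r line || [ -n "$line" ] || return 1
    printf '%s' "$line"
}

# Pick the clipboard writer: pbcopy on macOS, xclip on X11 Linux.
clip_cmd() {
    if command -v pbcopy >/dev/null 2>&1; then
        echo "pbcopy"
    elif command -v xclip >/dev/null 2>&1; then
        echo "xclip -selection clipboard"
    else
        return 1
    fi
}

# pw_copy ENTRY.age IDENTITY: decrypt the entry, keep only line 1, put it on
# the clipboard and wipe the clipboard 30 seconds later.
pw_copy() {
    entry=$1
    identity=$2
    clip=$(clip_cmd) || { echo "no clipboard tool found" >&2; return 1; }

    # A passphrase-protected identity makes age prompt on the terminal, which
    # is the "Enter passphrase for identity file" line shown above.
    secret=$(age -d -i "$identity" "$entry" | first_line) || return 1

    # The secret travels through a pipe, never as an argument, so it cannot be
    # read from ps output or /proc/*/cmdline. $clip is unquoted on purpose so
    # that the xclip option string splits into words.
    printf '%s' "$secret" | $clip
    echo "Clearing clipboard in 30 seconds."

    # Detached subshell replaces the clipboard with empty input after 30 s
    # (assumed to clear for both tools).
    ( sleep 30; : | $clip ) >/dev/null 2>&1 &
}
```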

How do I change the password store location?

Set the environment variable PASSAGE_DIR to a directory.

# Default: '~/.passage'.
export PASSAGE_DIR=~/.passage

Or you can set it to whatever directory you want:

export PASSAGE_DIR=~/.local/some_other_dir

Any other environment variables?

You can change the password length:

# Password length
export PASSAGE_LENGTH=21

And you can set the characters used for generated passwords:

# Password pattern
export PASSAGE_PATTERN=_A-Z-a-z-0-9
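As an added example (not passage's own source), here is a stand-alone generator that honours PASSAGE_LENGTH and PASSAGE_PATTERN, plus a checker for the result. The tr/dd pipeline follows the pash/pa approach passage is forked from; pw_gen, pw_check and the defaults of 21 characters and the pattern above are this example's own assumptions.

```shell
# Added example, not passage's own source: a password generator that honours
# PASSAGE_LENGTH and PASSAGE_PATTERN. The tr/dd pipeline follows the pash/pa
# approach; pw_gen, pw_check and the defaults are assumptions of this example.

pw_gen() {
    length="${PASSAGE_LENGTH:-21}"
    pattern="${PASSAGE_PATTERN:-_A-Z-a-z-0-9}"

    # LC_ALL=C makes tr work on single bytes; -dc deletes every byte that is
    # NOT in the pattern, so each surviving byte is a uniform pick from the
    # allowed set (rejection sampling, so no modulo bias). dd with ibs=1
    # stops after exactly $length bytes; its stderr is only the
    # "records in/out" summary, which is why it is silenced.
    LC_ALL=C tr -dc "$pattern" < /dev/urandom | dd ibs=1 obs=1 count="$length" 2>/dev/null
    printf '\n'
}

# pw_check CANDIDATE returns 0 when the candidate has the configured length
# and contains only characters from the configured pattern, 1 otherwise.
pw_check() {
    candidate=$1
    length="${PASSAGE_LENGTH:-21}"
    pattern="${PASSAGE_PATTERN:-_A-Z-a-z-0-9}"

    [ "${#candidate}" -eq "$length" ] || return 1
    # Delete every allowed character; anything left over is a violation.
    leftover=$(printf '%s' "$candidate" | LC_ALL=C tr -d "$pattern")
    [ -z "$leftover" ]
}
```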

How can I rename my passwords?

You can just drop into your $PASSAGE_DIR and rename the file:

$ mv test_file.age new_test_file.age

Your passwords are just files stored in a directory, so use any POSIX commands that you would use to manage files normally. Do not forget to keep the *.age extension on your files.

How can I extend passage?

A shell function can be used to add new commands and functionality to passage. The following example adds passage git to execute git commands on the password store. Because it is a function rather than a separate script, the cd inside it also changes the working directory of your interactive shell.

passage() {
    case $1 in
        # Any sub-command starting with "g" (git) runs git inside the store.
        g*)
            # Same default directory passage itself uses; stop if the cd
            # fails rather than running git wherever the shell happens to be.
            cd "${PASSAGE_DIR:=${XDG_DATA_HOME:=$HOME/}.passage}" || return 1
            shift
            git "$@"
        ;;

        # Everything else goes to the real passage binary, bypassing this function.
        *)
            command passage "$@"
        ;;
    esac
}

What if I want to try out your version of passage?

Just note that I made this for my macOS environment. If you are on Linux instead, you will need to make a few tweaks.

  • For pw_edit(), I am copying to mktemp since macOS does not have a /dev/shm and I sure as hell don't want to make a ram drive.
  • For pw_copy(), I am using pbcopy. For your linux environment, you can use xclip.
  • I am using a password-protected private key for my age credentials. Granted, my hard drive is encrypted and if someone is on my local machine, I have bigger issues. But, since I sync ~/.config/age to my personal git repo, I figured I might as well keep this key protected since age does not offer forward security. To generate your password-protected age credentials, use age-keygen | age -p > private_key:
    age-keygen | age -p > ~/.config/age/username.priv.key

    Public key: age16wm8r7a6hzghjcqpze4302jwthvwrux46ud78zj9fsjn4c9eyp3qljm0gn
    Enter passphrase (leave empty to autogenerate a secure one): xxxxxxxx
    Confirm passphrase: xxxxxxxx

I take the output of my public key and put it into a file named username.pub.key and put it in my ~/.config/age directory.

echo "age16wm8r7a6hzghjcqpze4302jwthvwrux46ud78zj9fsjn4c9eyp3qljm0gn" > ~/.config/age/username.pub.key
