PASS setup
It's now time to configure pass, the credentials manager.
Tomb file for pass
I want to force pass to store its pass-files in a tomb-file. I create the tomb-file by setting these global vars:
IDENTITY="joe"
RECIPIENT="joe@foo.bar"
LABEL="cabal"
TOMBID="${IDENTITY}-${LABEL}"
SIZE=50
then opening the GPG tomb with:
risks open gpg ${IDENTITY}
and following the standard tomb-creation procedure.
Don't change ${TOMBID} or risks won't work as expected.
Initialize password-store
Once the tomb-file creation is over I open it with:
risks open pass ${IDENTITY}
and I initialize the password repository (~/.password-store):
pass init ${RECIPIENT}
Notice: ${RECIPIENT} is the email used for the GPG configuration, which in this case acts as the GPG key identifier. pass init records it in ~/.password-store/.gpg-id and every entry is encrypted to that key, so it must resolve to exactly one key in the identity's keyring.
I can now start using pass and save my website credentials (or any kind of note) with it. Check man pass for more details.
This is just a sample of what a pass-file looks like:
123#stha36ea93-1
---
domain: www.reddit.com
username: joe@foo.bar
url: https://www.reddit.com
Notice: the password is always saved on the first line of the file. This is the pass convention: it is the line that pass show -c (or pass -c) copies to the clipboard, so anything else (notes, username, url) goes below it.
pass-split configuration
There is the option to configure some other AppVM to use pass in split mode, the same way as for GPG.
The pass-split project is hosted at https://github.com/Rudd-O/qubes-pass and I need to download it. So in joe-devq:
git clone https://github.com/Rudd-O/qubes-pass.git
cd qubes-pass
Now I copy the files to the relevant machines:
These are for vault:
qvm-copy etc/qubes-rpc/ruddo.PassRead # I select vault
qvm-copy etc/qubes-rpc/ruddo.PassManage # I select vault
and these are for debian-10-dev (joe-devq template):
qvm-copy bin/* # I select _debian-10-dev_ template
vault configuration
sudo mv ~/QubesIncoming/<git AppVM>/ruddo.* /etc/qubes-rpc/
Note: in a template-based AppVM /etc is not persistent across reboots, so if vault is not a standalone VM these two RPC handlers have to be installed in vault's template instead (or re-copied at boot from /rw/config/rc.local).
dom0 configuration
Dom0 is then configured to ask for confirmation both for read and write requests. The dollar signs must be escaped (or the text single-quoted all the way into the file), otherwise the shell started by sh -c expands the unset variable $anyvm and the policy line degrades to a bare "ask":
sudo sh -c 'echo "\$anyvm \$anyvm ask" > /etc/qubes-rpc/policy/ruddo.PassManage'
sudo sh -c 'echo "\$anyvm \$anyvm ask" > /etc/qubes-rpc/policy/ruddo.PassRead'
Eventually, if I really trust joe-devq and myself, I can authorize joe-devq by default. Qubes policies are first-match, so the allow rule must be written before the catch-all ask rule:
sudo sh -c 'echo "joe-devq vault allow" > /etc/qubes-rpc/policy/ruddo.PassManage'
sudo sh -c 'echo "\$anyvm \$anyvm ask" >> /etc/qubes-rpc/policy/ruddo.PassManage'
sudo sh -c 'echo "joe-devq vault allow" > /etc/qubes-rpc/policy/ruddo.PassRead'
sudo sh -c 'echo "\$anyvm \$anyvm ask" >> /etc/qubes-rpc/policy/ruddo.PassRead'
A small convenience: "ask,default_target=vault" instead of "ask" preselects vault in the confirmation dialog, so a mistaken click is less likely to route a request to the wrong qube.
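The following script is an added example, not part of the original post or of the qubes-pass project. It writes the two policy files with correct quoting and with the allow rule ahead of the catch-all, and it shows why the naive sh -c 'echo $anyvm ...' form silently produces a broken policy. POLICY_DIR is an assumption introduced for the example so it can run in a scratch directory; on a real dom0 it would be /etc/qubes-rpc/policy. The functions are hypothetical helpers, not commands that exist in Qubes.

```shell
#!/bin/sh
# Added example (not from the original post): generate qubes-pass policies
# for dom0 with correct quoting and first-match ordering.
# POLICY_DIR is an assumption for the example; real dom0 uses /etc/qubes-rpc/policy.
set -eu

POLICY_DIR="${POLICY_DIR:-$(mktemp -d)}"

# The pitfall on a typical first attempt: inside sh -c the inner shell expands
# the unset variable $anyvm to nothing, so the line written is just "ask".
broken_policy_line() {
    sh -c 'echo $anyvm $anyvm ask'
}

# Correct form. $1 = service name (ruddo.PassRead or ruddo.PassManage),
# $2 = optional AppVM that may use vault without a confirmation prompt.
# Prints the path of the file it wrote.
write_pass_policy() {
    service="$1"
    trusted="${2:-}"
    file="$POLICY_DIR/$service"
    : > "$file"
    # First match wins, so the allow rule has to come before the catch-all.
    if [ -n "$trusted" ]; then
        printf '%s vault allow\n' "$trusted" >> "$file"
    fi
    # Single quotes keep the dollar signs literal; default_target preselects
    # vault in the Qubes confirmation dialog.
    printf '$anyvm $anyvm ask,default_target=vault\n' >> "$file"
    printf '%s\n' "$file"
}

# Sanity check: a line starting with "ask" means the source/target got lost.
policy_ok() {
    ! grep -q '^ask' "$1"
}

# Usage (dry run into the scratch dir unless POLICY_DIR is set):
write_pass_policy ruddo.PassManage joe-devq
write_pass_policy ruddo.PassRead   joe-devq
```

Run it once with POLICY_DIR unset to inspect the output in the temp directory, then point POLICY_DIR at the real policy directory (as root) once the contents look right.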
template configuration
In debian-10-dev
sudo mv ~/QubesIncoming/<git AppVM>/qubes-pass-client /usr/bin/
sudo mv ~/QubesIncoming/<git AppVM>/qvm-pass /usr/bin/
sudo chmod +x /usr/bin/qubes-pass-client
sudo chmod +x /usr/bin/qvm-pass
sudo shutdown -P 0
joe-devq configuration
I have a hard time remembering all these scripts, so I create an alias that lets me type pass instead of qvm-pass in joe-devq. The first line tells qubes-pass which qube holds the password store:
sudo sh -c 'echo "vault" > /rw/config/pass-split-domain'
echo 'alias pass="qvm-pass"' >> ~/.bash_aliases
sudo shutdown -P 0
Usage
In order to be able to use pass in joe-devq:
- I turn on vault
- I attach the hush partition from dom0 to vault (attach_hush_to)
- I open a terminal in vault and type:
risks mount hush
risks open gpg ${IDENTITY}
risks open pass ${IDENTITY}
or
risks mount hush
risks open identity ${IDENTITY} # this opens GPG, pass (and ssh) in one shot
Then I open a terminal in joe-devq and I use pass without any difference from the usual behavior, except for the fact that each time I use it I have to clear the Qubes confirmation pop-up.