Pass: Difference between revisions

From ICO wiki

Revision as of 11:26, 29 April 2017

Introduction

Pass is a very simple password store that keeps passwords inside gpg2 encrypted files inside a simple directory tree residing at ~/.password-store.

The pass utility provides a series of commands for manipulating the password store, allowing the user to add, remove, edit, synchronize, generate, and manipulate passwords.

Syntax

pass [COMMAND] [OPTIONS] [ARGS]

Commands

If no COMMAND is specified, COMMAND defaults to either show or ls, depending on the type of specifier in ARGS. Alternatively, if PASSWORD_STORE_ENABLE_EXTENSIONS is set to "true", and the file .extensions/COMMAND.bash exists inside the password store and is executable, then it is sourced into the environment, passing any arguments and environment variables. Extensions existing in a system-wide directory, only installable by the administrator, are always enabled. Otherwise COMMAND must be one of the valid commands listed below.

Several of the commands below rely on or provide additional functionality if the password store directory is also a git repository. If the password store directory is a git repository, all password store modification commands will cause a corresponding git commit. Sub-directories may be separate nested git repositories, and pass will use the inner-most directory relative to the current password. See the EXTENDED GIT EXAMPLE section for a detailed description using init and git(1). The init command must be run before other commands in order to initialize the password store with the correct gpg key id. Passwords are encrypted using the gpg key set with init. There is a corresponding bash completion script for use with tab completing password names in bash.


init [ --path=sub-folder, -p sub-folder ] gpg-id...

Initialize new password storage and use gpg-id for encryption. Multiple gpg-ids may be specified, in order to encrypt each password with multiple ids. This command must be run first before a password store can be used. If the specified gpg-id is different from the key used in any existing files, these files will be reencrypted to use the new id. Note that use of gpg-agent(1) is recommended so that the batch decryption does not require as much user intervention. If --path or -p is specified, along with an argument, a specific gpg-id or set of gpg-ids is assigned for that specific sub folder of the password store. If only one gpg-id is given, and it is an empty string, then the current .gpg-id file for the specified sub-folder (or root if unspecified) is removed.


ls subfolder

List names of passwords inside the tree at subfolder by using the tree(1) program. This command is alternatively named list.


grep search-string

Searches inside each decrypted password file for search-string, and displays each line containing the matched string along with the filename. Uses grep(1) for matching. Make use of the GREP_OPTIONS environment variable to set particular options.


find pass-names...

List names of passwords inside the tree that match pass-names by using the tree(1) program. This command is alternatively named search.


show [ --clip[=line-number], -c[line-number] ] [ --qrcode[=line-number], -q[line-number] ] pass-name

Decrypt and print a password named pass-name. If --clip or -c is specified, do not print the password but instead copy the first (or otherwise specified) line to the clipboard using xclip(1) and then restore the clipboard after 45 (or PASSWORD_STORE_CLIP_TIME) seconds. If --qrcode or -q is specified, do not print the password but instead display a QR code using qrencode(1) either to the terminal or graphically if supported.


insert [ --echo, -e | --multiline, -m ] [ --force, -f ] pass-name

Insert a new password into the password store called pass-name. This will read the new password from standard in. If --echo or -e is not specified, disable keyboard echo when the password is entered and confirm the password by asking for it twice. If --multiline or -m is specified, lines will be read until EOF or Ctrl+D is reached. Otherwise, only a single line from standard in is read. Prompt before overwriting an existing password, unless --force or -f is specified. This command is alternatively named add.


edit pass-name

Insert a new password or edit an existing password using the default text editor specified by the environment variable EDITOR or using vi(1) as a fallback. This mode makes use of temporary files for editing, but care is taken to ensure that temporary files are created in /dev/shm in order to avoid writing to difficult-to-erase disk sectors. If /dev/shm is not accessible, fall back to the ordinary TMPDIR location, and print a warning.


generate [ --no-symbols, -n ] [ --clip, -c ] [ --in-place, -i | --force, -f ] pass-name [pass-length]

Generate a new password using /dev/urandom of length pass-length (or PASSWORD_STORE_GENERATED_LENGTH if unspecified) and insert into pass-name. If --no-symbols or -n is specified, do not use any non-alphanumeric characters in the generated password. The character sets used in generating passwords can be changed with the PASSWORD_STORE_CHARACTER_SET and PASSWORD_STORE_CHARACTER_SET_NO_SYMBOLS environment variables, described below. If --clip or -c is specified, do not print the password but instead copy it to the clipboard using xclip(1) and then restore the clipboard after 45 (or PASSWORD_STORE_CLIP_TIME) seconds. If --qrcode or -q is specified, do not print the password but instead display a QR code using qrencode(1) either to the terminal or graphically if supported. Prompt before overwriting an existing password, unless --force or -f is specified. If --in-place or -i is specified, do not interactively prompt, and only replace the first line of the password file with the new generated password, keeping the remainder of the file intact.


rm [ --recursive, -r ] [ --force, -f ] pass-name

Remove the password named pass-name from the password store. This command is alternatively named remove or delete. If --recursive or -r is specified, delete pass-name recursively if it is a directory. If --force or -f is specified, do not interactively prompt before removal.


mv [ --force, -f ] old-path new-path

Renames the password or directory named old-path to new-path. This command is alternatively named rename. If --force is specified, silently overwrite new-path if it exists. If new-path ends in a trailing /, it is always treated as a directory. Passwords are selectively reencrypted to the corresponding keys of their new destination.


cp [ --force, -f ] old-path new-path

Copies the password or directory named old-path to new-path. This command is alternatively named copy. If --force is specified, silently overwrite new-path if it exists. If new-path ends in a trailing /, it is always treated as a directory. Passwords are selectively reencrypted to the corresponding keys of their new destination.
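Because init --path assigns different gpg-ids to sub-folders, and mv and cp reencrypt to the keys of the destination, it is worth checking which .gpg-id governs each entry. The script below is an added example, not part of the original page or of pass itself; the function names and key ids are made up, and the nearest-ancestor .gpg-id lookup is an assumption about how pass selects recipients.

```shell
#!/bin/sh
# Added example: report which .gpg-id file governs each entry of a password
# store, i.e. which key ids each entry is meant to be encrypted to.

# effective_gpg_id_file STORE PASS_NAME
# Walk up from the entry's folder to the store root and print the first
# .gpg-id found. Returns 1 if there is none, 2 if PASS_NAME contains "..".
effective_gpg_id_file() {
    store=${1%/}
    case "/$2/" in */../*) return 2 ;; esac   # refuse names that leave the store
    dir=$(dirname "$store/$2")
    while :; do
        case $dir in "$store"|"$store"/*) ;; *) return 1 ;; esac
        if [ -f "$dir/.gpg-id" ]; then
            printf '%s\n' "$dir/.gpg-id"
            return 0
        fi
        [ "$dir" = "$store" ] && return 1
        dir=${dir%/*}
    done
}

# effective_recipients STORE PASS_NAME
# Print the key ids (one per line) from the governing .gpg-id file.
effective_recipients() {
    f=$(effective_gpg_id_file "$1" "$2") || return
    grep -v '^[[:space:]]*$' "$f"
}

# audit_store STORE
# Print "pass-name<TAB>id,id,..." for every *.gpg entry, skipping .git.
audit_store() {
    root=${1%/}
    find "$root" -name .git -prune -o -type f -name '*.gpg' -print |
    LC_ALL=C sort |
    while IFS= read -r path; do
        name=${path#"$root"/}
        name=${name%.gpg}
        ids=$(effective_recipients "$root" "$name" | paste -sd, -)
        printf '%s\t%s\n' "$name" "${ids:-NO-GPG-ID}"
    done
}

# Constructed sample store (key ids are made up): the root is assigned to
# alice, the team/ sub-folder to alice and bob, as "pass init -p team ..."
# would arrange. The .gpg files are empty placeholders, not real ciphertext.
make_sample_store() {
    s=$(mktemp -d) || return
    mkdir -p "$s/team/db" "$s/personal"
    printf 'alice@example.org\n' > "$s/.gpg-id"
    printf 'alice@example.org\nbob@example.org\n' > "$s/team/.gpg-id"
    : > "$s/personal/mail.gpg"
    : > "$s/team/db/prod.gpg"
    printf '%s\n' "$s"
}

# Demo run on the constructed store.
demo=$(make_sample_store) && audit_store "$demo" && rm -rf "$demo"
```

Run against a real store with audit_store ~/.password-store; an entry reported under a wider recipient set than expected shows that its sub-folder has no .gpg-id of its own.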


git git-command-args...

If the password store is a git repository, pass git-command-args as arguments to git(1) using the password store as the git repository. If git-command-args is init, in addition to initializing the git repository, add the current contents of the password store to the repository in an initial commit. If the git config key pass.signcommits is set to true, then all commits will be signed using user.signingkey or the default git signing key. This config key may be turned on using:

pass git config --bool --add pass.signcommits true

Summary

Author

Name: Oliver Rahula
Group: C11
Date: 23.04.2017

Sources