Pass, pass-otp and nitrokey?

pass already supports GPG keys on a token like the Nitrokey. I guess the plugins like pass-otp do too.

`pass init <gpg_key_in_hex>` initializes a new password store and protects it with that key, which may be a regular gpg key or one on a token. You just need to load the key into gpg-agent.


That sounds great! Any “newbie” step-by-step guide out there? How to set it up, how to use it, how to back it up to new machines and set it up with the Nitrokey? Yeah, I would use pass any day before KeePass2! Thank you!

Can I use HOTP in the Nitrokey and paste it into pass, or how do I set it up? Why is there no guide on this site already? There is a KeePass guide already…

Do you mean something like this, and that I should paste it into TOTP on the Nitrokey?

I’m not a coder. Any computer guide for “dummies” out there on how to use this with the Nitrokey? Do I need the pass-otp plugin and then use those codes in the Nitrokey?

OK, now I saw that I get some key in hex… Yeah, I could just copy that in instead of the base32, you are right… Need to find some good guide and try it.
Yeah, this is for advanced users…

I can try it out though.

The hex key ID or your email address just needs to match the gpg key on your token. Via gpg-agent you then decrypt the credentials in pass using your token.

Please be aware that you also need to safeguard your public key, as it cannot be recreated from the data on the token.


Any step-by-step guide? I’m too tired for this right now… Can I use the guide I linked earlier?
I still don’t get why there is a KeePass guide here and not one for pass and a Nitrokey on their site. Thanks

```
$ gpg --card-status
Reader ...........: Nitrokey Nitrokey Start (FSIJ-1.2xxx-xxx) 00 00
Application ID ...: D27xxx
Application type .: OpenPGP
Version ..........: 2.0
Manufacturer .....: unmanaged S/N range
Serial number ....: xxx
Name of cardholder: [not set]
Language prefs ...: [not set]
Salutation .......: 
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: not forced
Key attributes ...: rsa2048 rsa2048 rsa2048
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 3 3
Signature counter : 4
KDF setting ......: off
Signature key ....: AF45 BC55 0B79 2328 FDA8  FDDF 52C4 7BAA 4A43 C43D
      created ....: 2022-06-15 10:32:37
Encryption key....: D214 2C33 7BB8 BCD1 A408  BCE6 9DB9 9182 D416 D26A
      created ....: 2022-06-15 10:32:37
Authentication key: 8457 9611 C3FE 28D0 5069  5B06 2320 EE45 DDBF A285
      created ....: 2022-06-15 10:32:37
General key info..: pub  rsa2048/52C47BAA4A43C43D 2022-06-15 nku demo key <>
sec>  rsa2048/52C47BAA4A43C43D  created: 2022-06-15  expires: never     
                                card-no: FFFE xxx
ssb>  rsa2048/2320EE45DDBFA285  created: 2022-06-15  expires: never     
                                card-no: FFFE xxx
ssb>  rsa2048/9DB99182D416D26A  created: 2022-06-15  expires: never     
                                card-no: FFFE xxx

$ gpg -k
gpg: checking the trustdb
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
pub   rsa2048 2022-06-15 [SC]
uid           [ultimate] nku demo key <>
sub   rsa2048 2022-06-15 [A]
sub   rsa2048 2022-06-15 [E]

$ pass --version
= pass: the standard unix password manager =
=                                          =
=                  v1.7.4                  =
=                                          =
=             Jason A. Donenfeld           =
=                 =
=                                          =
=       =

$ pass init AF45BC550B792328FDA8FDDF52C47BAA4A43C43D
mkdir: created directory '/home/nku/.password-store/'
Password store initialized for AF45BC550B792328FDA8FDDF52C47BAA4A43C43D

$ pass generate
mkdir: created directory '/home/nku/.password-store/'
The generated password for is:

$ pass
Password Store
    `-- nku

$ tree ~/.password-store/
    └── nku.gpg

1 directory, 1 file

$ pass show

$ pass otp insert --secret --issuer
Enter secret for this token: GZ4FORKTNBVFGQTFJJGEIRDOKY
Retype secret for this token: GZ4FORKTNBVFGQTFJJGEIRDOKY
Insert into [y/N] y
mkdir: created directory '/home/nku/.password-store/'

$ pass otp
```

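The demo token above is entered into pass-otp as a base32 secret (the `GZ4F…` string), while the Nitrokey App expects the same secret in hex, which is what the earlier post noticed. The script below is an added example, not from the thread and not code from the pass-otp or Nitrokey projects: it pulls the secret out of the `otpauth://` URI that pass-otp stores in the entry, converts it between base32 and hex, and computes HOTP/TOTP codes from it with openssl. The `otpauth://` URI in the demo section is constructed from the secret shown above; all function names are this example's own, and the only dependencies are POSIX sh, coreutils (`base32`, `od`, `cut`) and `openssl`.

```shell
#!/bin/sh
# Added example (not from the forum thread or the pass-otp/Nitrokey projects):
# convert a pass-otp base32 secret to the hex form the Nitrokey App asks for
# and back, and compute HOTP (RFC 4226) / TOTP (RFC 6238) codes from it.
set -eu

# pass-otp keeps an otpauth:// URI in the entry; extract its secret= parameter.
secret_from_otpauth() {                # $1 = otpauth://totp/label?secret=...&issuer=...
    printf '%s\n' "$1" | sed -n 's/.*[?&]secret=\([^&]*\).*/\1/p'
}

# Base32 (what QR codes and pass-otp carry) -> lowercase hex (what the Nitrokey App wants).
b32_to_hex() {                         # $1 = base32 secret; spaces and padding optional
    s=$(printf '%s' "$1" | tr -d ' =' | tr 'a-z' 'A-Z')
    pad=$(( (8 - ${#s} % 8) % 8 ))
    while [ "$pad" -gt 0 ]; do s="$s="; pad=$((pad - 1)); done   # base32 -d insists on padding
    printf '%s' "$s" | base32 -d | od -An -v -tx1 | tr -d ' \n'
}

# Raw bytes from a hex string using only printf octal escapes (no xxd required).
hex_to_bin() {                         # $1 = hex string of even length
    h=$1
    while [ -n "$h" ]; do
        printf "\\$(printf '%03o' "0x$(printf '%.2s' "$h")")"
        h=${h#??}
    done
}

# The reverse direction, e.g. to paste a hex secret from the card into pass-otp.
hex_to_b32() {                         # $1 = hex string
    hex_to_bin "$1" | base32 | tr -d '=\n'
}

# HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation.
hotp() {                               # $1 = secret hex, $2 = counter, $3 = digits (default 6)
    digits=${3:-6}
    mac=$(hex_to_bin "$(printf '%016x' "$2")" \
          | openssl dgst -sha1 -mac HMAC -macopt "hexkey:$1" | awk '{print $NF}')
    last=${mac#"${mac%?}"}             # low nibble of the last MAC byte is the offset
    offset=$((0x$last))
    chunk=$(printf '%s' "$mac" | cut -c "$((2 * offset + 1))-$((2 * offset + 8))")
    code=$(( 0x$chunk & 0x7fffffff ))
    mod=1; i=0
    while [ "$i" -lt "$digits" ]; do mod=$((mod * 10)); i=$((i + 1)); done
    printf "%0${digits}d\n" $((code % mod))
}

# TOTP: HOTP with counter = floor(unix_time / step).
totp() {                               # $1 = secret hex, $2 = unix time (default now), $3 = step (30), $4 = digits (6)
    hotp "$1" $(( ${2:-$(date +%s)} / ${3:-30} )) "${4:-6}"
}

# Walk-through with the thread's demo token (invoke as: sh otp.sh demo).
if [ "${1:-}" = demo ]; then
    uri='otpauth://totp/nku?secret=GZ4FORKTNBVFGQTFJJGEIRDOKY&issuer=nku'   # constructed from the post's secret
    b32=$(secret_from_otpauth "$uri")
    hex=$(b32_to_hex "$b32")
    echo "base32 (pass-otp):  $b32"
    echo "hex (Nitrokey App): $hex"
    echo "current TOTP:       $(totp "$hex")"   # anyone holding the secret gets the same code
fi
```

Run `sh otp.sh demo` to see both forms of the secret and the current code. The last line is the point the thread makes later on: the secret is the whole credential, so whoever copies the decrypted entry, or the hex pasted into the Nitrokey App, can mint codes exactly as the card does.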

You are awesome! :slight_smile: I read that just at the right time, now that I’m setting it up. Peace and thanks!

This is the best password manager I have ever tried!!! :slight_smile: Combined with the Nitrokey. Sweet.
pass is brilliant! It just beats KeePass with its simplicity and no errors, and it has way stronger encryption.

It’s the only password manager you will ever really have to have…
So I can also just paste the pass otp I borrow from onto the Nitrokey as a token, and then save that token as a backup if I switch computers and so on? Then it’s a really secure password manager! And you could back it up to different keys if you wanted…
Even having 2FA on one, and keys on another if you wanted, but that seems “overkill” to me.
Gotta learn how to back up passwords and restore them and so on, though… On other computers.
Thanks for your help!

A few questions… When the key is in and the database is unlocked… Could the thief/attacker download the keys unencrypted then? Or would he get the files, but need to decrypt them on his/her machine?
How easily can passwords be stolen? How hard can you make it if someone hacks your machine… Plus you need to take backups of the tree `~/.password-store/`, right, for all machines? Do you usually unplug the key after you have used the passwords, for security? Thanks!

The password manager pass stores all data gpg-encrypted at rest. Accessing the data requires unlocking the gpg key. The passphrase gets cached for some time (AFAIR 600 seconds; the timer resets on use).

Your Nitrokey passphrase is verified via scdaemon CHECKPIN on the card and cached with gpg-agent. The most secure way is unplugging the Nitrokey. `killall -s HUP gpg-agent` lets gpg-agent forget the entered passphrase. Killing gpg-agent should also work: `gpgconf --kill gpg-agent`.

If you decide to print the password to the screen, it could be added to the backlog buffer of your terminal and written to disk (some terminals have that as a feature, to scroll back through previous sessions or large output, and might write that to disk).

When you copy/paste passwords, they could be recorded by convenience tools like gpaste that give access to a clipboard history. Other tools also have access to the clipboard and may read copied passwords.

Having a second-factor token that cannot be copied is considered a plus by some users and for some use cases. Everyone who has access to your OTP secret can generate valid OTP codes.

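The reply above names the two places an unlocked password lingers on a compromised or shared machine: the gpg-agent cache and the clipboard. The fragment below is an added example configuration, not from the thread and not the pass or GnuPG projects' own defaults; the numbers are suggestions to adapt, chosen to be shorter than what GnuPG ships with.

```conf
# ~/.gnupg/gpg-agent.conf  (added example; the values are suggestions, not the page's)
# Seconds a cached passphrase survives after its last use. GnuPG's default is 600,
# the figure quoted in the reply above; 60 shortens the window a walk-up attacker gets.
default-cache-ttl 60
# Hard limit on the lifetime of a cache entry regardless of use (GnuPG default: 7200).
max-cache-ttl 600
```

Apply it with `gpgconf --reload gpg-agent`, which sends the same SIGHUP as the `killall -s HUP gpg-agent` above and therefore also flushes whatever is already cached. For the clipboard, `pass -c name` instead of `pass show name` keeps the secret out of the terminal's scrollback and restores the previous clipboard content after `PASSWORD_STORE_CLIP_TIME` seconds (45 by default); that variable is the one to shorten, and a clipboard-history tool such as the gpaste mentioned above still has to be excluded or disabled separately, because pass cannot stop it from recording the entry while it is on the clipboard.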

OK, thanks. I could then use the Nitrokey to generate OTPs. Just paste the demo token onto the Nitrokey… that would be the safest.
But I have backed up the secret key…

How can I add that to another card? Do I wait with that, or can I do that now already? Or can I only use one card at a time? What if I drop one USB key?
What’s the best way to back up the secret key on two USB sticks, and/or what do I do if I have a new computer and want to restore the password database and the secret keys and so on?
Thanks again. Good answers!

I mean this guide…

If I have backed up the key and try to restore a backed-up key to another device from:
`gpg --edit-key --expert keyID`

I get that the key is on the first Nitrokey…
Can you even have two cards as devices for this, or do you have one at a time, and if you lose one, you need to set it all up from scratch with the sec-key?
I’m new to gpg.

You can back up the password store with the gpg-encrypted secrets (3-2-1 backup strategy), make a note of how you installed pass and the plugins, maybe even back up the ISO to install the OS and the software packages, in order to be able to install the exact same versions. As pass is very open, I doubt that the latter would be necessary, but for completeness I would back it up.

Make sure to also back up the PUBLIC key! Especially when it was created on the Nitrokey. It is a hassle/sometimes impossible to regenerate it!

The gpg key can be generated externally and stored on multiple Nitrokeys. After that, you could save the key in pass, store it somewhere safe (e.g. a self-encrypted USB key), print it out, or whatever suits your disaster recovery strategy.

Make sure not to lose the User PIN and Admin PIN for your Nitrokeys.

That should be quite safe.

I backup top-most important data on steel plates with embossed letters/digits to be safe from fire.


Haha, you take your security seriously… I like it. :wink:
Link the plates in a PM. That sounded smart! What do you mean by make an ISO? What would that look like?
Yeah, I can back up the public key also… Might have deleted it. I think I can generate it again, and if not I can start over… Just testing this system out some.
I like pass! But how do I take a backed-up sec-key.asc and make other Nitrokeys have it?
Do you do that when you create everything at the start, or can you do it later on?

Any good guides out there on how you restore everything? Yeah, I’m gonna read some. But I definitely prefer pass over KeePass. And no, I would not lose the PINs. I remember stuff like that.

Cheapest way is numbering / stamping some washers:

> What do you mean by make an ISO?

e.g. a Linux Live CD or Debian install ISO

> I like pass! But how do I take a backed-up sec-key.asc and make other Nitrokeys have it?

> And no, I would not lose the PINs. I remember stuff like that.

The scenario would be that you are not available and someone else would need to access/recover the passwords (e.g. intensive care).


Thanks for the answers!
How do I import another pass instance on another Debian machine if I have the secret.asc and the public.asc?
Just import them? Any link, or could you write how I set up pass init and my passwords if I just copy the password files from pass on one machine, and then set up gpg with privatekey.asc and publickey.asc? Thanks

You need to import your gpg key:

```
gpg --armor --export > public.asc
gpg --import public.asc
```

You could host the public key somewhere and then use `gpg --card-edit` followed by a ‘fetch’.

Then just copy over your password directory and you should be good.

Some people like to add the encrypted password store to git and use `git clone` via ssh to copy instances over. Afterwards you could commit changes and sync it with `git fetch`.


I did import both keys… But I might have initialized the new pass init wrong, I chose a random name… Now when I try to generate a password I get this:

```
gpg: user: skipped: No public key
gpg: [stdin]: encryption failed: No public key
Password encryption aborted.
```

You know what I could try now?
Do I need to init this on every computer then? `pass init <gpg_key_in_hex>`
I need to look up which key I picked last time, or if the email did work…

Now when I tried to use a key as init and generate a password, I get this instead:

```
gpg: 727randomnumbers657: There is no assurance this key belongs to the named user
gpg: [stdin]: encryption failed: Unusable public key
Password encryption aborted.
```

What do I do now? I’m gonna try to set this up later on… A step-by-step guide online would have been nice to have… How to set this up on a machine, and backup, that’s done… But to start on a new machine, I need to learn this. Thanks again for your good answers.
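Both failures in the post above come from gpg, which pass runs in batch mode to encrypt every new entry: `skipped: No public key` means the name `pass init` wrote into `.password-store/.gpg-id` matches nothing in the new machine's keyring, and `There is no assurance this key belongs to the named user` / `Unusable public key` means the key was imported but has no ownertrust, so batch-mode gpg refuses to encrypt to it. The script below is an added example, not from the thread and not pass's or GnuPG's own code, for the procedure the earlier reply sketches when the private key lives on the Nitrokey: import `public.asc`, plug in the card and let `gpg --card-status` write the `sec>`/`ssb>` stubs, set ownertrust on the fingerprint, copy the store directory including its hidden `.gpg-id` (that file is what `pass init` creates, so no second `pass init` is needed), and verify with the same encrypt step pass performs. Function names, the paths and the fingerprint argument are this example's placeholders. Only `public.asc` and the store copy are needed; importing `secret.asc` into the new keyring would put the private key on that disk, which is exactly what the token avoids.

```shell
#!/bin/sh
# Added example (not from the thread, not pass's or GnuPG's own code): bring a pass
# store to a new machine when the private key stays on the Nitrokey. Reproduces the
# thread's "Unusable public key" failure and the fix (ownertrust).
set -eu

# Tell gpg the key is yours. Without this, "gpg -e" (what pass runs, in --batch mode)
# rejects the imported public key with "There is no assurance ... Unusable public key".
trust_ultimately() {          # $1 = 40-hex-digit fingerprint of the key pass was initialised with
    printf '%s:6:\n' "$1" | gpg --batch --import-ownertrust
}

# The check pass performs on every "pass insert" / "pass generate": can gpg encrypt to the key?
can_encrypt_to() {            # $1 = key id or fingerprint; exit 0 = usable, non-zero = not
    printf 'probe\n' | gpg --batch --yes --no-tty --quiet \
        --encrypt --recipient "$1" --output /dev/null 2>/dev/null
}

# Restore: public key, card stubs, trust, then the store directory with its .gpg-id.
restore_store() {             # $1 = public.asc, $2 = fingerprint, $3 = copied password-store directory
    gpg --batch --import "$1"                      # public half only; the private half stays on the card
    gpg --card-status >/dev/null 2>&1 || true      # with the Nitrokey plugged in this writes the sec>/ssb> stubs
    trust_ultimately "$2"
    mkdir -p "$HOME/.password-store"
    cp -R "$3"/. "$HOME/.password-store/"          # .gpg-id travels with the store, so no new "pass init"
    if can_encrypt_to "$2"; then
        echo "gpg can encrypt to $2; pass will work once the card is plugged in"
    else
        echo "gpg cannot encrypt to $2: compare it with $HOME/.password-store/.gpg-id" >&2
        return 1
    fi
}

# Usage on the new machine (placeholders; the fingerprint is the one from the thread's demo):
#   sh restore.sh ~/backup/public.asc AF45BC550B792328FDA8FDDF52C47BAA4A43C43D ~/backup/password-store
if [ "$#" -eq 3 ]; then
    restore_store "$1" "$2" "$3"
fi
```

The ownertrust line format is `FINGERPRINT:6:` (6 = ultimate), the same thing `gpg --edit-key FPR` followed by `trust`, `5` does interactively. If `can_encrypt_to` still fails after the trust step, the fingerprint in `.gpg-id` and the one `gpg --card-status` reports for the encryption key's primary key do not match, which is the `skipped: No public key` case.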

Is it the same keyid? If so, you could just copy over.

Yes, everything is the same… Just a copy of everything… What should I copy over exactly? And how do I set up pass init on the new machine? Could you write some steps?
Others are free to answer also, but you seem to know this in detail. Thanks

I also imported the secretkey.asc, should I not have done that? How do I set up pass on another machine if I have public.asc and secret.asc? And pass init… Got any link or some tips for a few steps? What key is on the Nitrokey? Oh… does the Nitrokey have the secret, so I should not import the secret key on the machine and in gpg?
Do you know how to set this up on other machines? I should copy the .password folder or whatever it was called… What else? Can I back up the passwords in one file or should I move the folder?