+++
title = "Unix pass and Android Password Store with YubiKey"
date = 2025-01-01
description = "Setting Up Unix pass with YubiKey and Android Password Store"
+++
Using a secure and versatile password manager is a must for managing your digital life, and pass, the Unix password manager, is a fantastic choice. If you store your GPG key on a YubiKey and use the Android Password Store app with OpenKeychain, this guide will help you set everything up while addressing a common compatibility issue with throw-keyids in gpg.conf.
What You’ll Need
- A YubiKey configured with your GPG key (see the excellent YubiKey-Guide by drduh).
- The pass command-line utility.
- OpenKeychain installed on your Android device.
- The Android Password Store app.
Configuring pass with a YubiKey-Stored GPG Key
1. Set up your YubiKey and GPG key
   - Follow the steps in drduh's YubiKey guide to create and configure your GPG key on your YubiKey.
   - The machine you run `pass` on only needs your public key and the card stubs: with the YubiKey plugged in, run `gpg --card-status` once so gpg knows which key lives on the card.

2. Install `pass`
   - Install the `pass` utility on your Linux system. Most distributions have it in their package repositories:

     ```sh
     apt install pass        # For Debian/Ubuntu-based distros
     xbps-install -S pass    # For Void Linux
     ```

3. Initialize `pass` with your GPG key
   - Run the following command to initialize the `.password-store` directory:

     ```sh
     pass init <KEYID>
     ```

   - Replace `<KEYID>` with the ID of your GPG key stored on the YubiKey. `pass` records it in `.password-store/.gpg-id` and encrypts every entry to that key.

4. Sync passwords to your Android device
   - Turn the store into a git repository with `pass git init`, add your remote with `pass git remote add origin <URL>`, and push it.
   - Clone the `.password-store` repository to your Android device and set up the Password Store app with OpenKeychain.
The throw-keyids Issue
While working through this issue, I found a helpful discussion in GitHub issue #173 for the Android Password Store repository. This thread provided insights that clarified the root cause of the problem and its resolution.
During setup, you might see an error in the Android Password Store app: OpenKeychain reports that the .gpg files are encrypted for a key it does not have, even though they were encrypted to your key. The cause is the throw-keyids option in ~/.gnupg/gpg.conf.
What Does throw-keyids Do?
The throw-keyids option in gpg.conf tells gpg to write a zeroed, wildcard key ID in the encrypted session-key packet instead of the recipient's real key ID. This enhances privacy, since anyone who obtains the file cannot tell which key it was encrypted to, but the decrypting side then has to try every secret key it holds. gpg does exactly that; OpenKeychain instead relies on the visible key ID to pick the correct decryption key, and without it, it treats the file as encrypted for an unknown key.
Fixing the Issue
To resolve this, you need to disable throw-keyids and re-encrypt your password store.
1. Comment out `throw-keyids` in `gpg.conf`
   - Open `~/.gnupg/gpg.conf` in your favorite text editor and comment out the line:

     ```
     # throw-keyids
     ```

2. Re-encrypt your password store
   - Run the following command to re-encrypt all passwords with the new GPG options:

     ```sh
     PASSWORD_STORE_GPG_OPTS="--no-throw-keyids" pass init <KEYID>
     ```

   - Replace `<KEYID>` with your GPG key ID. `pass init` decrypts and re-encrypts every entry in place, so if your YubiKey has a touch policy enabled for decryption, expect to touch it once per entry. If the store is a git repository, `pass` commits the re-encrypted files for you.

3. Optional: update your environment
   - To ensure `--no-throw-keyids` is always used, add the following line to your `~/.bashrc`:

     ```sh
     export PASSWORD_STORE_GPG_OPTS='--no-throw-keyids' # Fix for OpenKeychain
     ```

   - This step is not strictly necessary (the change in `gpg.conf` resolves the issue), but it serves as a safeguard in case `throw-keyids` is ever re-enabled in `gpg.conf`.

4. Sync the updated password store
   - Push the updated `.password-store` to your remote repository and pull it on your Android device.
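The following script is an added example (it is not part of the original post, nor code from pass or OpenKeychain). It shows what throw-keyids actually changes inside a `.gpg` file and doubles as a check after re-encryption: it walks the OpenPGP packet headers of each entry (layout per RFC 4880), pulls the 8-byte key ID out of every version 3 Public-Key Encrypted Session Key packet, and flags files where that field is all zeros. The sample messages are constructed inline and are not real captures; the store path is an assumption. The manual equivalent is `gpg --list-packets <entry>.gpg`, where a thrown key ID shows up as `keyid 0000000000000000` on the `:pubkey enc packet:` line.

```python
"""Check which recipient key IDs the .gpg files in a pass store actually carry."""
from pathlib import Path

PKESK = 1            # Public-Key Encrypted Session Key packet, RFC 4880 s5.1
SKESK = 3            # Symmetric-Key Encrypted Session Key packet, RFC 4880 s5.3
WILDCARD_KEYID = "0000000000000000"   # what throw-keyids writes in place of the key ID


def _packet_header(data, pos):
    """Return (tag, body_start, body_len) for the packet starting at data[pos].

    body_len is None for partial-body or indeterminate lengths; session-key
    packets never use those, and we stop walking before the encrypted data.
    """
    first = data[pos]
    if not first & 0x80:
        raise ValueError(f"not an OpenPGP packet header at offset {pos}")
    if first & 0x40:                          # new-format header (RFC 4880 s4.2.2)
        tag = first & 0x3F
        b1 = data[pos + 1]
        if b1 < 192:
            return tag, pos + 2, b1
        if b1 < 224:
            return tag, pos + 3, ((b1 - 192) << 8) + data[pos + 2] + 192
        if b1 == 255:
            return tag, pos + 6, int.from_bytes(data[pos + 2:pos + 6], "big")
        return tag, pos + 2, None             # partial body length
    tag = (first >> 2) & 0x0F                 # old-format header (RFC 4880 s4.2.1)
    ltype = first & 0x03
    if ltype == 3:
        return tag, pos + 1, None             # indeterminate length
    n = 1 << ltype                            # 1, 2 or 4 length octets
    return tag, pos + 1 + n, int.from_bytes(data[pos + 1:pos + 1 + n], "big")


def recipient_keyids(blob):
    """Key IDs named in the version 3 PKESK packets of one encrypted message.

    Each recipient gets its own PKESK; with throw-keyids the 8-byte key ID
    field is all zeros (the wildcard that gpg prints as keyid 0000000000000000).
    """
    keyids = []
    pos = 0
    while pos < len(blob):
        tag, start, length = _packet_header(blob, pos)
        if tag not in (PKESK, SKESK) or length is None:
            break                             # reached the encrypted data packet
        body = blob[start:start + length]
        if tag == PKESK and len(body) >= 10 and body[0] == 3:
            keyids.append(body[1:9].hex().upper())   # version octet, then key ID
        pos = start + length
    return keyids


def has_thrown_keyid(blob):
    """True if any recipient of this message was hidden with throw-keyids."""
    return WILDCARD_KEYID in recipient_keyids(blob)


def scan_store(store):
    """Return {relative path: [key IDs]} for every .gpg file under the store."""
    store = Path(store)
    return {str(p.relative_to(store)): recipient_keyids(p.read_bytes())
            for p in sorted(store.rglob("*.gpg"))}


def _pkesk(keyid):
    """Constructed v3 PKESK for an RSA recipient with a dummy 256-bit MPI (not a real key)."""
    body = b"\x03" + keyid + b"\x01" + (256).to_bytes(2, "big") + b"\xaa" * 32
    return bytes([0xC0 | PKESK, len(body)]) + body    # new-format header, one-octet length


# Constructed sample messages (not real captures): one PKESK followed by a SEIPD
# packet (tag 18) with a partial body length, the shape gpg produces when pass
# pipes a secret into it.
SAMPLE_KEYID = bytes.fromhex("1234567890ABCDEF")
_SEIPD = bytes([0xC0 | 18, 0xE9]) + b"\x00" * 512
VISIBLE_MSG = _pkesk(SAMPLE_KEYID) + _SEIPD            # normal encryption
THROWN_MSG = _pkesk(bytes(8)) + _SEIPD                 # encrypted with throw-keyids

if __name__ == "__main__":
    # Assumed store location; run after re-encrypting to confirm no entry still hides its key ID.
    for path, ids in scan_store(Path.home() / ".password-store").items():
        flag = "THROWN" if WILDCARD_KEYID in ids else "ok"
        print(f"{flag:6} {path}: {', '.join(ids) or 'no PKESK found'}")
```

Any file listed as `THROWN` was missed by the re-encryption (for example an entry added on another machine whose gpg.conf still has throw-keyids) and will fail in OpenKeychain until it is re-encrypted.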
Conclusion
With these steps, you can seamlessly use pass with a YubiKey and the Android Password Store app. The issue with throw-keyids is a minor hurdle that can be resolved by adjusting your gpg.conf and re-encrypting your password store. Disabling throw-keyids makes the recipient key ID visible in every encrypted file, so anyone who can read the repository can tell which key it is encrypted to; that slightly reduces privacy but is necessary for compatibility with OpenKeychain.
For further details on pass, GPG, or YubiKey, refer to their respective documentation. A secure password manager setup like this ensures your sensitive information stays safe across devices.