The Complete Computing Environment

Using Pass for Passwords


(These days I use Bitwarden and vaultwarden but maintain this until I'm confident that I won't need any of my "deprecated" passwords.)

(provide 'cce/pass)

I use the standard unix password manager, pass. I use the Emacs support packages for these, unsurprisingly, and I have a custom Hydra to put the keybindings to copy passwords hanging off of <SPC>k.

(use-package password-store
  :after hydra
  (setq password-store-password-length 32)
  (defhydra hydra-pass ()
    ("p" (lambda() (interactive)
           (background-shell-command "pass show"))
         :exit t)
    ("c" password-store-copy :exit t)
    ("e" password-store-edit :exit t)
    ("g" password-store-generate :exit t)
    ("o" password-store-otp-token-copy :exit t))
  :bind (:map evil-normal-state-map
         ("<SPC>k" . hydra-pass/body)))
(use-package password-store-otp
  :after password-store)
{config, pkgs, ...}:
  programs.password-store = {
    enable = true;
    package = pkgs.pass.withExtensions (exts: [ exts.pass-otp exts.pass-genphrase ]);
    settings = {
      PASSWORD_STORE_DIR = "$HOME/.password-store/";

  home.activation.password-store =
    pkgs.lib.mkActivationLocalLink config # symlink helper (ref:activation_local_link)

  home.packages = [

  programs.bash.initExtra = ''
    gpg-connect-agent /bye

  programs.browserpass.enable = true;

(activation_local_link) is a helper in mkActivationLocalLink.