Setting Up the Password Store (Pass) App to Work with Android 13+
When traveling it gives me peace of mind to have my most critically important passwords accessible outside of my browser.
Prefer video? Here it is on YouTube.
I’ve been using the pass CLI tool since around 2016 and have hundreds of passwords saved with it. If you’re looking for the basics of using it on a desktop or laptop then check out this post. This post will focus on getting it to work on Android 13+.
# Why Use a Password Manager on a Phone?
From a safety / confidence perspective under normal circumstances, saving your passwords in your device’s browser’s or app’s password storage is likely fine. Even if you get logged out you can always log back in without knowing the password.
But if you update your password on your non-mobile device now you need to manually update it again on mobile which is going to be annoying to keep in sync. I know some browsers let you sync your profiles across devices but I never enable that option.
Also, if you don’t decide to use a password manager at all, what happens if you’ve never traveled internationally and now you have an upcoming trip where lots of things are dependent on being logged into various apps on your phone?
In my opinion it’s too much of a risk to depend on just my mobile browser or the app to be able to log in again without knowing my password.
Now you could say, “well I’ll have a full backup and working `pass` CLI tool on my laptop” (assuming you’re traveling with one) and I agree. I will too, but I’ll likely leave it in a hotel for the day and it’s not impossible it decides to die at an inconvenient time.
In any case, if you’re traveling solo in very unfamiliar locations in a country where you don’t speak the native language it’s worth the extra 15 minutes to set this up for 1 extra level of redundancy.
Are you going full blown password manager or only saving the important logins?
If you’re storing your passwords in git with `pass` then it’s pretty painless to sync things up but I’m not using git which unfortunately means any reasonably new version of the mobile app won’t be able to sync all of your passwords.
However, don’t fret. I will include instructions for both methods. Really after all is said and done, only a small part of the set up process is different. Everything else is the same.
I may end up switching to git just for this ability since wanting to have passwords on my Chromebook and phone is a very recent want on my end since I’ll be traveling internationally soon. If I do, I’ll make a future post on converting `pass` to use git outside of your phone and link it here but that’s not related to this post.
This now becomes a decision point for you. Do you want to sync everything? Then use git and it’s no problem, otherwise you may want to consider creating a new password store on your mobile device that you manually manage and keep up to date which we’ll cover in this post too.
That could perhaps be your mission critical logins like email, bank, essential travel related sites for bookings, etc. I know this has the same problem of not being synced with your main device but it’s better than nothing if you don’t plan to use git.
# What’s Up with Modern Versions of Android?
The Password Store app, which is the official unofficial app for the `pass` tool on Android, was written for older versions of Android and there are security-related policies that are no longer compatible with modern versions of Android, but the app still works.
There’s a bunch of issues for this, but it’s likely not going to get resolved.
If you search the app store on your phone for “Password Store” it won’t show up but it is available if you Google for it.
We’ll get to downloading it on your mobile device in a few minutes since technically we’ll want to first set up a GPG key on your phone before using the app.
# Backup Your GPG Key
On your main machine with your GPG key and password store, run this command to get your key’s ID. In the output below, that would be the `21311...` value. This ID isn’t private information.

```
$ gpg --list-secret-keys
/home/nick/.gnupg/pubring.gpg
-----------------------------
sec   rsa4096 2014-09-21 [SC] [expires: 2024-12-01]
      2131167286E80AE77CE6B16FD2AD01A3FC57C925
uid           [ultimate] Nick Janetakis <nick.janetakis@gmail.com>
ssb   rsa4096 2014-09-21 [E] [expires: 2024-12-01]
ssb   rsa4096 2014-09-21 [S]
```
NOTE: If your key is set to expire during any travel time frames I suggest renewing it now. Of course you can do it live on your trip but why make your life unnecessarily more complicated?
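The expiry check from the note above can be scripted. This is an added example, not part of the original post: it reads gpg's machine-readable `--with-colons` listing and reports every secret key or subkey that expires on or before a cutoff date. The key IDs, the sample listing and the `TRIP_END` date are constructed placeholders.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): list secret keys and subkeys
# that expire on or before a cutoff, e.g. the last day of a trip.
#
# Input: `gpg --list-secret-keys --with-colons` on stdin. In that format,
# field 1 is the record type (sec = primary key, ssb = subkey), field 5 the
# key ID, field 7 the expiry in seconds since the epoch (empty = no expiry)
# and field 12 the capabilities (e = encrypt, used when pass writes entries).

# expiring_keys CUTOFF_EPOCH
# Prints "<type> <keyid> <capabilities> <expiry>" for every match.
expiring_keys() {
  awk -F: -v cutoff="$1" '
    ($1 == "sec" || $1 == "ssb") && $7 != "" && ($7 + 0) <= (cutoff + 0) {
      print $1, $5, $12, $7
    }'
}

# Constructed sample listing with placeholder key IDs. It mirrors the shape of
# the output above: primary key and [E] subkey expire, [S] subkey does not.
sample_listing() {
  cat <<'EOF'
sec:u:4096:1:AAAAAAAAAAAAAAAA:1411257600:1733011200::u:::scESC:::+:::23::0:
fpr:::::::::0000000000000000000000000000000000000000:
uid:u::::1411257600::0000000000000000000000000000000000000000::Example User <user@example.invalid>::::::::::0:
ssb:u:4096:1:BBBBBBBBBBBBBBBB:1411257600:1733011200:::::e:::+:::23:
ssb:u:4096:1:CCCCCCCCCCCCCCCC:1411257600::::::s:::+:::23:
EOF
}

# Constructed cutoff: 2025-01-15 00:00:00 UTC, as seconds since the epoch.
TRIP_END=1736899200

# Run against the constructed sample.
sample_listing | expiring_keys "$TRIP_END"

# Run against a real keyring (GNU date does the conversion here):
#   gpg --list-secret-keys --with-colons | expiring_keys "$(date -d 2025-01-15 +%s)"
```

Any line it prints is a key or subkey to renew before leaving; no output means nothing expires before the cutoff.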
Then run this command (replacing my ID with yours) to back up your private key to a file. The file produced is private, never share it with anyone.

```
$ gpg --export-secret-key 2131167286E80AE77CE6B16FD2AD01A3FC57C925 > secret.gpg
```
That will likely prompt you for your GPG password and take a few seconds to run. Now you have your GPG key in a format that you can import on another trusted machine such as your phone or another device.
How you transfer this file to your phone is up to you. I suggest using a flash drive to ensure the file isn’t stored in the cloud and doesn’t hit the public internet. Alternatively you can connect your phone to your device with a USB cable or Bluetooth too.
Ok, at this point it’s expected your `secret.gpg` file exists on your phone.
# Install OpenKeychain and Import Your GPG Key
We can use the OpenKeychain app to import your GPG key. You should be able to find this app on the app store (it’s free).
It’s a really nice general purpose GPG app to manage your keys and encrypt / decrypt things. It’s not directly related to the Password Store app but the pass app will use the GPG key handled by OpenKeychain.
The home page for this tool has a screenshot of the interface but I think you’ll figure it out without needing screenshots. The app is very intuitive.
Here are the steps:
- Install and open the app
- Click the `+` icon
- Choose “Import from File”
- Click the folder icon on the “Import Keys” screen
- Search your phone’s files for your `secret.gpg` key
- Select your key
At this point after it’s been imported you’ll see your key’s details on the main screen of the app (the same screen where you hit `+`). Feel free to click into your key to see its details.
You can now go back and delete your `secret.gpg` key from your phone’s file manager. The OpenKeychain app manages storing your key after it’s been imported.
# Install the Password Store App
This is the last step. As we covered earlier on in this post, we can’t install this app through the app store due to security policy changes with Android.
Instead we can download a specific version from GitHub and install the app manually. This is even suggested by a maintainer of the project.
You can download the latest release from https://github.com/android-password-store/Android-Password-Store/releases/tag/latest. At the time of writing this post that’s v2.0.X but it’s considered a pre-release. I personally used version v1.13.5 which was the latest stable release but it’s up to you.
In either case, you’ll want to download the `APS-freeRelease-X.X.X-SNAPSHOT.apk` file for your selected version. They may change their file name format in the future, but the takeaway is to get the free version of the `.apk` file.
When you try to run this file on your phone, Android may block you from installing unknown apps but it will provide a link to the settings to allow toggling that on.
Once you’ve enabled that you can install the app. Now you can run it, make a shortcut or uninstall it like any other app.
# Setup the Password Store App
Here’s a partially guided tour of using the app. Remember, I’m using v1.13.5 so these screenshots might be different with 2.0.X+. Things might look different between versions but hopefully it’s similar enough to get the gist of it.
After First Launching the App
We need to do something, so let’s go!
Deciding to Clone a Repo or Create a Local Repo
Not using git with pass?
This is easy, you can create a local repo and on the next screen choose hidden to save your new password store on your phone’s internal storage in a hidden folder. Lastly it will prompt you for your GPG key, choose the one you imported from OpenKeychain.
Also there’s no pressure here. The app lets you delete this local repo in case you want to switch to using another repo that you clone later. You can find that option in the settings which is accessed in the `...` menu after things are set up.
Using git with pass?
It’ll be expected you have a remote git repo somewhere with your password store pushed. A private repo on GitHub, GitLab or Bitbucket makes sense but it’s up to you.
Choose clone remote repo. It will prompt you for the git URL, the branch name as well as an authentication method.
I suggest using SSH. After clicking clone it will say no SSH key is found and provide you an option to generate a new SSH key. Go ahead and do that. I suggest using Ed25519 as the type and enabling the option to protect it with screen lock credentials.
After generating your key you’ll be able to choose to share it or click later. If you click share it, it lets you copy your public key to your clipboard or email it to yourself. Feel free to do whatever you need to add that public key to your remote git repo.
The reason I suggest making a new key instead of importing it is this allows you to add your mobile device’s public SSH key to your remote repo. If your phone gets stolen or compromised you can delete that SSH key. In my opinion that’s way better than putting your main machine’s SSH key on your phone and using that.
At this point I’m not sure what happens since I don’t have a git repo hooked up, but I did go at least this far just to see what would happen. If it asks you for your GPG key, do it and pick the one you imported through OpenKeychain.
Also, I’m not sure if it will prompt you to configure your git settings after cloning, such as the username and email address of the committer.
If it doesn’t prompt you for that I know that option is available in the settings of the app, you can find that by clicking the `...` in the top right once you get to the point where you see a `+` in the bottom right to begin using the app.
Beyond the settings, that `...` menu also lets you sync, pull and push to your repo so you can keep everything in sync. Nice! That should be everything or close to it for keeping things in order using git.
If it hasn’t already pulled in your passwords, go for it. Based on their documentation the synchronize option is a shortcut for `git pull --rebase origin && git push --all origin` so it looks like it does a pull and push.
# Using the App
You can click `+` to create folders or new passwords and then fill out various fields in a similar way you have used the CLI tool. You’ll figure it out.
On the screen to create a new password, click the first icon on the top right side to create it.
Once you have at least 1 entry created the app lets you access it. It will prompt you for your GPG password and let you determine how long you want to cache your GPG password (if ever).
Personally I’d probably go with 1 hour or maybe every time you access anything since you wouldn’t want someone accessing your passwords without authentication if your phone were stolen and they broke into it somehow.
This will really be a personal decision based on how you’re using it. If it’s emergencies only if you get logged out then no caching or every 1 hour is ok, but if you’re accessing the app 10 times a day and aren’t traveling then maybe every 24 hours is reasonable.
Once the password is accessed you can click the copy icon to copy it to your clipboard, view it, edit it or use it however you see fit.
On the main page listing all of your passwords you can also select 1 or more items and delete them.
That’s it! You should be all good to go to securely use passwords on your phone.
The video below mostly walks through this blog post but it’s not a live demo with a phone emulator or anything like that.
# Video Post
Timestamps
- 0:41 – Why use a password manager on a phone?
- 2:33 – Manage all passwords or just the essentials?
- 4:04 – Modern versions of Android?
- 5:57 – Backing up your main GPG key
- 8:15 – Install OpenKeychain and import your GPG key
- 10:03 – Install the Password Store app
- 12:40 – Setting up the Password store app
- 13:35 – Not using git with pass?
- 14:34 – Using git with pass?
- 18:36 – Using the Password Store app
Are you using this password manager on your phone? How did it go?