qvm-pass is a frontend for pass running in a vault VM. It is an implementation of split-pass in the spirit of split-gpg and split-ssh using the qrexec RPC interface of Qubes OS. qvm-pass aims to provide the same user interface as the original pass
command. However, the pass git
subcommand gets blocked to avoid execution of dangerous operations.
Consider combining qvm-pass with split-gpg.
This code was written in a very short time frame and hasn't had any peer review. Use at your own risk!
git clone https://github.com/mtdcr/qvm-pass
pipx install ./qvm-pass
qvm-copy qvm-pass/qubes-rpc/qubes.PasswordStoreWrite
Create policy files:
/etc/qubes-rpc/policy/qubes.PasswordStoreRead
/etc/qubes-rpc/policy/qubes.PasswordStoreWrite
Examples can be found in qubes-rpc/policy
.
sudo install -m755 ~/QubesIncoming/*/qubes.PasswordStoreWrite /etc/qubes-rpc/
sudo ln -s qubes.PasswordStoreWrite /etc/qubes-rpc/qubes.PasswordStoreRead
qvm-pass reads the name of the vault VM from ~/.config/qvm-pass/qube
. It defaults to pass-vault
.
PASSWORD_STORE_CLIP_TIME=45
PASSWORD_STORE_GENERATED_LENGTH=25
PASSWORD_STORE_X_SELECTION=clipboard
- qubes-pass - It uses a slightly modified command-line interface compared to the original
pass
command.