I can’t ACK the above. I run `pass` on all my FreeBSD laptops and on the L5, on the latter together with the OpenPGP card. I have around 350 secrets stored (browser credentials, banking, PINs, …). When I do need a secret on the L5, I run in its terminal the following (here in an SSH session for easy cut&paste to the browser where I’m typing this small demo):
$ pass test
│ Please unlock the card │
│ Number: 0005 0000A6FE │
│ Holder: Matthias Apitz │
│ PIN ******__________________________________ │
│ <OK> <Cancel> │
`secret` is what `pass test` decrypted with GnuPG.
After any usage of `pass` the OpenPGP card gets locked again, so that it can’t be stolen unlocked.
What is missing on the L5 is a plug-in for the browser, like I have it on FreeBSD with firefox. When you are on a certain URL with the browser, where credentials are required (for example your bank account) you press an icon in FF which takes the URL and asks some daemon decrypting the `pass` file, for example `~/.password-store/web/www.my-bank.com`, this in turn asks for the OpenPGP unlock PIN and when provided the plug-in gets the credentials and fills them into the browser window.
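
The URL-to-entry lookup that such a helper daemon has to get right, as an added example that is not part of the original post and not the code of any existing plug-in: it fills only on an exact HTTPS host match and refuses anything that resolves outside `web/`. Assumptions: the function names are hypothetical, the `web/<hostname>` layout is taken from the path in the post, and the store in `demo()` is constructed with an empty placeholder file.

```python
import subprocess
import tempfile
from pathlib import Path
from urllib.parse import urlsplit


def entry_for_url(url, store):
    """Return the pass entry name for url, or None if nothing should be filled."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return None
    if parts.scheme != "https":
        return None  # never fill credentials on cleartext pages
    host = (parts.hostname or "").rstrip(".")  # urlsplit already lower-cases it
    # The host becomes a file name, so allow only DNS-label characters.
    if not host or host.startswith(".") or ".." in host:
        return None
    if not all(c.isascii() and (c.isalnum() or c in "-.") for c in host):
        return None
    web = (Path(store) / "web").resolve()
    candidate = (web / (host + ".gpg")).resolve()
    # Exact host match only; a symlink leading out of web/ is refused.
    if candidate.parent != web or not candidate.is_file():
        return None
    return "web/" + host


def fetch_secret(entry):
    """Decrypt with pass; GnuPG then prompts for the card PIN as shown in the post."""
    done = subprocess.run(["pass", "show", entry],
                          capture_output=True, text=True, check=True)
    return done.stdout


def demo():
    """Constructed store with one empty placeholder entry; nothing is decrypted."""
    urls = ["https://WWW.My-Bank.com:443/login?x=1",        # exact host: filled
            "https://www.my-bank.com.evil.example/login",   # look-alike suffix
            "https://www.my-bank.com@evil.example/",        # userinfo trick
            "http://www.my-bank.com/login"]                 # cleartext
    with tempfile.TemporaryDirectory() as tmp:
        (Path(tmp) / "web").mkdir()
        (Path(tmp) / "web" / "www.my-bank.com.gpg").touch()
        return {u: entry_for_url(u, tmp) for u in urls}


if __name__ == "__main__":
    for url, entry in demo().items():
        print(url, "->", entry)
```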