
pass-tomb's Introduction

Hi there 👋

Just a French guy living in Ireland. Security researcher at The Collaboratory. Ph.D. from University College Dublin. My areas of work include user privacy, secret management and system security.

If you like my work and want me to be able to keep improving it, please sponsor me on GitHub.

Generally you can find me in many places as roddhjav: Mastodon | Twitter | Gitlab | Keybase

My projects

Pass

  • pass-audit: A pass extension for auditing your password repository. (python)
  • pass-import: A pass extension for importing data from most existing password managers. (python)
  • pass-tomb: A pass extension that helps you keep the whole tree of passwords encrypted inside a Tomb. (bash)
  • pass-update: A pass extension that provides an easy flow for updating passwords. (bash)

System Security

  • apparmor.d: Full set of AppArmor profiles (~ 1400 profiles). (go)

pass-tomb's People

Contributors

glitsj16, roddhjav


pass-tomb's Issues

Write to tomb when closing tomb

Hello, I use ownCloud to store my password tomb so that I have it available on all my machines.
I noticed that every time I close the tomb it has to be uploaded again, even if I did not change anything.
Since the tomb has changed the whole file has to be uploaded again which takes some 30 seconds on my internet connection. Is this intended behavior? Should I upload the tomb in another way?

Opening loop device multiple times results in lost data

Today I lost all my passwords on one of my synced PCs when migrating configs semi-automatically :)
As you can see -- I have a (non-obviously) redundant pass open here.

  #!/usr/bin/env bash
  # gpgid is set earlier in the script (not shown)
  set -eu
  tmp=~/.password-store_tmp
  [[ -d ~/.password-store ]] && mv -vT ~/.password-store "$tmp"
  pass tomb "$gpgid" --timer=2h   # creates the tomb and leaves it open
  pass open                       # opens it a second time: second loop device
  pass git init
  [[ -d $tmp ]] && cp -aT "$tmp"/. ~/.password-store && rm -rf "$tmp"
  pass close
  pass open

Which resulted in a temporary situation of having two loop devices mounted one on top of the other:

/dev/mapper/tomb..password.1566943678.loop0  on  /home/user/.password-store       type  ext4         (rw,nodev,noatime)
/dev/mapper/tomb..password.1566944186.loop2  on  /home/user/.password-store       type  ext4         (rw,nodev,noatime)

And after pass close everything written into the overlaid mount of loop2 became lost (no pass git init, no copied passwords, only a virgin pass init).
I don't think this situation is acceptable. I would even say it's critically disastrous.
Why does pass-tomb allow opening something twice at all?
Look how it messed up my dmesg:

[ 5875.693475] EXT4-fs (dm-4): mounted filesystem with ordered data mode. Opts: (null)
[ 5879.012068] EXT4-fs (dm-6): mounted filesystem with ordered data mode. Opts: (null)
[ 5879.394609] EXT4-fs error (device dm-4): ext4_validate_block_bitmap:376: comm kworker/u16:11: bg 0: bad block bitmap checksum
[ 5879.407010] EXT4-fs (dm-4): Delayed block allocation failed for inode 12 at logical offset 0 with max blocks 1 with error 74
[ 5879.407017] EXT4-fs (dm-4): This should not happen!! Data will be lost

[ 5883.290629] EXT4-fs (dm-4): mounted filesystem with ordered data mode. Opts: (null)

Moreover it hinders automation of other scripts -- I would like it if neomutt on startup tried to open the tomb unconditionally and only then queried the password from the db. Because otherwise my workflow looks like: "try running neomutt", "fail", "visually check the tomb is opened (to prevent overlays)", "open if not (an unconditional pass open results in the problem above)", "try running neomutt again". It's horrendous. Especially horrendous is the use case with a timeout, when you never know at which moment something will silently break, instead of a simple password prompt at the appropriate moment.

P.S. I know rm was a bad decision and I removed it already. However it won't save anybody from a manual error with loop2 anyway, because you see files until... you close it.
Also, I use git only for versioning, not for sync, so no concerns here.

By the way, why does it require sudo at all? Won't fuse be enough to accomplish mounting without a sudo prompt each time?
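A guard for the double-open failure described in the report above, as an added example that is not part of pass-tomb or of the poster's script: it counts how many filesystems are mounted at the store path from /proc/mounts-format lines and only calls pass open when nothing is mounted there. The sample mount lines are constructed from the listing in the report; the pass_open_once wrapper and the PASSWORD_STORE_DIR default are assumptions.

```bash
#!/usr/bin/env bash
# Added example (not pass-tomb code): refuse to open a tomb on top of a store
# that is already mounted, so a second "pass open" cannot stack a second loop
# device over the first and silently lose writes.

# Constructed sample in /proc/mounts format: two tomb loop devices stacked on
# the same store directory, exactly the situation from the report above.
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0
/dev/mapper/tomb..password.1566943678.loop0 /home/user/.password-store ext4 rw,nodev,noatime 0 0
/dev/mapper/tomb..password.1566944186.loop2 /home/user/.password-store ext4 rw,nodev,noatime 0 0'

# Count filesystems mounted at exactly the given path.
# Reads mount table lines from stdin: <source> <target> <fstype> <options> ...
mount_count_at() {
  local target=$1 n=0 src tgt rest
  while read -r src tgt rest; do
    [ "$tgt" = "$target" ] && n=$((n + 1))
  done
  printf '%s\n' "$n"
}

# Classify the store: 0 = nothing mounted (safe to open), 1 = already open,
# 2 = stacked mounts detected (the data-loss condition). Reads stdin like above.
store_state() {
  local n
  n=$(mount_count_at "$1")
  case $n in
    0) return 0 ;;
    1) return 1 ;;
    *) return 2 ;;
  esac
}

# Wrapper (assumed, not provided by pass-tomb): open only in the safe state.
pass_open_once() {
  local store=${PASSWORD_STORE_DIR:-$HOME/.password-store} rc=0
  store_state "$store" < /proc/mounts || rc=$?
  case $rc in
    0) pass open "$@" ;;
    1) echo "tomb already open at $store, nothing to do" >&2; return 0 ;;
    *) echo "stacked mounts on $store; close them before continuing" >&2; return 2 ;;
  esac
}

# Stand-alone demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_MOUNTS" | mount_count_at /home/user/.password-store
```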

pass open fails unless swapoff -a is run

Meta

Ubuntu 16.04.01 / elementary os loki, encrypted volume, swap shared w multiple OS (?)
pass-tomb (latest)
Tomb 2.4

Latest version of tomb fails when pass-tomb tries to open the store when a swap file is present and in use:

~$ pass open
[x] Error : Unable to open the password tomb.
~$ tomb open .password.tomb -k .password.tomb.key

tomb . Commanded to open tomb .password.tomb
tomb . An active swap partition is detected...
tomb [W] This poses a security risk.
tomb [W] You can deactivate all swap partitions using the command:
tomb [W] swapoff -a
tomb [W] [#163] I may not detect plain swaps on an encrypted volume.
tomb [W] But if you want to proceed like this, use the -f (force) flag.
tomb [E] Operation aborted.

~$
~$ sudo swapoff -a
~$ pass open

You need a passphrase to unlock the secret key for
user: "XXXXXXXXXX [email protected]"
2048-bit RSA key, ID 5FCC6403, created 2017-11-10 (main key ID DA795D2A)

(*) Your password tomb has been opened in /home/mark/.password-store/.
. You can now use pass as usual.
. When finished, close the password tomb using 'pass close'.

~$

I don't remember if I encrypted my swap, but as this dev machine has Windows and Linux running in parallel, I probably tried to share it, and left it unencrypted.

Could you add an option to pass open (--force or -F) that turns swap off prior to opening, and back on at the end of the bash script? Running with swap off is deadly...

Close does not like filenames with extensions

I have set PASSWORD_STORE_TOMB_FILE="$HOME/password.tomb".

With this setting pass close calls tomb close with the argument password.tomb, see here. However, tomb list shows that the opened tomb is instead just called password. Thus pass-tomb will fail to close the password tomb.

After Fedora upgrade to 30, pass tomb is timing out.

I do not get a prompt for the key passphrase and hence the script times out after some time -

pass open --verbose
. pass Opening the password tomb /home/sanjxxxx.password.tomb using the key /home/sanjxxxx/.password.tomb.key
. tomb . Commanded to open tomb /home/sanjxxxx/.password.tomb
. tomb . An active swap partition is detected...
. tomb (*) The undertaker found that all swap partitions are encrypted. Good.
. tomb [W] File is not yet a tomb: /home/sanjxxxx/.password.tomb
. tomb . Valid tomb file found: /home/sanjxxxx/.password.tomb
. tomb . Key is valid.
. tomb (*) Opening .password on /home/sanjxxxx/.password-store/
. tomb . This tomb is a valid LUKS encrypted device.
. tomb . Cipher is "aes" mode "xts-plain64:sha256" hash "sha256"
. tomb [E] No valid password supplied.
[x] Error: Unable to open the password tomb.

Moving an existing password tomb?

Hi,
I'm trying to move my password tomb to a new laptop. I have installed pass, tomb and pass-tomb, moved my password tomb file and my password tomb key to the new laptop.
When I try pass open, I get this:

~$ pass open
 [x] Error : There is no password tomb to open.

What am I missing?

pass-tomb creates multiple systemd timers

Let's say I set the timer to 1h when creating the tomb. If I manually close the tomb after 20min and then reopen the tomb 5min later, another timer is created while the previous timer is also present. Shouldn't the previous timer be updated rather than creating a new timer every time pass is closed and opened?

Cannot create tomb on OS X.

I was able to get it to build and install by making minor modifications to the Makefile:

$ git diff
diff --git a/Makefile b/Makefile
index 9674cd3..26d7b13 100644
--- a/Makefile
+++ b/Makefile
@@ -16,9 +16,9 @@ all:
 install:
        @install -v -d "$(DESTDIR)$(MANDIR)/man1" && install -m 0644 -v pass-$(PROG).1 "$(DESTDIR)$(MANDIR)/man1/pass-$(PROG).1"
        @install -v -d "$(DESTDIR)$(SYSTEM_EXTENSION_DIR)/"
-       @install -Dm0755 $(PROG).bash "$(DESTDIR)$(SYSTEM_EXTENSION_DIR)/$(PROG).bash"
-       @install -Dm0755 open.bash "$(DESTDIR)$(SYSTEM_EXTENSION_DIR)/open.bash"
-       @install -Dm0755 close.bash "$(DESTDIR)$(SYSTEM_EXTENSION_DIR)/close.bash"
+       @install -m 0755 $(PROG).bash "$(DESTDIR)$(SYSTEM_EXTENSION_DIR)/$(PROG).bash"
+       @install -m 0755 open.bash "$(DESTDIR)$(SYSTEM_EXTENSION_DIR)/open.bash"
+       @install -m 0755 close.bash "$(DESTDIR)$(SYSTEM_EXTENSION_DIR)/close.bash"
        @echo
        @echo "pass-$(PROG) is installed succesfully"
        @echo
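Review bot: dropping `-D` is only safe because the unchanged `@install -v -d "$(DESTDIR)$(SYSTEM_EXTENSION_DIR)/"` line just above already creates the target directory; GNU install's `-D` created missing leading directories, which BSD install on OS X lacks, so `-m 0755` is the portable equivalent here, and the commit message should say that the directory creation is what keeps it equivalent. While touching this target, the typo in the unchanged `@echo "pass-$(PROG) is installed succesfully"` context line could be fixed to "successfully".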

And installing like this:

$sudo make install PREFIX=/usr/local

When I try to create a new tomb this is the output:

$ pass tomb
 \e[1;31m[x]\e[0m \e[1mError :\e[0m Tomb is not present.

I read issue #4 and I believe this issue is because it is trying to open pinentry-curses, however on OS X the pin entry program is called pinentry-mac. Here is the line from my gpg-agent.conf:

pinentry-program /usr/local/MacGPG2/libexec/pinentry-mac.app/Contents/MacOS/pinentry-mac

Is there a way I could configure pass-tomb to use this pinentry program, or help debug this in any way? I would really like to use pass-tomb on my Mac and it seems like it should work without much of a change. Thank you.

Not able to create pass-tomb

I'm using this syntax:

~$ pass tomb [email protected] -v -d
 (*) tomb [D] Identified caller: rav (1000:1000)
 (*) tomb [D] Tomb command: dig /home/rav/password
 (*) tomb [D] Caller: uid[1000], gid[1000], tty[/dev/pts/6].
 (*) tomb [D] Temporary directory: /tmp/zsh
 (*) tomb  .  Commanded to dig tomb /home/rav/password
 (*) tomb (*) Creating a new tomb in /home/rav/password
 (*) tomb  .  Generating password of 10MiB
 (*) tomb [D] Data dump using dd from /dev/urandom
 (*) 10+0 records in
 (*) 10+0 records out
 (*) 10485760 bytes (10 MB) copied, 1.10843 s, 9.5 MB/s
 (*) -rw------- 1 rav rav 10M Mar 10 13:05 /home/rav/password
 (*) tomb (*) Done digging password
 (*) tomb  .  Your tomb is not yet ready, you need to forge a key and lock it:
 (*) tomb  .  tomb forge /home/rav/password.key
 (*) tomb  .  tomb lock /home/rav/password -k /home/rav/password.key
 (*) tomb [D] Identified caller: rav (1000:1000)
 (*) tomb [D] Tomb command: forge /home/rav/password.key
 (*) tomb [D] Caller: uid[1000], gid[1000], tty[/dev/pts/6].
 (*) tomb [D] Temporary directory: /tmp/zsh
 (*) tomb  .  Commanded to forge key /home/rav/password.key with cipher algorithm AES256                                                                                
 (*) tomb [W] This operation takes time, keep using this computer on other tasks,
 (*) tomb [W] once done you will be asked to choose a password for your tomb.
 (*) tomb [W] To make it faster you can move the mouse around.
 (*) tomb [W] If you are on a server, you can use an Entropy Generation Daemon.
 (*) tomb [D] Data dump using dd from /dev/random
 (*) 512+0 records in
 (*) 512+0 records out
 (*) 512 bytes (512 B) copied, 583.43 s, 0.0 kB/s
 (*) tomb (*) Using the GnuPG key [email protected] to encrypt the key: /home/rav/password.key                                                                   
 (*) tomb  .  (You can also change it later using 'tomb passwd'.)
 (*) tomb [D] is_valid_recipients
 (*) tomb [D] Created tempfile: /tmp/zsh/158601790430456841
 (*) tomb [D] [GNUPG:] BEGIN_ENCRYPTION 2 9
 (*) tomb [D] [GNUPG:] END_ENCRYPTION
 (*) tomb [D] is_valid_key
 (*) tomb  .  Key is valid.
 (*) tomb  .  Done forging /home/rav/password.key
 (*) tomb (*) Your key is ready:
 (*) -rw------- 1 rav rav 1.6K Mar 10 13:15 /home/rav/password.key
 (*) tomb [D] Identified caller: rav (1000:1000)
 (*) tomb [D] Tomb command: lock /home/rav/password
 (*) tomb [D] Caller: uid[1000], gid[1000], tty[/dev/pts/6].
 (*) tomb [D] Temporary directory: /tmp/zsh
 (*) tomb  .  Commanded to lock tomb password
 (*) tomb [D] Tomb found: /home/rav/password
 (*) tomb [D] Loop mounted on /dev/loop0
 (*) tomb  .  Checking if the tomb is empty (we never step on somebody else's bones).
 (*) tomb  .  Fine, this tomb seems empty.
 (*) tomb [D] load_key key encrypted with a GnuPG Key
 (*) tomb  .  Key encrypted with a GnuPG Key
 (*) tomb [D] load_key: /home/rav/password.key
 (*) tomb [D] is_valid_key
 (*) tomb  .  Key is valid.
 (*) tomb  .  Locking using cipher: aes-xts-plain64:sha256
 (*) tomb [D] no password needed, using GPG key
 (*) tomb [D] get_lukskey
 (*) tomb [D] Created tempfile: /tmp/zsh/29895117701498311683
 (*) tomb [D] [GNUPG:] ENC_TO 0000000000000000 16 0
 (*) tomb [D] gpg: anonymous recipient; trying secret key 5149EA28 ...
 (*) tomb [D] [GNUPG:] USERID_HINT XXXXXXXXXXXXXX My Name <[email protected]>
 (*) tomb [D] [GNUPG:] NEED_PASSPHRASE XXXXXXXXXXXXXX XXXXXXXXXXXXXX 16 0
 (*) tomb [D] gpg: can't query passphrase in batch mode
 (*) tomb [D] [GNUPG:] MISSING_PASSPHRASE
 (*) tomb [D] [GNUPG:] BAD_PASSPHRASE XXXXXXXXXXXXXX
 (*) tomb [D] gpg: encrypted with ELG-E key, ID 00000000
 (*) tomb [D] [GNUPG:] NO_SECKEY 0000000000000000
 (*) tomb [D] [GNUPG:] BEGIN_DECRYPTION
 (*) tomb [D] [GNUPG:] DECRYPTION_FAILED
 (*) tomb [D] gpg: decryption failed: secret key not available
 (*) tomb [D] [GNUPG:] END_DECRYPTION
 (*) tomb [D] get_lukskey returns 1
 (*) tomb [E] No valid password supplied.
 [*] Error : Unable to lock the password tomb

I've removed my actual email from the above output. I think the problem is that I'm not getting a prompt for my GPG passphrase, even though I have gpg-agent and use it daily for my e-mail. I use pinentry-curses; does pass-tomb require the gtk version?

Timer Fails

× [email protected] - pass-close .password
     Loaded: loaded (/usr/local/lib/systemd/system/[email protected]; static)
     Active: failed (Result: exit-code) since Thu 2021-05-13 14:33:19 PDT; 11min ago
    Process: 13180 ExecStart=/usr/local/bin/pass close --verbose .password (code=exited, status=1/FAILURE)
   Main PID: 13180 (code=exited, status=1/FAILURE)
        CPU: 15ms

May 13 14:33:19 **** systemd[1]: Starting pass-close .password...
May 13 14:33:19 **** pass[13180]:  [x] Error: There is no password tomb.
May 13 14:33:19 **** systemd[1]: [email protected]: Main process exited, code=exited, status=1/FAILURE
May 13 14:33:19 **** systemd[1]: [email protected]: Failed with result 'exit-code'.
May 13 14:33:19 **** systemd[1]: Failed to start pass-close .password.

The password tomb is called .password.tomb. Could it be getting the wrong filename?

I can open and close manually just fine.

recommended way to sync a tomb

Which is the recommended way to sync a tomb? My thoughts are the following so far:

  • syncing an open tomb probably is not helpful, because it conflicts with processes writing to the tomb at the same time, leaving the tomb's filesystem in an unpredictable state
    • best approach seems to sync closed tombs only
  • since the syncing software doesn't know anything about the tombs content it's hard to decide which version of two tomb files is more recent - except for the closing time which should be reflected by mtime(?)
    • keep a long history of versions of tomb files to make it easy to manually merge any entry that has gotten lost - if that ever happens
    • I'm the only user of my pass-tomb using it on a handful of devices.
    • Conflicts should be rare, because good practice would be to leave the tomb not open on a device I'm not using anymore.
  • how should I find the right moment to sync?
    • Is there a hook for open and close on a pass-tomb I didn't stumble over?
    • I'm using a gpg key from a nitrokey. This gives me udev-events when inserting and removing the nitrokey: could sync on removal (outgoing) and on connect (incoming)

Side note: I should think about how important it is to me to protect the file structure of my pass content by a tomb. Is it sufficient for me to have it protected "on the road" carrying a tomb file, but push it to a self-hosted git repository? In the light of the thoughts above this seems to be a compromise.

Any thoughts, help, further information on this would be very welcome!

Unable to edit a password entry

I'm not sure it is related to pass-tomb, but since I used it to create my password store and I can't find an issue tracker for pass, I'm posting this issue in this repo. Maybe @zx2c4 or @jaromil could have an idea on what's going on?

So the issue is that I can't edit a password entry. I can show it, copy it in clipboard, etc., but not edit it.

Show ok:

$ pass show bandyou
****************** (redacted)

Update ok (with pass-update extension):

$ pass update bandyou
Changing password for bandyou
****************** (redacted)
Are you ready to generate a new password? [y/N] 

Edit not ok:

$ pass edit bandyou
Error: You must run:
    pass init your-gpg-id
before you may use the password store.

============================================
= pass: the standard unix password manager =
... and the rest of the banner and usage message

Edit is not working either with other password entries.

  • pass v1.7
  • tomb v2.3
  • pass-tomb 0.1
  • also upgraded to pass-tomb 1.0 and tomb 2.4, still not working

Unable to set the timer

Is it broken? I don't see any .timer file inside opened tomb.

run pass tomb gpgid --timer=2h OR pass open --timer=2h

  w  Unable to set the timer to close the password tomb in 2h.
 (*) Your password tomb has been opened in /home/amer/.password-store/.
  .  You can now use pass as usual.
  .  When finished, close the password tomb using 'pass close'.

My system:

Linux host 5.2.9-arch1-1-ARCH #1 SMP PREEMPT Fri Aug 16 11:29:43 UTC 2019 x86_64 GNU/Linux
systemd 242 (242.84-2-arch)
+PAM +AUDIT -SELINUX -IMA -APPARMOR +SMACK -SYSVINIT +UTMP +LIBCRYPTSETUP +GCRYPT +GNUTLS +ACL +XZ +LZ4 +SECCOMP +BLKID +ELFUTILS +KMOD +IDN2 -IDN +PCRE2 default-hierarchy=hybrid

Error: Unable to forge the password tomb.

I have installed pass, tomb, and pass-tomb and followed the instructions in the manual to create a password tomb. However, each time I run the command
pass tomb (entering my gpg-id, of course)
I receive the error message listed in the title. I am not sure where to look in order to get more information about why I cannot forge the tomb.

Timer setting persistent.

Hello,

I installed Pass Tomb and everything is working as advertised except for the timer.
At one point I decided to set the timer to 15 min, but only for that session, and now the timer is invoked regardless.
"This password store will be closed in 15min" appears even though I only entered pass open.
I rebooted and there was no change. Did systemd set this to enabled so that it opens the tomb with a timer of 15 min?

Regards,

Not building on macOS

When I try to build it on macOS I get:

sudo make isntall
install: illegal option -- D
usage: install [-bCcpSsv] [-B suffix] [-f flags] [-g group] [-m mode]
               [-o owner] file1 file2
       install [-bCcpSsv] [-B suffix] [-f flags] [-g group] [-m mode]
               [-o owner] file1 ... fileN directory
       install -d [-v] [-g group] [-m mode] [-o owner] directory ...
make: *** [install] Error 64

An active swap partition is detected...

I have the same issue as #30. Not sure how I should resolve.

I'm running Fedora 34. I have a swap file. I do not have a swap partition. The drive is encrypted. Why do I need to disable swap?

pass close fails when residing in the .password-store directory

... not a bug, but an inconvenience:

  • open the tomb
  • move to the .password-store directory to do some manual work on the gpg files/folders
  • finish the work and close the tomb without changing directory out of the store
  • close fails and no error message tells me I am interfering with the close action

resolution: added a line to the close bash script to perform a "cd ~" if I am currently located anywhere in the .password-store folder tree.

Unable to open the password tomb

So recently I ran into the same issue multiple times.
I want to open my password tomb as usual, so my operations are:

  • I run sudo swapoff -a to disable swap before opening the pass-tomb
  • it seems my swap is correctly emptied and disabled
  • I run pass open, decrypt my key with no issue, and I see a

[x] Error: Unable to open the password tomb.

Here is the interesting part when running with the --debug flag:

.  Cannot initialize device-mapper. Is dm_mod kernel module loaded?
.  Cannot use device tomb..password.1588584847.loop12, name is invalid or still in use.
.  tomb [E] Failure mounting the encrypted file.

But when I reboot, there's a 1/2 chance everything's working.
I'm willing to provide info for debugging purposes.
Thanks in advance to anyone taking the time to respond 🙂

Cannot open pass tomb, "Error: open is not in the password store."

I am running Debian Testing. I installed package updates, rebooted my computer, and pass tomb seems to no longer work. It will not let me open my password tomb, and fails with the error message:

$ pass open
Error: open is not in the password store.

It looks like the pass program might be intercepting pass-tomb? Or it thinks the store is already open? Also, I am pretty sure I forgot to close the password store before I rebooted, but this has never been a problem before.

$ uname -a
Linux [hostname] 5.15.0-2-amd64 #1 SMP Debian 5.15.5-2 (2021-12-18) x86_64 GNU/Linux
$ apt policy pass pass-extension-tomb
pass:
  Installed: 1.7.4-4
  Candidate: 1.7.4-4
  Version table:
 *** 1.7.4-4 500
        500 http://deb.debian.org/debian testing/main amd64 Packages
        500 http://deb.debian.org/debian testing/main i386 Packages
        100 /var/lib/dpkg/status
pass-extension-tomb:
  Installed: 1.3-1
  Candidate: 1.3-1
  Version table:
 *** 1.3-1 500
        500 http://deb.debian.org/debian testing/main amd64 Packages
        500 http://deb.debian.org/debian testing/main i386 Packages
        100 /var/lib/dpkg/status

out of inodes

I generated a pass-tomb using the default values and imported the passwords from my Firefox and from Password Safe. I ended up with 936 passwords:

$ find .password-store | wc -l
936

Then I wanted to add git:

$ pass git init
hint: Using 'master' as the name for the initial branch. This default branch name
hint: is subject to change. To configure the initial branch name to use in all
hint: of your new repositories, which will suppress this warning, call:
hint: 
hint: 	git config --global init.defaultBranch <name>
hint: 
hint: Names commonly chosen instead of 'master' are 'main', 'trunk' and
hint: 'development'. The just-created branch can be renamed via this command:
hint: 
hint: 	git branch -m <name>
Initialized empty Git repository in .password-store/.git/
error: unable to create temporary file: No space left on device
error: unable to create temporary file: No space left on device
error: Error building trees
/usr/bin/pass: line 638: .password-store/.gitattributes: No space left on device
fatal: Unable to create '.password-store/.git/index.lock': No space left on device
error: could not lock config file .git/config: No space left on device
error: could not lock config file .git/config: No space left on device

The filesystem had been generated with 10MB, but with only 2048 inodes.

$ df .password-store
Filesystem                                                                                        1K-blocks  Used Available Use% Mounted on
/dev/mapper/tomb..password.25a458f4b45f7041a9407b6f2d0c1b49bfb3824a0e9e588bddc47fda0c1b87c3.loop9      6844  2170      4102  35% .password-store
$ df -i .password-store
Filesystem                                                                                        Inodes IUsed IFree IUse% Mounted on
/dev/mapper/tomb..password.25a458f4b45f7041a9407b6f2d0c1b49bfb3824a0e9e588bddc47fda0c1b87c3.loop9   2048  2048     0  100% .password-store

Since it is to be expected that there'd be small files in the pass-tomb, I'd suggest to generate the filesystem with a higher count of inodes.

Git integration

How does pass-tomb interact with git? One of the things I like so much about pass is that it can handle merging encrypted files. It looks like pass git push would only work once the tomb is opened? And in that case, the remote server gets an untombed password store? Thanks in advance.

Open with timer

Possible bug or am I missing some configuration?

Here is the output of a timed open with verbose and debug options:

ウ pass open -t 60s -v -d
  .  pass Opening the password tomb ~/.password.tomb using the key ~/.password.tomb.key
  .  tomb [D] Identified caller: user (1000:1000)
  .  tomb [D] Tomb command: open ~/.password.tomb
  .  tomb [D] Caller: uid[1000], gid[1000], tty[/dev/pts/0].
  .  tomb [D] Temporary directory: /tmp/zsh
  .  tomb  .  Commanded to open tomb ~/.password.tomb
  .  tomb  .  An active swap partition is detected...
  .  tomb (*) The undertaker found that all swap partitions are encrypted. Good.
  .  tomb [D] is_valid_tomb ~/.password.tomb
  .  tomb [D] tomb file is readable
  .  tomb [D] tomb file is a regular file
  .  tomb [D] tomb file is not empty
  .  tomb [D] tomb file is not currently in use
  .  tomb  .  Valid tomb file found: ~/.password.tomb
  .  tomb [D] load_key argument: ~/.password.tomb.key
  .  tomb [D] load_key: ~/.password.tomb.key
  .  tomb [D] is_valid_key
  .  tomb  .  Key is valid.
  .  tomb (*) Opening .password on ~/.password-store/
  .  tomb  .  This tomb is a valid LUKS encrypted device.
  .  tomb  .  Cipher is "aes" mode "xts-plain64:sha256" hash "sha1"
  .  tomb [D] dev mapper device: tomb..password.1497360684.loop0
  .  tomb [D] Tomb key: ~/.password.tomb.key
  .  tomb [D] Tomb name: .password (to be engraved)
  .  tomb [D] no password needed, using GPG key
  .  tomb [D] get_lukskey
  .  tomb [D] Created tempfile: /tmp/zsh/2029029091984619440
  .  tomb [D] [GNUPG:] ENC_TO 2CE736FDCCD9FC47 1 0
  .  tomb [D] [GNUPG:] GOOD_PASSPHRASE
  .  tomb [D] gpg: encrypted with 4096-bit RSA key, ID 0x..., created 2014-12-05
  .  tomb [D]       "..."
  .  tomb [D] [GNUPG:] BEGIN_DECRYPTION
  .  tomb [D] [GNUPG:] DECRYPTION_INFO 2 9
  .  tomb [D] [GNUPG:] PLAINTEXT 62 1497267931 
  .  tomb [D] [GNUPG:] DECRYPTION_OKAY
  .  tomb [D] [GNUPG:] GOODMDC
  .  tomb [D] [GNUPG:] END_DECRYPTION
  .  tomb [D] get_lukskey returns 0
  .  tomb [D] lo_preserve on /dev/loop0
  .  tomb (*) Success unlocking tomb .password
  .  tomb [D] Key size is 512 for cipher aes-xts-plain64:sha256
  .  tomb  .  Checking filesystem via /dev/loop0
  .  fsck from util-linux 2.25.2
  .  .password: clean, 253/2048 files, 1646/8192 blocks
  .  tomb [D] Tomb engraved as .password
  .  tomb (*) Success opening .password.tomb on ~/.password-store/
  .  tomb  .  Last visit by user(1000) from /dev/pts/0 on computer
  .  tomb  .  on date Tue 13 Jun 2017 14:30:54 IST
  .  tomb [D] bind-hooks not found in ~/.password-store/
  .  pass Setting user permissions on ~/.password-store/
  .  pass systemd-run: unrecognized option '--on-active=60s'
  w  Unable to set the timer to close the password tomb in 60s.
 (*) Your password tomb has been opened in ~/.password-store/.
  .  You can now use pass as usual.
  .  When finished, close the password tomb using 'pass close'.

[feature request] systemd user timer

Briefly reading through the code to pass-tomb, I see you use sudo to create systemd system timers. Is there any reason you did not consider using --user mode timers?

I believe it would also allow removing the requirement to set permissions, which uses sudo, which would entirely remove it as a dependency.

Password Store Lost While Attempting to Uninstall

A few days ago, I deleted all the scripts associated with tomb and pass-tomb and disabled the systemd timer while the tomb was open, thinking this was all I needed to do. I also deleted the password tomb. Then I used the system for several days. This morning, when I rebooted, my password store was owned by root (and was empty). What did I do wrong?

Allow user to specify superuser passphrase from STDIN

As pass-tomb needs to be run as root, it's almost impossible to automate pass open in a workflow, for instance to ask for the root password with gksudo, because there is no way to pass it to pass-tomb, which waits for the root password from standard input.

There should be an option to send the root password to pass open on standard input.

A workaround would be to directly run echo $password | sudo -S pass open but this can't work as the gnupg password prompt can't appear on the screen if it's run as root.
