A guide to setting up a unified credential store using pass (a GPG-encrypted password manager) that works with Docker, GitHub, and Azure DevOps.
- CachyOS (or any Arch-based system)
- Basic familiarity with terminal commands
```bash
# Install pass and Docker credential helper
paru -S pass docker-credential-pass-bin
# Install Git Credential Manager
paru -S git-credential-manager-bin
```

Note: Choose option 2 (the -bin versions) when prompted for provider selection.
```bash
gpg --gen-key
```

When prompted, enter:
- Real name: Your name (e.g., John)
- Email address: Your email (e.g., your@email.com)
- Passphrase: Choose a strong passphrase (you'll need this whenever accessing stored credentials)

The key will be generated and you'll see output showing your key ID.
```bash
# Initialize pass with your email (or GPG key ID)
pass init your@email.com
```

This creates the password store at ~/.password-store/
```bash
# Create Docker config directory if it doesn't exist
mkdir -p ~/.docker
# Create/edit ~/.docker/config.json
cat > ~/.docker/config.json << 'EOF'
{
  "credsStore": "pass"
}
EOF
```

Verify the setup:
```bash
docker-credential-pass list
# Should return: {}
```

```bash
# Set GCM as the credential helper
git config --global credential.helper manager
# Configure GCM to use GPG/pass as backing store
git config --global credential.credentialStore gpg
# Configure GitHub provider
git config --global credential.https://github.com.provider github
# Configure Azure DevOps provider
git config --global credential.https://dev.azure.com.provider azure-repos
```

Optionally, configure GCM globally:
```bash
git-credential-manager configure
```

```bash
# Docker Hub
docker login
# GitHub Container Registry
docker login ghcr.io
# Azure Container Registry
docker login yourregistry.azurecr.io
```

Credentials are automatically stored in pass (GPG-encrypted).
When you interact with GitHub (e.g., git push, git clone private repo), GCM will automatically prompt for authentication and store credentials.
```bash
# Example: Clone a private repo
git clone https://github.com/yourusername/private-repo.git
```

Similarly, when accessing Azure DevOps repositories:
```bash
# Example: Clone from Azure DevOps
git clone https://dev.azure.com/yourorg/yourproject/_git/yourrepo
```

```bash
# List Docker credentials
docker-credential-pass list
# View in pass
pass show docker-credential-helpers/
```

```bash
# View stored git credentials
pass show
```

```bash
# View credential helper config
git config --global --get credential.helper
# View all credential configs
git config --global --list | grep credential
```

If you get GPG agent errors, restart the agent:
```bash
gpgconf --kill gpg-agent
gpgconf --launch gpg-agent
```

Ensure docker-credential-pass is executable and in PATH:
```bash
which docker-credential-pass
# Should return: /usr/bin/docker-credential-pass
# Test manually (list reads nothing from stdin)
docker-credential-pass list
```

Check if GCM is properly installed:
```bash
which git-credential-manager
# Should return: /usr/bin/git-credential-manager
# Check configuration
git-credential-manager --version
```

- All credentials are GPG-encrypted at rest in ~/.password-store/
- Your GPG passphrase protects all stored credentials
- Credentials are only decrypted when needed
- Never commit .password-store/ to version control (it's in your home directory by default)
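
The security notes above can be checked mechanically. The script below is an added example, not part of the original guide: it confirms that `~/.docker/config.json` delegates to pass with no inline secret left over, and that the store is private and contains only encrypted entries. The function names and the `--audit` flag are assumptions made for this sketch.

```bash
#!/usr/bin/env bash
# Added example: audit the credential setup described in this guide.
# Function names and the --audit flag are assumptions made for this sketch.

# Succeeds when Docker delegates to pass and no inline secret is left behind.
check_docker_config() {
    local cfg="${1:-$HOME/.docker/config.json}"
    [ -r "$cfg" ] || { echo "missing: $cfg"; return 2; }
    if ! grep -Eq '"credsStore"[[:space:]]*:[[:space:]]*"pass"' "$cfg"; then
        echo "credsStore is not \"pass\" in $cfg"; return 1
    fi
    # A docker login made before credsStore was set can leave base64
    # "user:password" in an "auth" field of this file.
    if grep -Eq '"auth"[[:space:]]*:[[:space:]]*"[^"]+"' "$cfg"; then
        echo "inline \"auth\" secret still present in $cfg"; return 1
    fi
    echo "docker config ok: $cfg"
}

# Succeeds when the store is private and holds only GPG-encrypted entries.
check_pass_store() {
    local store="${1:-$HOME/.password-store}" stray
    [ -d "$store" ] || { echo "missing: $store"; return 2; }
    # Characters 5-10 of the ls -ld mode string are the group/other bits.
    if [ "$(ls -ld "$store" | cut -c5-10)" != "------" ]; then
        echo "$store is accessible to group or other"; return 1
    fi
    # Anything that is not *.gpg (or pass/git metadata) sits there in clear.
    stray=$(find "$store" -type f ! -name '*.gpg' ! -name '.gpg-id' \
        ! -name '.gitattributes' ! -path '*/.git/*')
    if [ -n "$stray" ]; then
        echo "unencrypted files in store:"; echo "$stray"; return 1
    fi
    echo "pass store ok: $store"
}

# Audit the real locations only when asked: bash audit.sh --audit
if [ "${1:-}" = "--audit" ]; then
    rc=0
    check_docker_config || rc=1
    check_pass_store || rc=1
    exit "$rc"
fi
```

pass encrypts file contents only; entry paths inside the store stay readable, which is why the directory-permission check matters.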
To remove the credential store:
```bash
# Remove pass and credential helpers
paru -R pass docker-credential-pass-bin git-credential-manager-bin
# Remove password store (optional - this deletes all stored credentials)
rm -rf ~/.password-store
# Remove GPG keys (optional - only if you're sure)
gpg --delete-secret-keys your@email.com
gpg --delete-keys your@email.com
# Reset Docker config
rm ~/.docker/config.json
# Reset Git credential config
git config --global --unset credential.helper
git config --global --unset credential.credentialStore
git config --global --unset credential.https://github.com.provider
git config --global --unset credential.https://dev.azure.com.provider
```