Pass zx2c4 and PassFF for WSL2 Windows

guide linux

The article describes installation process of pass zx2c4 and browser intergration passFF from WSL2 on Windows platform. This approach can ensure correct structure of password storage which can include chars which are not possible use in the filename system on windows. There are much more several reasons why handle pass inside the WSL Linux system and externalize just connection to passFF and external calling by wsl pass command.


  • install WSL2 Ubuntu 20.04 LTS in powershell:

    Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Windows-Subsystem-Linux 
    choco install wsl-ubuntu-2004

    start and update ubuntu 20.04, sudo apt update, sudo apt upgrade

  • Change distribution by WSL commands:

wsl -l
wsl -s Ubuntu-20.04
wsl lsb_release -a


  • Install pass and your linux storage in wsl:

    sudo apt install pass git qrencode xclip
  • Import your gpg keys:

    gpg --import /mnt/c/Users/user/Downloads/privkey.asc
    gpg --import /mnt/c/Users/user/Downloads/gpg-public.key 

    change trust to ultimate (necessary for pass):

    gpg --edit-key <KEY-ID>
    type cmds: trust, choose 5, Y/save, quit
  • Clone your password-store git to new destination:

    git clone ssh://git@<SERVER>:<PORT>/<PSSWORD-STORE-PROJECT>.git ~/.password-store

or create new one password-storage by standard commands:

pass init
pass git init
pass git remote add origin ssh://git@<SERVER>:<PORT>/<PSSWORD-STORE-PROJECT>.git

Sign and push supports settings:

pass git config --global "<YOUR-EMAIL>"
pass git config --global "<YOUR-NAME>"
pass git config --global user.signingkey <YOUR-GPG-KEY-ID>

Finally, test it from powershell or cmder:

wsl pass

Run PASSFF in Firefox and Chrome

from WSL:

curl -sSL | bash -s -- firefox
curl -sSL | bash -s -- chrome

FYI the are installed to:


And on Windows, install passff-host too!

git clone
c:\Users\<user>\git\github\passff-host\src\install_host_app.bat firefox --local
c:\Users\<user>\git\github\passff-host\src\install_host_app.bat chrome --local

GPG PASSPHRASE Dialog Solution

There is problem that external commands from windows cannot show passphrase dialog which is inside the wsl, if the command line is not started.

So, you can change the ttl time to 8h:

In your ~/.gnupg/gpg-agent.conf file, add the following:
default-cache-ttl 28800
max-cache-ttl 28800

Clear cache for fast testing: gpg-connect-agent reloadagent /bye

GPG PASSPHRASE Dialog Solution 2 (better choice)

Usage the pinentry from several ways. There is just one example with very nice small git project with powershell dialog.

TRICK! Use git clone command not from Windows! but from linux path, because it keeps correct EOL etc. It means: git clone /mnt/c/Users/<user>/git/github/pinentry-wsl-ps1

in ~/.gnupg/gpg-agent.conf add line:

pinentry-program /mnt/c/Users/<user>/git/github/pinentry-wsl-ps1/


Now needs hack, because "wsl" command cannot be started from passff-host, direct full path has to be used instead of wsl command! So, edit passff.bat in installed folder:


Change content by calling directly ubuntu 20.04, python3 inside and your internal which see the internal pass.

Content of c:\Users\<user>\AppData\Roaming\passff\passff.bat (firefox passff variant):

"C:\Users\<user>\AppData\Local\Microsoft\WindowsApps\ubuntu2004.exe" run "/usr/bin/python3" "/home/<user>/.mozilla/native-messaging-hosts/" %*


Install Passff extension for your Firefox.

Test it!


Previous Post Next Post