pass is a simple password manager for the command line. Passwords are stored inside gpg encrypted files in a simple directory tree structure. pass is a shell script that makes use of existing tools like gnupg, pwgen, tree and git.

Contents

Installation

Install the pass package.

Tip: An optional Qt GUI is available via the qtpass package.

Basic usage

Note: To be able to use pass, set up GnuPG.

To initialize the password store:

$ pass init <gpg-id or email>

To create a new password, first provide a descriptive hierarchical name. In this example, this is archlinux.org/wiki/username.

$ pass insert archlinux.org/wiki/username

To get a view of the password store do the following. Note the example output which shows the hiearchy we just created.

$ pass
Password Store
└── archlinux.org
    └── wiki
        └── username

To generate a new random password for the above example, do the following, where n is the desired password length as a number:

$ pass generate archlinux.org/wiki/username n

To retreive a password, enter the gpg passphrase at the following prompt, again using the same hierarchical example name from above:

$ pass archlinux.org/wiki/username

Users of Xorg with xclip installed can retrieve the password directly onto the clipboard temporarily (*e.g.,* to paste into web forms). To do so, do the following (again with the same example hierarchical name from above):

$ pass -c archlinux.org/wiki/username
Note: Users preferring the classical middle-click/paste can add the following to their respective ~/.shellrc for this behavior: export PASSWORD_STORE_X_SELECTION=primary

Migrating to pass

There are multiple scripts listed on the pass-project page to import passwords from other programs

Advanced usage

Environment variables can be used to alter where pass looks to do store and git operations via

PASSWORD_STORE_DIR=/path/to/store
PASSWORD_STORE_GIT=/path/to/store

For more information on how this can be used to support multiple pass repositories see this link.

Multiple pass Contexts (e.g. Teaming)

One can use aliases to set up different pass contexts, which helps when collaborating with different teams. We've gotten this working in bash as follows:

Add aliases to your ~/.bashrc:

 alias passred="PASSWORD_STORE_DIR=~/.pass/red PASSWORD_STORE_GIT=~/.pass/red pass"
 alias passblue="PASSWORD_STORE_DIR=~/.pass/blue PASSWORD_STORE_GIT=~/.pass/blue pass"

Add these for bash-completion to your ~/.bash_completion and make sure bash-completion is installed:

 source /usr/share/bash-completion/completions/pass
 _passred(){
     PASSWORD_STORE_DIR=~/.pass/red/ _pass
 }
 complete -o filenames -o nospace -F _passred passred
 _passblue(){
     PASSWORD_STORE_DIR=~/.pass/blue/ _pass
 }
 complete -o filenames -o nospace -F _passblue passblue

Now you can initialize into ~/.pass/red and ~/.pass/blue and have two pass contexts with the passred and passblue aliases. You can generalize this further into as many contexts as you like.

See also