Complete Guide to pass: The Standard Unix Password Manager.
pass is a simple, Unix-philosophy-based password manager that stores each password in a GPG-encrypted file. It uses standard Unix tools and can be version-controlled with Git, making it perfect for developers and anyone who appreciates simple, transparent tools.
Why pass?
- Simple: Just encrypted files in ~/.password-store/
- Transparent: No proprietary formats, everything is GPG-encrypted text
- Version Controlled: Built-in Git support for tracking changes
- Flexible: Organize passwords however you want with folders
- Portable: Sync across multiple machines using Git
- Scriptable: Easy to integrate with other tools
Installation
Arch:
sudo pacman -S pass
Setting Up GPG Keys
Before using pass, you need a GPG key pair.
Generate a New GPG Key
gpg --full-generate-key
Follow the prompts:
- Choose RSA and RSA (default)
- Key size: 4096 bits
- Expiration: 0 (doesn’t expire) or set your preference
- Enter your name and email
- Set a strong passphrase
Get Your GPG Key ID
gpg --list-secret-keys --keyid-format LONG
Look for a line like sec rsa4096/ABCD1234EFGH5678. The part after the / is your key ID.
Initializing pass
Basic Initialization
pass init "your-gpg-key-id"
Or use your email:
pass init "[email protected]"
This creates ~/.password-store/ and initializes it.
Initialize with Git
pass git init
This turns your password store into a Git repository, automatically tracking all changes.
Add a Remote Repository
pass git remote add origin [email protected]:yourusername/password-store.git
pass git push -u origin main
Basic Usage
Insert a New Password
pass insert Email/gmail
You’ll be prompted to enter the password.
Insert Multi-line Data
pass insert -m Social/github
Format example:
your_password_here
Username: yourusername
URL: https://github.com
Recovery email: [email protected]
2FA: enabled
Generate a Random Password
pass generate Email/newaccount 20
Generate without symbols:
pass generate -n Email/newaccount 20
Generate and copy to clipboard:
pass generate -c Email/newaccount 20
Retrieve a Password
Show password:
pass Email/gmail
Copy to clipboard (clears after 45 seconds):
pass -c Email/gmail
Edit a Password
pass edit Email/gmail
Remove a Password
pass rm Email/gmail
List All Passwords
pass
Organizing Your Passwords
Create a logical hierarchy:
Password Store
├── Email
│   ├── gmail.com
│   └── work-email.com
├── Social
│   ├── twitter.com
│   ├── facebook.com
│   └── github.com
├── Banking
│   ├── main-bank
│   └── credit-card
└── Work
    ├── vpn
    └── servers
        └── production-server
Syncing Across Multiple Machines
Exporting Your GPG Key
On your primary machine, export your private key:
gpg --export-secret-keys --armor [email protected] > private-key
Export your public key:
gpg --export --armor [email protected] > public-key
Importing GPG Key on New Machine
Transfer your key files to the new machine, then:
gpg --import private-key
gpg --import public-key
Set trust level for your key:
gpg --edit-key [email protected]
In the GPG prompt:
gpg> trust
Select option 5 (ultimate trust), then:
gpg> quit
Setting Up pass on New Machine
- Install pass (see installation section)
- Clone your password store:
git clone [email protected]:yourusername/password-store.git ~/.password-store
- Initialize pass with your key:
pass init "[email protected]"
- Test it works:
pass
You should see your password list and be prompted for your GPG passphrase.
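Everything under ~/.password-store/ is pushed to the Git remote, so it is worth checking that the store holds only GPG-encrypted files before running pass git push. The script below is an added example, not part of pass or of the original guide; the function names, finding labels and demo data are constructed for illustration, and the OpenPGP check is a first-byte heuristic, not a decryption test.

```shell
#!/bin/sh
# Added example (not part of pass): audit a store before `pass git push`.

# Heuristic: an OpenPGP packet starts with a byte whose high bit is set
# (RFC 4880, section 4.2); ASCII-armored output starts with a BEGIN line.
looks_like_openpgp() {
    first=$(od -An -tu1 -N1 "$1" | tr -d ' \n')
    [ -n "$first" ] && [ "$first" -ge 128 ] && return 0
    [ "$(head -n 1 "$1")" = "-----BEGIN PGP MESSAGE-----" ]
}

# Print one finding per line; return 0 only if the store looks clean.
audit_store() {
    store=${1%/}
    findings=$(
        [ -f "$store/.gpg-id" ] || echo "MISSING .gpg-id"
        # Assumption: the store should be private to its owner (mode 700).
        mode=$(ls -ld "$store" | cut -c5-10)
        [ "$mode" = "------" ] || echo "PERMS group/other bits set: $mode"
        find "$store" -name .git -prune -o -type f -print |
        while IFS= read -r f; do
            rel=${f#"$store"/}
            case $rel in
                .gpg-id|*/.gpg-id|.gitattributes) ;;  # metadata written by pass
                *.gpg) looks_like_openpgp "$f" || echo "NOT-OPENPGP $rel" ;;
                *)     echo "UNENCRYPTED $rel" ;;
            esac
        done
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Constructed demo store: one encrypted-looking entry and two mistakes.
demo_store() {
    d=$(mktemp -d) && mkdir -p "$d/Email" "$d/Social" "$d/.git"
    echo "ABCD1234EFGH5678" > "$d/.gpg-id"
    printf '\205\001\014\003' > "$d/Email/gmail.gpg"    # fake packet bytes
    echo "your_password_here" > "$d/Social/github.gpg"  # plaintext, .gpg name
    echo "Username: yourusername" > "$d/notes.txt"      # stray plaintext file
    echo "$d"
}

if [ "${1:-}" ]; then
    audit_store "$1"
else
    s=$(demo_store); audit_store "$s" || true; rm -rf "$s"
fi
```

Run it with the store path as the only argument (for example ~/.password-store); with no argument it audits the constructed demo store and reports the two planted mistakes.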