Pass is a command-line password manager built with the Unix philosophy in mind. It enables you to interact with your passwords using regular Unix commands. Credentials are stored in GPG-encrypted files.
pass is available within the package managers of most popular Linux distributions. Try to install it as
pass using the package manager relevant to you, such as
apt for Ubuntu/Debian or
yum for Fedora/RHEL. Specific guidance for each supported distribution is available on the Pass website.
Before continuing, you’ll need a GPG key available. The key will be used to encrypt the contents of your password store. You can create a new one using the following terminal command:
Follow the prompts to create your key, taking care to note down its ID. You should use the default key type (RSA and RSA) but change the keysize to 4,096 bits for maximum security.
With your GPG key available, you’re now ready to initialise
pass. Run the following command, substituting
placeholder-gpg-id with your own GPG ID.
pass init placeholder-gpg-key
A new directory,
.password-store, will be created within your home folder. Pass will store your passwords here. Each password gets its own file, making it simple to backup credentials either individually or en masse.
You can optionally use multiple password stores by setting the
PASSWORD_STORE_DIR environment variable in your shell. This enables you to override the default store directory and access passwords stored in an arbitrary location.
Adding Passwords to the Store
Passwords are added to the store using the
pass insert command. This accepts the name of the service as an argument and interactively prompts you to enter the password.
The password will be saved to a new encrypted file inside your store. You can create a credential hierarchy by using forward slashes in your service names. This will result in a tree of subdirectories within the password store’s root.
Pass can generate new passwords for you. Use
pass generate, followed by the service name and then the character length to produce. By default, a strong password consisting of alphanumeric and special characters will be created. You can prevent special characters from appearing using the
pass generate cloudsavvy/example-generated 32 --no-symbols
The command shown above will generate a new 32-character password, store it as
cloudsavvy/example-generated, and emit it to the terminal. You can have it copied to the clipboard instead by passing the
Retrieving Your Passwords
To list the names of all your passwords, run the
pass command without any arguments.
To retrieve the value of a password, supply its name as the only argument to the command.
The password will be emitted to the terminal by default. You can copy it to the clipboard instead by passing the
-c) flag. Clipboard data is automatically cleared after 45 seconds to maintain security.
Passwords are removed by passing a credential’s name to
pass rm (e.g.
pass rm cloudsavvy/example). Similarly, you can edit passwords using
pass edit. The password’s file will be opened in your default text editor.
Any interactions with passwords will display a system prompt to unlock your GPG key. You’ll need to enter your key’s passphrase if it’s protected. This acts as the master key protecting your entire password store.
Because passwords are just plain text files, it’s possible to add multiple lines of data. This is ideal when you need to store additional security details, such as two-factor authentication recovery codes.
pass edit command to open a password file in your editor. Add additional lines to the file to attach any extra metadata you require. The actual password must remain on the first line, unprefixed, to ensure it’s recognized correctly by Pass’s clipboard shorthand commands.
You can save time when creating passwords by passing the
-m) option to the
pass insert command. This will enable you to enter multiple lines into your terminal. Press Ctrl+D when done to save the credentials into your store.
Pass has built-in support for Git. This enables you to version control your passwords and provides a simple mechanism to keep data synchronised across machines. Run
pass git init to add Git to your password store.
You can now use Pass as normal. A Git commit will be created each time a password is added, changed, or removed. You can interact with the Git repository by using regular Git commands, prefixed by
pass git remote add origin example-server:/passwords.git pass git push -u origin master
The previous command adds a remote Git repository to your password store. You can then
git push your passwords into it, giving you a backup in case you lose access to your current machine.
Pass is an intentionally minimal solution. It’s much simpler than most graphical password managers, favoring a file-based approach that aligns with Unix principles. A strong ecosystem of third-party projects supports the Pass core, enabling integration with other apps and operating systems.
Data importers are available for most popular password managers, including 1Password, Keepass, and Lastpass. Compatible client apps are available for Android, iOS and Windows.
dmenu users can utilize the
passmenu script to rapidly search and select passwords without opening a terminal window.
The Pass website lists many notable community projects that extend the tool’s functionality and enable data portability to other platforms. You can obtain further guidance on using Pass itself from its manual page, accessed by running
man pass in a terminal.