Sep 122012


Introducing pass

Password management should be simple and follow Unix philosophy. With pass, each password lives inside of a gpg encrypted file whose filename is the title of the website or resource that requires the password. These encrypted files may be organized into meaningful folder hierarchies, copied from computer to computer, and, in general, manipulated using standard command line file management utilities.

pass makes managing these individual password files extremely easy. All passwords live in~/.password-store and pass provides some nice commands for adding, editing, generating, and retrieving passwords. It is a very short and simple shell script. It’s capable of temporarily putting passwords on your clipboard and tracking password changes using git.

You can edit the password store using ordinary unix shell commands alongside the pass command. There are no funky file formats or new paradigms to learn. There is bash completion so that you can simply hit tab to fill in names.

The pass command is extensively documented in its man page.


Using the password store

We can list all the existing passwords in the store:

[email protected] ~ $ pass Password Store
|--- Business
| |
| |
|--- Email
| |
| |
|--- France


And we can show passwords too:

[email protected] ~ $ pass Email/ sup3rh4x3rizmynam3

Or copy them to the clipboard:

[email protected] ~ $ pass -c Email/
Copied [email protected] to clipboard.
Will clear in 45 seconds.


There will be a nice password input dialog using the standard gpg-agent (which can be configured to stay authenticated for several minutes), since all passwords are encrypted.


We can add existing passwords to the store with 
insert [email protected] ~ $ pass insert Business/cheese-whiz-factory
Enter password for Business/cheese-whiz-factory:
omg so much cheese what am i gonna do


This also handles multiline passwords or other data with –multiline or -m, and passwords can be edited in your default text editor using 
pass edit pass-name


The utility can generate new passwords using the venerable pwgen utility internally:

[email protected] ~ $ pass generate Email/ 15
The generated password to Email/ is:


It’s possible to generate passwords with no symbols using 
–no-symbols or -n
and we can copy it to the clipboard instead of displaying it at the console using 
–clip or -c.


And of course, passwords can be removed:

[email protected] ~ $ pass remove Business/cheese-whiz-factory
rm: remove regular file ‘/home/zx2c4/.password-store/Business/cheese-whiz-factory.gpg’? y
removed ‘/home/zx2c4/.password-store/Business/cheese-whiz-factory.gpg’


If the password store is a git repository, since each manipulation creates a git commit, you can synchronize the password store using pass push and pass pull, which call git-push or git-pull on the store.

You can read more examples and more features in the man page.


Setting it up

To begin, there is a single command to initialize the password store:

[email protected] ~ $ pass init "ZX2C4 Password Storage Key"
mkdir: created directory ‘/home/zx2c4/.password-store’
Password store initialized for ZX2C4 Password Storage Key.


Here, ZX2C4 Password Storage Key is the ID of my GPG key. You can use your standard GPG key or use an alternative one especially for the password store as shown above. We can additionally initialize the password store as a git repository:

[email protected] ~ $ pass git init
Initialized empty Git repository in /home/zx2c4/.password-store/.git/
[email protected] ~ $ pass git remote add origin


If a git repository is initialized, pass creates a git commit each time the password store is manipulated. There is a more detailed initialization example in the man page.



The latest version is 1.2.

Ubuntu / Debian

$ sudo apt-get install gnupg git-core pwgen tree xclip
$ wget
$ sudo dpkg -i pass_1.2-1_all.deb
$ echo "source /etc/bash_completion.d/password-store" >> ~/.bashrc
$ rm -f pass_1.2-1_all.deb

A gpg signature is available here. If you’re in a position to add this to the official Ubuntu repositories, please contact me.


Fedora / RHEL / CentOS / OpenSUSE / Mageia

$ sudo yum install
$ echo "source /etc/bash_completion.d/password-store" >> ~/.bashrc

A gpg signature is available here.



The password store currently lives in the zx2c4 overlay, which you can get using layman:

# layman -a zx2c4
# emerge -av pass
# eselect bashcomp enable --global pass



The password store currently lives in AUR, which you can fetch with packer:

$ packer -S pass
$ echo "source /etc/bash_completion.d/password-store" >> ~/.bashrc



The password store is available through the Homebrew package manager:

$ brew install pass
$ echo "source /usr/local/etc/bash_completion.d/password-store" >> ~/.bashrc



The tarball contains a generic makefile, for which a simple sudo make install should do the trick. The signature may be verified using 0xA5DE03AE.


Git Repository

You may browse the git repository or clone the repo:

$ git clone

All releases are tagged, and the tags are signed with 0xA5DE03AE.


Data Organization & Migrating to pass

The password store does not impose any particular schema or type of organization of your data, as it is simply a flat text file, which can contain arbitrary data. Though the most common case is storing a single password per entry, some power users find they would like to store more than just their password inside the password store, and additionally store answers to secret questions, website URLs, and other sensitive information or metadata. Since the password store does not impose a scheme of it’s own, you can choose your own organization. There are many possibilities. One approach is to use the multi-line functionality of pass (–multiline or -m in insert), and store the password itself on the first line of the file, and the additional information on subsequent lines. For example, Amazon/bookreader might look like this:

URL: **
Secret Question 1: What is your childhood best friend's most bizarre
superhero fantasy? Oh god, Amazon, it's too awful to say...
Phone Support PIN #: 84719

This is the preferred organzational scheme used by the author. The –clip / -c options will only copy the first line of such a file to the clipboard, thereby making it easy to fetch the password for login forms, while retaining additional information in the same file.

Another approach is to use folders, and store each piece of data inside a file in that folder.
For example Amazon/bookreader/password would hold bookreader’s password inside the Amazon/bookreader directory, and Amazon/bookreader/secretquestion1 would hold a secret question, and Amazon/bookreader/sensitivecode would hold something else related to bookreader’s account. And yet another approach might be to store the password in Amazon/bookreader and the additional data in Amazon/bookreader.meta. And even another approach might be use multiline, as outlined above, but put the URL template in the filename instead of inside the file.

The point is, the possibilities here are extremely numerous, and there are many other organizational schemes not mentioned above; you have the freedom of choosing the one that fits your workflow best.

To free password data from the clutches of other (bloated) password managers, various users have come up with different password store organizations that work best for them. Some users have contributed scripts to help import passwords from other programs:

Credit & License

pass was written by Jason A. Donenfeld of and is licensed under the GPLv2+.


 Posted by at 9:51 pm

Sorry, the comment form is closed at this time.