Pass is a command-line password manager built with the Unix philosophy in mind. It allows you to interact with your passwords using common Unix commands. Credentials are stored in GPG-encrypted files.
Pass is available in the package managers of the most popular Linux distributions. Try installing it as pass using the package manager relevant to you, such as apt for Ubuntu / Debian or yum for Fedora / RHEL. Specific guidelines for each supported distribution are available on the Pass website.
Before proceeding you will need a GPG key. The key is used to encrypt the contents of your password store. You can create a new one using the following terminal command:
Follow the instructions to create your key and make sure to write down the ID. You must use the default key type (RSA and RSA), but change the key size to 4,096 bits for maximum security.
With your GPG key available, you are now ready to initialize pass. Run the following command and replace placeholder-gpg-id with your own GPG ID.
pass init placeholder-gpg-id
A new directory, .password-store, will be created in your home folder. Pass stores your passwords here. Each password gets its own file, making it easy to back up login data, individually or in bulk.
You can optionally use multiple password stores by setting the PASSWORD_STORE_DIR environment variable in your shell. This allows you to override the default storage folder and access passwords stored in any location.
Add passwords to the store
Passwords are added to the store with the pass insert command. This takes the name of the service as an argument and interactively prompts you to enter the password.
The password will be saved in a new encrypted file in your store. You can create a reference hierarchy by using slashes in your service names. This results in a tree of subfolders at the root of the password store.
Pass can generate new passwords for you. Use pass generate followed by the service name and then the character length to be produced. By default, a strong password is created consisting of alphanumeric and special characters. You can prevent special characters from appearing with the --no-symbols flag:
pass generate cloudsavvy/example-generated 32 --no-symbols
The above command will generate a new 32-character password, save it as cloudsavvy/example-generated, and print it to the terminal. You can have it copied to the clipboard by using the
Retrieve your passwords
To display the names of all your passwords, run the pass command without any arguments.
To get the value of a password, enter its name as the sole argument to the command.
The password is printed to the terminal by default. You can instead copy it to the clipboard by using the -c flag. Clipboard data is automatically cleared after 45 seconds to maintain security.
Passwords are removed by passing the name of a credential to pass rm (e.g. pass rm cloudsavvy/example). Likewise, you can edit passwords with pass edit. The password file will open in your default text editor.
Any interaction with passwords will bring up a system prompt to unlock your GPG key. You will need to enter your key passphrase if it is secured. This acts as the master key that protects your entire password store.
Since passwords are just text files, it is possible to add multiple lines of data. This is ideal when you need to store additional security information, such as recovery codes for two-factor authentication.
Use the pass edit command to open a password file in your editor. Add extra lines to the file to include any additional metadata you need. The actual password must remain on the first line, without a prefix, to ensure that it is correctly recognized by Pass's clipboard shortcut commands.
You can save time creating passwords by using the -m option to the pass insert command. This allows you to enter multiple lines in your terminal. Press Ctrl + D when ready to save the credentials to your store.
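The first-line rule described above can be checked mechanically. The following is an added example, not code from the original article or from the Pass project; the "key: value" layout for the extra lines, the function names and the sample entries are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: checks on the decrypted text of one Pass entry, read from stdin.
# Assumption: extra lines use "key: value"; the article only says "extra lines".

# First line only: the value the -c clipboard shortcut treats as the password.
entry_password() { sed -n '1p'; }

# Value of a named metadata line found after line 1.
entry_field() {   # $1 = key
    awk -v k="$1" 'NR > 1 {
        i = index($0, ": ")
        if (i > 0 && substr($0, 1, i - 1) == k) { print substr($0, i + 2); exit }
    }'
}

# Prints "ok", or the reason the first line is not a bare password.
lint_entry() {
    first=$(sed -n '1p')
    case "$first" in
        "") echo "empty-first-line" ;;
        [Pp]assword:*|[Pp]ass:*) echo "prefixed-first-line" ;;
        *) echo "ok" ;;
    esac
}

# Constructed sample entries (not real credentials).
GOOD_ENTRY='Xq7-constructed-secret
username: alice@example.com
recovery: 1111-2222'
BAD_ENTRY='password: Xq7-constructed-secret
username: alice@example.com'
```

For a real entry, pipe the decrypted text in, for example: pass show cloudsavvy/example | lint_entry.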
Pass has built-in support for Git. This allows you to version control your passwords and provides a simple mechanism for keeping data synchronized between machines. Run pass git init to add Git to your password store.
You can now use Pass as normal. Every time a password is added, changed, or removed, a Git commit is created. You can interact with the Git repository by using normal Git commands preceded by pass:
pass git remote add origin example-server:/passwords.git
pass git push -u origin master
The previous command adds an external Git repository to your password store. You can then git push your passwords to it, so you have a backup in case you lose access to your current machine.
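Because each password is a separate file named after its service, the names themselves are not encrypted; only the file contents are. The following added example (not from the original article or the Pass project) lists what anyone who can read the store's files, such as a backup location or the Git remote, learns without the GPG key. The function names and the sample store are constructed for illustration.

```shell
#!/bin/sh
# Added example: what a Pass store reveals to a reader who lacks the GPG key.
# Usage: store_visible_names "${PASSWORD_STORE_DIR:-$HOME/.password-store}"

# Entry names are just file paths relative to the store root.
store_visible_names() {   # $1 = store directory
    ( cd "$1" && find . -path ./.git -prune -o -type f -name '*.gpg' -print |
        sed -e 's|^\./||' -e 's|\.gpg$||' | LC_ALL=C sort )
}

# Key IDs the store encrypts to, as recorded by pass init in .gpg-id.
store_recipients() {      # $1 = store directory
    [ -f "$1/.gpg-id" ] && cat "$1/.gpg-id" || echo "missing-gpg-id"
}

# Files or directories that group or other users on this machine can read.
store_loose_perms() {     # $1 = store directory
    ( cd "$1" && find . -path ./.git -prune -o \
        \( -perm -040 -o -perm -004 \) -print | LC_ALL=C sort )
}

# Constructed sample store; the .gpg files are empty stand-ins, not ciphertext.
make_sample_store() {
    d=$(mktemp -d) && chmod 700 "$d"
    mkdir -p "$d/cloudsavvy" && chmod 700 "$d/cloudsavvy"
    echo "placeholder-gpg-id" > "$d/.gpg-id"
    : > "$d/cloudsavvy/example.gpg"
    : > "$d/cloudsavvy/example-generated.gpg"
    chmod 600 "$d/.gpg-id" "$d/cloudsavvy/example.gpg"
    chmod 644 "$d/cloudsavvy/example-generated.gpg"   # deliberately too open
    echo "$d"
}
```

If the service names are themselves sensitive, treat the remote repository and any backups as holding that list in the clear.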
Pass is an intentionally minimal solution. It is much simpler than most graphical password managers and prefers a file-based approach that adheres to Unix principles. A strong ecosystem of third-party projects supports the Pass core, allowing integration with other apps and operating systems.
Data importers are available for the most popular password managers, including 1Password, KeePass and LastPass. Compatible client apps are available for Android, iOS and Windows.
dmenu users can use the passmenu script to quickly find and select passwords without opening a terminal window.
The Pass website features many notable community projects that extend the functionality of the tool and enable data portability to other platforms. You can find out more about using Pass itself on the manual page, accessible by running man pass in a terminal.