What is pass?

pass (the standard Unix password store) is a command-line password manager created by Jason A. Donenfeld (also the creator of WireGuard, the VPN protocol). Each password is stored as a GPG-encrypted file inside a directory tree at ~/.password-store/. The directory structure mirrors the organization of passwords (e.g., email/gmail, web/github).

How it works

  1. Initialize with your GPG key ID: pass init <gpg-id>
  2. Add a password: pass insert email/gmail (prompts for the password, encrypts it with GPG)
  3. Retrieve a password: pass email/gmail (decrypts with GPG, prints to stdout)
  4. Copy to clipboard: pass -c email/gmail (decrypts, copies to clipboard for 45 seconds)
  5. Generate a random password: pass generate web/newsite 20 (generates 20-char password, stores it)

The entire store is a directory of .gpg files, which means:

  • It works with Git out of the box: pass git init turns the store into a repo, and every pass insert/edit/generate auto-commits.
  • Multi-device sync is just git push / git pull.
  • Multi-user: re-encrypt the store with multiple GPG keys so a team can share passwords.
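Because entry names are plain file names and the recipients for each subtree sit in pass's .gpg-id files, a shared store can be audited without decrypting anything. The script below is an added example, not part of pass: it lists each entry with the key IDs that govern it and shows which entries a given key can read. The function names, the key IDs (ALICE_KEY_ID, BOB_KEY_ID) and the demo store are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example (not part of pass): read-only audit of a password store layout.
# Uses only file names and .gpg-id files; never calls gpg or decrypts anything.

# recipients_for STORE ENTRY: print the comma-joined key IDs from the nearest
# .gpg-id, walking up from the entry's directory to the store root.
recipients_for() {
    local store="${1%/}" dir
    dir="$(dirname "$store/$2")"
    while [ "$dir" != "$store" ] && [ ! -f "$dir/.gpg-id" ]; do
        case "$dir" in /|.) return 1 ;; esac   # never walk past the filesystem root
        dir="$(dirname "$dir")"
    done
    [ -f "$dir/.gpg-id" ] || return 1
    grep -v '^[[:space:]]*$' "$dir/.gpg-id" | sort | paste -sd, -
}

# audit_store STORE: one line per entry, "name<TAB>recipients".
audit_store() {
    local store="${1%/}" file entry
    find "$store" -name .git -prune -o -type f -name '*.gpg' -print | sort |
    while IFS= read -r file; do
        entry="${file#"$store"/}"; entry="${entry%.gpg}"
        printf '%s\t%s\n' "$entry" \
            "$(recipients_for "$store" "$entry" || echo NO-GPG-ID)"
    done
}

# entries_readable_by STORE KEYID: entries whose recipient list names KEYID,
# i.e. the secrets to rotate when that key's owner leaves the team.
entries_readable_by() {
    audit_store "$1" | awk -F'\t' -v k="$2" '
        { n = split($2, ids, ","); for (i = 1; i <= n; i++) if (ids[i] == k) print $1 }'
}

# make_demo_store: build a constructed store (placeholder key IDs, empty
# files standing in for ciphertext) and print its path.
make_demo_store() {
    local s; s="$(mktemp -d)"
    mkdir -p "$s/email" "$s/web/team"
    printf 'ALICE_KEY_ID\n' > "$s/.gpg-id"
    printf 'ALICE_KEY_ID\nBOB_KEY_ID\n' > "$s/web/team/.gpg-id"
    : > "$s/email/gmail.gpg"; : > "$s/web/github.gpg"; : > "$s/web/team/ci.gpg"
    printf '%s\n' "$s"
}

demo="$(make_demo_store)"
audit_store "$demo"
entries_readable_by "$demo" BOB_KEY_ID
rm -rf "$demo"
```

The .gpg-id files record the intended recipients only. Files that have not been re-encrypted since a recipient change, and older versions kept in Git history, may still be decryptable by a removed key, so the listed secrets should be rotated.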

Ecosystem

  • Browser extensions: browserpass, passff (Firefox)
  • Mobile: Android Password Store (Android), Pass for iOS
  • GUI: QtPass (cross-platform)
  • Alternatives: gopass — a Go rewrite that adds features (YAML secrets, AGE encryption support, improved multi-user)

Limitations

pass inherits GPG’s complexity: you need a working GPG setup, with keyring, agent, and pinentry configured, before pass works. For users frustrated with GPG, gopass with the AGE backend is an alternative.

See also

  • GPG — the encryption backend pass uses by default.
  • AGE — gopass supports AGE as an alternative to GPG.