GPG + Git: The pass Password Manager


As much as I’d like to see a world where PKI is used to secure digital resources, the status quo is a world often secured by passwords. Passwords are hard to remember, and easy to lose. We should use complex, hard-to-guess passwords. We should use separate passwords for every site. We should keep passwords to ourselves instead of sharing accounts with other users. All of these things add up to more than most minds should be taxed with.

The good news is: password managers can help!

Password Managers

A password manager is an application that stores a collection of passwords in an encrypted database. Typically, a single master password is used to protect this encrypted database. This means that you only need to remember one long and complex password instead of hundreds.

The two password managers I hear about most often are LastPass, a free browser-based tool, and 1Password, a paid desktop and mobile application, but there are many alternatives. Others include KeePassX and Bruce Schneier’s Password Safe.

A DIY Password Manager

Since learning more about how to use GnuPG for encryption, I started to work on a design for a new password manager that would store passwords in text files encrypted with gpg and stored in a git repository. I’ve found gpg to be a good tool for encrypting text and git to be a good way to both track changes and keep data in sync across multiple systems.

As these things go, I didn’t get very far before finding out that someone has already made almost exactly the tool I was working on!


It’s called “pass“, and it comes with a descriptive (if presumptuous) tagline: “the standard unix password manager.”

Pass stores passwords as encrypted files in a directory hierarchy (under ~/.password-store by default) that can optionally be kept in git.

Getting Started

1. Installation

Mac OS X, using Homebrew:

brew install pass

Debian-based Linux distros:

sudo apt-get install pass

RedHat-based Linux distros:

sudo yum install pass

2. Create the Store

$ pass init 0x1CC4DD0DBEA0E1BE
Password store initialized for 0x1CC4DD0DBEA0E1BE
$ pass git init
Initialized empty Git repository in /Users/english/.password-store/.git/
[master (root-commit) cbbb662] Added current contents of password store.
 1 file changed, 1 insertion(+)
 create mode 100644 .gpg-id

3. Store a Password

$ pass insert work/printer
Enter password for work/printer:
Retype password for work/printer:
[master 3a99ccf] Added given password for work/printer to store.
 1 file changed, 0 insertions(+), 0 deletions(-)
 create mode 100644 work/printer.gpg

4. Retrieve a Password

$ pass work/printer

I have a GUI pin entry program that prompts me for the PIN to my smartcard before the password is decrypted and displayed.

It’s also worth noting that with the bash or zsh completion scripts installed, you can tab-complete the paths to your passwords, i.e. pass work/p<TAB>.

You can also copy a password directly to your clipboard, by using the -c flag:

$ pass -c work/printer

This is usually what I want to do when retrieving a password.

Other Features

pass has a number of other features that are quite useful, like the ability to generate new passwords, and the ability to store “multiline passwords” which could be used for other types of sensitive information.

My Wishlist

Shared Passwords

I know, I know! Don’t share passwords! But, the current reality is that sometimes you don’t have an alternative. The one thing that pass doesn’t seem to do (yet?) is allow a password store to be shared between multiple users. I would love to see pass (or something like it) extended to support multiple recipients on the encrypted files in its store. Bonus points for a feature reminding you to change passwords after removing recipients!

Multiple Stores

Going hand-in-hand with the above, if pass allowed for managing portions of your password store as separate Git repos, you could have a private “home” repo and a shared “work” repo.

Rotation Reminders

A feature that kept track of when you last changed a password would be helpful, not only for regular good password hygiene, but especially when combined with news of data breaches.

UPDATE: On Twitter, Pierre Chapuis kindly informed me that since v1.5, pass has allowed sub-directories within the store to have different recipient lists, including multiple recipients. Look in the manpage at the -p flag of pass init for more details.