pass
pass is a command-line password manager that stores, retrieves, generates, and synchronizes passwords securely. It integrates directly with the user's PGP keys to store password in encrypted format on disk. Pass is written in Bash and was created by Gentoo developer Jason A. Donenfeld (Zx2c4) .
Installation
USE flags
USE flags for app-admin/pass Stores, retrieves, generates, and synchronizes passwords securely
+git
|
Use dev-vcs/git for password revisions. |
X
|
Use x11-misc/xclip to copy passwords to the clipboard. |
dmenu
|
Add support for x11-misc/dmenu with the 'passmenu' program. |
emacs
|
Add support for GNU Emacs |
importers
|
Allow importing passwords from other password managers using various contributed scripts. |
wayland
|
Enable dev-libs/wayland backend |
Emerge
root #
emerge --ask app-admin/pass
Additional software
Plugins
- app-admin/pass-audit::guru - Audit your password repository.
- app-admin/pass-otp - Manage and generate one-time passwords (OTP).
- app-admin/pass-update::guru - Update your passwords.
Browser add-ons
Compatible tools
CLI:
- app-admin/gopass - Go implementation of pass.
GUI:
- app-admin/qtpass - Qt GUI for pass.
- gui-apps/tessen::guru - Interactive menu to autotype and copy pass data.
- kde-misc/plasma-pass - Plasma applet to access passwords from pass.
Configuration
For initial steps and configuration read the pass man pages:
user $
man pass
Usage
pass-otp
Adding a pass entry for the user larry:
user $
pass edit gentoo/larry
Example pass entry generating (OTP) one-time passwords:
user $
pass show gentoo/larry
otpauth://totp/larry@gentoo?secret=ZBURIWIVW5UQP4F5PYZ75LHTXU======
Generating a (OTP) one-time password using pass otp command:
user $
pass otp gentoo/larry
076884
ViM
Users of Vim or Neovim should configure the editor not to write the password to disk when using pass edit command,
which can inadvertently happen with options such as swapfile
and undofile
. There is a plugin to set the appropriate options when the editor is editing a password file at https://dev.sanctum.geek.nz/cgit/vim-redact-pass.git. Like other Vim plugins, this can be installed using a plugin manager or by placing the files in an appropriate location manually.
Invocation
user $
pass --help
============================================ = pass: the standard unix password manager = = = = v1.7.4 = = = = Jason A. Donenfeld = = Jason@zx2c4.com = = = = http://www.passwordstore.org/ = ============================================ Usage: pass init [--path=subfolder,-p subfolder] gpg-id... Initialize new password storage and use gpg-id for encryption. Selectively reencrypt existing passwords using new gpg-id. pass [ls] [subfolder] List passwords. pass find pass-names... List passwords that match pass-names. pass [show] [--clip[=line-number],-c[line-number]] pass-name Show existing password and optionally put it on the clipboard. If put on the clipboard, it will be cleared in 45 seconds. pass grep [GREPOPTIONS] search-string Search for password files containing search-string when decrypted. pass insert [--echo,-e | --multiline,-m] [--force,-f] pass-name Insert new password. Optionally, echo the password back to the console during entry. Or, optionally, the entry may be multiline. Prompt before overwriting existing password unless forced. pass edit pass-name Insert a new password or edit an existing password using /usr/bin/vim. pass generate [--no-symbols,-n] [--clip,-c] [--in-place,-i | --force,-f] pass-name [pass-length] Generate a new password of pass-length (or 25 if unspecified) with optionally no symbols. Optionally put it on the clipboard and clear board after 45 seconds. Prompt before overwriting existing password unless forced. Optionally replace only the first line of an existing file with a new password. pass rm [--recursive,-r] [--force,-f] pass-name Remove existing password or directory, optionally forcefully. pass mv [--force,-f] old-path new-path Renames or moves old-path to new-path, optionally forcefully, selectively reencrypting. pass cp [--force,-f] old-path new-path Copies old-path to new-path, optionally forcefully, selectively reencrypting. pass git git-command-args... If the password store is a git repository, execute a git command specified by git-command-args. pass help Show this text. pass version Show version information. More information may be found in the pass(1) man page.
Removal
Unmerge
root #
emerge --ask --depclean --verbose app-admin/pass
See also
- KeePassXC/cli — a command line interface for the KeePassXC password manager.
- Password management tools — This meta article is dedicated to secure password generation, auditing of generated passwords for security, and management of existing passwords.
- Jason A. Donenfeld (Zx2c4) 's wiki page.
- Google Authenticator — describes an easy way to setup two-factor authentication on Gentoo.
- OATH-Toolkit — toolkit for (OTP) One-Time Password authentication using HOTP/TOTP algorithms.
External resources
- List of integrations on project website.
- https://vitalyparnas.com/guides/pass/ - A blog post covering clever uses of pass.