Pass is a command-line password manager built with the Unix philosophy in mind. It enables you to interact with your passwords using regular Unix commands. Credentials are stored in GPG-encrypted files.
Getting Setup
pass is available within the package managers of most popular Linux distributions. Try to install it as pass using the package manager relevant to you, such as apt for Ubuntu/Debian or yum for Fedora/RHEL. Specific guidance for each supported distribution is available on the Pass website.
Before continuing, you’ll need a GPG key available. The key will be used to encrypt the contents of your password store. You can create a new one using the following terminal command:
Follow the prompts to create your key, taking care to note down its ID. You should use the default key type (RSA and RSA) but change the keysize to 4,096 bits for maximum security.
With your GPG key available, you’re now ready to initialise pass. Run the following command, substituting placeholder-gpg-id with your own GPG ID.
A new directory, .password-store, will be created within your home folder. Pass will store your passwords here. Each password gets its own file, making it simple to backup credentials either individually or en masse.
You can optionally use multiple password stores by setting the PASSWORD_STORE_DIR environment variable in your shell. This enables you to override the default store directory and access passwords stored in an arbitrary location.
Adding Passwords to the Store
Passwords are added to the store using the pass insert command. This accepts the name of the service as an argument and interactively prompts you to enter the password.
The password will be saved to a new encrypted file inside your store. You can create a credential hierarchy by using forward slashes in your service names. This will result in a tree of subdirectories within the password store’s root.
Pass can generate new passwords for you. Use pass generate, followed by the service name and then the character length to produce. By default, a strong password consisting of alphanumeric and special characters will be created. You can prevent special characters from appearing using the --no-symbols (-n) flag.
The command shown above will generate a new 32-character password, store it as cloudsavvy/example-generated, and emit it to the terminal. You can have it copied to the clipboard instead by passing the --clip (-c) flag.
Retrieving Your Passwords
To list the names of all your passwords, run the pass command without any arguments.
To retrieve the value of a password, supply its name as the only argument to the command.
The password will be emitted to the terminal by default. You can copy it to the clipboard instead by passing the --clip (-c) flag. Clipboard data is automatically cleared after 45 seconds to maintain security.
Passwords are removed by passing a credential’s name to pass rm (e.g. pass rm cloudsavvy/example). Similarly, you can edit passwords using pass edit. The password’s file will be opened in your default text editor.
Any interactions with passwords will display a system prompt to unlock your GPG key. You’ll need to enter your key’s passphrase if it’s protected. This acts as the master key protecting your entire password store.
Multiline Passwords
Because passwords are just plain text files, it’s possible to add multiple lines of data. This is ideal when you need to store additional security details, such as two-factor authentication recovery codes.
Use the pass edit command to open a password file in your editor. Add additional lines to the file to attach any extra metadata you require. The actual password must remain on the first line, unprefixed, to ensure it’s recognized correctly by Pass’s clipboard shorthand commands.
You can save time when creating passwords by passing the --multiline (-m) option to the pass insert command. This will enable you to enter multiple lines into your terminal. Press Ctrl+D when done to save the credentials into your store.
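The steps described so far (key creation, pass init, insert, generate, list, show, rm and a multiline entry) are put together below as an added example that is not part of the original article. It runs in a throwaway GNUPGHOME and PASSWORD_STORE_DIR so it never touches a real store; the demo user ID, the sample secrets and the "key: value" metadata layout are constructed assumptions, and the passphrase-less default-type key is for the unattended demo only.

```shell
#!/bin/sh
# Added example, not from the article. Constructed values: the demo user ID,
# the sample secrets and the "key: value" metadata layout.

# The first line of a decrypted entry is the password (stdin -> stdout).
entry_password() { sed -n '1p'; }

# Value of a "key: value" metadata line. Line 1 is never read as metadata,
# so a password that itself contains a colon is not misparsed.
entry_field() {
  awk -v want="$1" 'NR > 1 {
    i = index($0, ":")
    if (i && tolower(substr($0, 1, i - 1)) == tolower(want)) {
      v = substr($0, i + 1); sub(/^[ \t]+/, "", v); print v; exit
    }
  }'
}

# Setup, insert, generate, list, show and rm in a throwaway environment.
pass_walkthrough() (
  set -e
  work=$(mktemp -d)
  trap 'gpgconf --kill gpg-agent 2>/dev/null; rm -rf "$work"' EXIT
  export GNUPGHOME="$work/gnupg" PASSWORD_STORE_DIR="$work/store"
  mkdir -m 700 "$GNUPGHOME"
  uid='Pass Demo <demo@example.invalid>'
  # Unattended demo key with no passphrase. For a real store, create the key
  # interactively (gpg --full-generate-key) and protect it with a passphrase.
  gpg --batch --quiet --passphrase '' \
      --quick-generate-key "$uid" default default never
  pass init "$uid" >/dev/null
  printf '%s\n' 'constructed:pw' 'user: alice' 'recovery: 1111-2222' |
    pass insert --multiline cloudsavvy/example >/dev/null
  pass generate cloudsavvy/example-generated 32 >/dev/null
  pass >&2                                   # entry names as a tree
  pass show cloudsavvy/example | entry_password
  pass show cloudsavvy/example | entry_field recovery
  pass show cloudsavvy/example-generated | tr -d '\n' | wc -c
  pass rm --force cloudsavvy/example >/dev/null
)
```

Call pass_walkthrough on a machine with pass and gpg installed; it prints the stored password, the recovery field and the length of the generated password.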
Git Integration
Pass has built-in support for Git. This enables you to version control your passwords and provides a simple mechanism to keep data synchronised across machines. Run pass git init to add Git to your password store.
You can now use Pass as normal. A Git commit will be created each time a password is added, changed, or removed. You can interact with the Git repository by using regular Git commands, prefixed by pass git:
The previous command adds a remote Git repository to your password store. You can then git push your passwords into it, giving you a backup in case you lose access to your current machine.
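Because each credential is a file whose path is its service name, a store synchronised through Git exposes those names to the remote even though the contents are GPG-encrypted. The following audit is an added example, not part of pass or the original article: it lists files in the store that are not OpenPGP data and the entry names visible as paths. The default store path and the skipped files (.gpg-id, .gitattributes, .git) reflect how pass lays out its store; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit a pass store before syncing it. Not part of pass.

# Print store files that are not OpenPGP data. Binary OpenPGP packets start
# with a byte whose high bit is set; armored ones with "-----BEGIN PGP".
store_plaintext_files() {
  store=${1:-${PASSWORD_STORE_DIR:-$HOME/.password-store}}
  find "$store" -name .git -prune -o -type f \
      ! -name .gpg-id ! -name .gitattributes -print |
  while IFS= read -r f; do
    first=$(od -An -tu1 -N1 "$f" | tr -d ' \n')
    head=$(dd if="$f" bs=14 count=1 2>/dev/null | tr -d '\000')
    case $f in
      *.gpg)
        if [ "${first:-0}" -ge 128 ] || [ "$head" = '-----BEGIN PGP' ]; then
          continue            # looks like OpenPGP data, nothing to report
        fi ;;
    esac
    printf '%s\n' "${f#"$store"/}"   # wrong extension, empty or plaintext
  done
}

# Entry names exactly as a Git remote sees them: the tree of file paths.
store_entry_names() {
  store=${1:-${PASSWORD_STORE_DIR:-$HOME/.password-store}}
  find "$store" -name .git -prune -o -type f -name '*.gpg' -print |
  while IFS= read -r f; do
    f=${f#"$store"/}
    printf '%s\n' "${f%.gpg}"
  done | sort
}
```

An empty result from store_plaintext_files means every credential file in the store directory is OpenPGP data; store_entry_names shows what metadata the remote can read regardless.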
Interacting with Other Tools
Pass is an intentionally minimal solution. It’s much simpler than most graphical password managers, favoring a file-based approach that aligns with Unix principles. A strong ecosystem of third-party projects supports the Pass core, enabling integration with other apps and operating systems.
Data importers are available for most popular password managers, including 1Password, KeePass, and LastPass. Compatible client apps are available for Android, iOS and Windows. dmenu users can utilize the passmenu script to rapidly search and select passwords without opening a terminal window.
The Pass website lists many notable community projects that extend the tool’s functionality and enable data portability to other platforms. You can obtain further guidance on using Pass itself from its manual page, accessed by running man pass in a terminal.