pass (1) - Linux Manuals
pass: stores, retrieves, generates, and synchronizes passwords securely
NAME
pass - stores, retrieves, generates, and synchronizes passwords securely
SYNOPSIS
pass [ COMMAND ] [ OPTIONS ]... [ ARGS ]...
DESCRIPTION
pass is a very simple password store that keeps passwords inside gpg2(1) encrypted files inside a simple directory tree residing at ~/.password-store. The pass utility provides a series of commands for manipulating the password store, allowing the user to add, remove, edit, synchronize, generate, and manipulate passwords.
If no COMMAND is specified, COMMAND defaults to either show or ls, depending on the type of specifier in ARGS. Otherwise COMMAND must be one of the valid commands listed below.
Several of the commands below rely on or provide additional functionality if the password store directory is also a git repository. If the password store directory is a git repository, all password store modification commands will cause a corresponding git commit. See the EXTENDED GIT EXAMPLE section for a detailed description using init and git(1).
The init command must be run before other commands in order to initialize the password store with the correct gpg key id. Passwords are encrypted using the gpg key set with init.
There is a corresponding bash completion script for use with tab completing password names in bash(1).
COMMANDS
- init [ --reencrypt, -e ] [ --path=sub-folder, -p sub-folder ] gpg-id...
- Initialize new password storage and use gpg-id for encryption. Multiple gpg-ids may be specified, in order to encrypt each password with multiple ids. This command must be run first before a password store can be used. If --reencrypt or -e is specified, reencrypt all existing passwords in the password store using gpg-id. Note that use of gpg-agent(1) is recommended so that the batch decryption does not require as much user intervention. If --path or -p is specified, along with an argument, a specific gpg-id or set of gpg-ids is assigned for that specific sub folder of the password store.
- ls subfolder
- List names of passwords inside the tree at subfolder by using the tree(1) program. This command is alternatively named list.
- show [ --clip, -c ] pass-name
- Decrypt and print a password named pass-name. If --clip or -c is specified, do not print the password but instead copy the first line to the clipboard using xclip(1) and then restore the clipboard after 45 (or PASSWORD_STORE_CLIP_TIME) seconds.
- insert [ --echo, -e | --multiline, -m ] [ --force, -f ] pass-name
- Insert a new password into the password store called pass-name. This will read the new password from standard in. If --echo or -e is not specified, disable keyboard echo when the password is entered and confirm the password by asking for it twice. If --multiline or -m is specified, lines will be read until EOF or Ctrl+D is reached. Otherwise, only a single line from standard in is read. Prompt before overwriting an existing password, unless --force or -f is specified.
- edit pass-name
- Insert a new password or edit an existing password using the default text editor specified by the environment variable EDITOR or using vi(1) as a fallback. This mode makes use of temporary files for editing, but care is taken to ensure that temporary files are created in /dev/shm in order to avoid writing to difficult-to-erase disk sectors. If /dev/shm is not accessible, fall back to the ordinary TMPDIR location and print a warning.
- generate [ --no-symbols, -n ] [ --clip, -c ] [ --force, -f ] pass-name pass-length
- Generate a new password using pwgen(1) of length pass-length and insert into pass-name. If --no-symbols or -n is specified, do not use any non-alphanumeric characters in the generated password. If --clip or -c is specified, do not print the password but instead copy it to the clipboard using xclip(1) and then restore the clipboard after 45 (or PASSWORD_STORE_CLIP_TIME) seconds. Prompt before overwriting an existing password, unless --force or -f is specified.
- rm [ --recursive, -r ] [ --force, -f ] pass-name
- Remove the password named pass-name from the password store. This command is alternatively named remove or delete. If --recursive or -r is specified, delete pass-name recursively if it is a directory. If --force or -f is specified, do not interactively prompt before removal.
- git git-command-args...
- If the password store is a git repository, pass git-command-args as arguments to git(1) using the password store as the git repository. If git-command-args is init, in addition to initializing the git repository, add the current contents of the password store to the repository in an initial commit. If the git config key pass.signcommits is set to true, then all commits will be signed using user.signingkey or the default git signing key. This config key may be turned on using: `pass git config --bool --add pass.signcommits true`
- help
- Show usage message.
- version
- Show version information.
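The store is an ordinary directory tree, so entry names and folder structure are plaintext to anyone who can read the directory or its git remote; only file contents are encrypted. The following added example (not part of pass or of this manual) walks a store and reports, for each entry, which gpg-ids apply to it after `init --path`. It assumes that pass records the ids given to init in a `.gpg-id` file in the store root or sub-folder, which this page does not name; the function names and the sample store are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: map each pass entry to its gpg-ids from the plaintext layout only.

# effective_ids STORE ENTRY: print the ids from the nearest .gpg-id file at or
# above the entry's folder, comma-joined; return 1 if none exists.
effective_ids() {
    local store dir
    store=${1%/}
    dir=$(dirname "$store/$2")
    while [ "${dir#"$store"}" != "$dir" ]; do
        if [ -f "$dir/.gpg-id" ]; then
            paste -sd, "$dir/.gpg-id"
            return 0
        fi
        [ "$dir" = "$store" ] && break
        dir=$(dirname "$dir")
    done
    return 1
}

# list_entries STORE: one "name<TAB>ids" line per *.gpg file, skipping .git.
list_entries() {
    local store f name
    store=${1%/}
    find "$store" -name .git -prune -o -type f -name '*.gpg' -print | sort |
    while IFS= read -r f; do
        name=${f#"$store"/}
        name=${name%.gpg}
        printf '%s\t%s\n' "$name" "$(effective_ids "$store" "$name" || echo NONE)"
    done
}

# make_sample_store: constructed store; the .gpg files are empty placeholders
# and the example.org ids are made up.
make_sample_store() {
    local s
    s=$(mktemp -d)
    mkdir -p "$s/Email" "$s/Business/clients"
    printf 'Jason@zx2c4.com\n' > "$s/.gpg-id"
    printf 'team-a@example.org\nteam-b@example.org\n' > "$s/Business/.gpg-id"
    : > "$s/Email/zx2c4.com.gpg"
    : > "$s/Business/cheese-whiz-factory.gpg"
    : > "$s/Business/clients/acme.gpg"
    printf '%s\n' "$s"
}

store=$(make_sample_store)
list_entries "$store"
rm -rf "$store"
```

An entry reported as NONE has no `.gpg-id` at or above its folder, which means init was never run for that part of the tree.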
SIMPLE EXAMPLES
- Initialize password store

    zx2c4@laptop ~ $ pass init Jason@zx2c4.com
    mkdir: created directory ‘/home/zx2c4/.password-store’
    Password store initialized for Jason@zx2c4.com.

- List existing passwords in store

    zx2c4@laptop ~ $ pass
    Password Store
    ├── Business
    │   ├── some-silly-business-site.com
    │   └── another-business-site.net
    ├── Email
    │   ├── donenfeld.com
    │   └── zx2c4.com
    └── France
        ├── bank
        ├── freebox
        └── mobilephone

    Alternatively, "pass ls".

- Show existing password

    zx2c4@laptop ~ $ pass Email/zx2c4.com
    sup3rh4x3rizmynam3

- Copy existing password to clipboard

    zx2c4@laptop ~ $ pass -c Email/zx2c4.com
    Copied Email/jason@zx2c4.com to clipboard. Will clear in 45 seconds.

- Add password to store

    zx2c4@laptop ~ $ pass insert Business/cheese-whiz-factory
    Enter password for Business/cheese-whiz-factory: omg so much cheese what am i gonna do

- Add multiline password to store

    zx2c4@laptop ~ $ pass insert -m Business/cheese-whiz-factory
    Enter contents of Business/cheese-whiz-factory and press Ctrl+D when finished:
    Hey this is my
    awesome
    multi
    line
    passworrrrrrrrd.
    ^D

- Generate new password

    zx2c4@laptop ~ $ pass generate Email/jasondonenfeld.com 15
    The generated password to Email/jasondonenfeld.com is:
    $(-QF&Q=IN2nFBx

- Generate new alphanumeric password

    zx2c4@laptop ~ $ pass generate -n Email/jasondonenfeld.com 12
    The generated password to Email/jasondonenfeld.com is:
    YqFsMkBeO6di

- Generate new password and copy it to the clipboard

    zx2c4@laptop ~ $ pass generate -c Email/jasondonenfeld.com 19
    Copied Email/jasondonenfeld.com to clipboard. Will clear in 45 seconds.

- Remove password from store

    zx2c4@laptop ~ $ pass remove Business/cheese-whiz-factory
    rm: remove regular file ‘/home/zx2c4/.password-store/Business/cheese-whiz-factory.gpg’? y
    removed ‘/home/zx2c4/.password-store/Business/cheese-whiz-factory.gpg’

EXTENDED GIT EXAMPLE
Here, we initialize a new password store, create a git repository, and then manipulate and sync passwords. Make note of the arguments to the first call of pass git push; consult git-push(1) for more information.

    zx2c4@laptop ~ $ pass init Jason@zx2c4.com
    mkdir: created directory ‘/home/zx2c4/.password-store’
    Password store initialized for Jason@zx2c4.com.

    zx2c4@laptop ~ $ pass git init
    Initialized empty Git repository in /home/zx2c4/.password-store/.git/
    [master (root-commit) 998c8fd] Added current contents of password store.

    zx2c4@laptop ~ $ pass git remote add origin kexec.com:pass-store

    zx2c4@laptop ~ $ pass generate Amazon/amazonemail@email.com 21
    mkdir: created directory ‘/home/zx2c4/.password-store/Amazon’
    [master 30fdc1e] Added generated password for Amazon/amazonemail@email.com to store.
    1 file changed, 0 insertions(+), 0 deletions(-)
    create mode 100644 Amazon/amazonemail@email.com.gpg
    The generated password to Amazon/amazonemail@email.com is:
    <5m,_BrZY`antNDxKN<0A

    zx2c4@laptop ~ $ pass git push -u --all
    Counting objects: 4, done.
    Delta compression using up to 2 threads.
    Compressing objects: 100% (3/3), done.
    Writing objects: 100% (4/4), 921 bytes, done.
    Total 4 (delta 0), reused 0 (delta 0)
    To kexec.com:pass-store
    * [new branch] master -> master
    Branch master set up to track remote branch master from origin.

    zx2c4@laptop ~ $ pass insert Amazon/otheraccount@email.com
    Enter password for Amazon/otheraccount@email.com: som3r3a11yb1gp4ssw0rd!!88**
    [master b9b6746] Added given password for Amazon/otheraccount@email.com to store.
    1 file changed, 0 insertions(+), 0 deletions(-)
    create mode 100644 Amazon/otheraccount@email.com.gpg

    zx2c4@laptop ~ $ pass rm Amazon/amazonemail@email.com
    rm: remove regular file ‘/home/zx2c4/.password-store/Amazon/amazonemail@email.com.gpg’? y
    removed ‘/home/zx2c4/.password-store/Amazon/amazonemail@email.com.gpg’
    rm 'Amazon/amazonemail@email.com.gpg'
    [master 288b379] Removed Amazon/amazonemail@email.com from store.
    1 file changed, 0 insertions(+), 0 deletions(-)
    delete mode 100644 Amazon/amazonemail@email.com.gpg

    zx2c4@laptop ~ $ pass git push
    Counting objects: 9, done.
    Delta compression using up to 2 threads.
    Compressing objects: 100% (5/5), done.
    Writing objects: 100% (7/7), 1.25 KiB, done.
    Total 7 (delta 0), reused 0 (delta 0)
    To kexec.com:pass-store

FILES
ENVIRONMENT VARIABLES
AUTHOR
pass was written by Jason A. Donenfeld. For updates and more information, a project page is available on the World Wide Web
COPYING
This program is free software; you can redistribute it and/or
modify it under the terms of the GNU General Public License
as published by the Free Software Foundation; either version 2
of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.