From ArchWiki
Jump to: navigation, search

From the official website:

Password management should be simple and follow Unix philosophy. With pass, each password lives inside of a gpg encrypted file whose filename is the title of the website or resource that requires the password. These encrypted files may be organized into meaningful folder hierarchies, copied from computer to computer, and, in general, manipulated using standard command line file management utilities.

pass is a simple password manager for the command line. Pass is a shell script that makes use of existing tools like gnupg, tree and git.


Install the pass package.

Tip: An optional Qt GUI is available via the qtpass package.

Basic usage

Note: To be able to use pass, set up GnuPG.

To initialize the password store:

$ pass init <gpg-id or email>

To create a new password, first provide a descriptive hierarchical name. In this example, this is

$ pass insert

To get a view of the password store do the following. Note the example output which shows the hiearchy we just created.

$ pass
Password Store
    └── wiki
        └── username

To generate a new random password for the above example, do the following, where n is the desired password length as a number:

$ pass generate n

To retreive a password, enter the gpg passphrase at the following prompt, again using the same hierarchical example name from above:

$ pass

Users of Xorg with xclip installed can retrieve the password directly onto the clipboard temporarily (*e.g.,* to paste into web forms). To do so, do the following (again with the same example hierarchical name from above):

$ pass -c
Note: Users preferring the classical middle-click/paste can add the following to their respective ~/.shellrc for this behavior: export PASSWORD_STORE_X_SELECTION=primary

pass comes with a dmenu wrapper to enable easy searching/copying. To use it, install the optional dependency dmenu and run:

$ passmenu

Then selecting an entry will copy its password to the clipboard. See dmenu(1) for customization options such as case-insensitivity. You may want to set this to a systemwide keybinding in order to easily access passwords from any application.

Migrating to pass

There are multiple scripts listed on the pass-project page to import passwords from other programs


Since version 1.7, pass supports extensions developed by the community. These extensions extend the features of pass with the support of new commands.

Manage the whole tree of your password store encrypted inside a tomb.

Support for one-time-password (OTP) tokens.

A generic importer tool from other password managers.

An easy flow for updating passwords.

Advanced usage

Environment variables can be used to alter where pass looks to do store and git operations via:


For more information on how this can be used to support multiple pass repositories see this link.

Multiple pass Contexts (e.g. Teaming)

One can use aliases to set up different pass contexts, which helps when collaborating with different teams. We have gotten this working in bash as follows:

Add aliases to your ~/.bashrc:

 alias passred="PASSWORD_STORE_DIR=~/.pass/red PASSWORD_STORE_GIT=~/.pass/red pass"
 alias passblue="PASSWORD_STORE_DIR=~/.pass/blue PASSWORD_STORE_GIT=~/.pass/blue pass"

Add these for bash-completion to your ~/.bash_completion and make sure bash-completion is installed:

 source /usr/share/bash-completion/completions/pass
     PASSWORD_STORE_DIR=~/.pass/red/ _pass
 complete -o filenames -o nospace -F _passred passred
     PASSWORD_STORE_DIR=~/.pass/blue/ _pass
 complete -o filenames -o nospace -F _passblue passblue

Now you can initialize into ~/.pass/red and ~/.pass/blue and have two pass contexts with the passred and passblue aliases. You can generalize this further into as many contexts as you like.

Integration into git

You can use pass as a credentials helper for git. Install the pass-git-helperAUR or pass-git-helper-gitAUR package.


Detail are described in the github README file.

git Configuration

Install pass-git-helper as a git credentials helper by calling

git config --global credential.helper /usr/bin/pass-git-helper

Mapping File

Create the file ~/.config/pass-git-helper/git-pass-mapping.ini. It is used to map git remote hosts to your pass database. The format is something like this:



You can use wildcards in the host part, as shown in the example.

Password Store Layout

As usual with pass, the helper assumes that the password is contained in the first line of the passwordstore entry. Additionally, if a second line is present, this line is interpreted as the username.

For this to work, you have to use pass insert --multiline to create a multi line password store entry.

See also