The Unix Password Manager

6 minute read



As the number of username-passwords we need to remember increases, password managers are becoming more and more relevant. By using a password manager we no longer have to revert our password because we can’t remember the variation we used for that particular website, or use the same one everywhere. But chances are you already know that since you came across this post, so let’s cut to the chase and talk about pass, the standard unix password manager.

Pass is a simple password manager that stores our credentials in gpg encrypted files, where the filenames correspond to the respective titles of the service / website.

We can also utilize the build-in git integration to keep those credentials synced between our devices - including Android, iOS devices windows computers etc.


Create a PGP key

In order to start using pass, we need a PGP key with encryption capabilities.

In most Linux distributions GnuPG toolchain should already be installed and is avaliable through their package managers. If not, get the latest verion from GnuPG website. Make sure you use a GnuPG version > 2 (in Ubuntu for example, that would be the gpg2 command):

$ gpg --version
gpg (GnuPG) 2.2.5
libgcrypt 1.8.2
Copyright (C) 2018 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Home: /home/mike/foo
Supported algorithms:
Hash: SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224
Compression: Uncompressed, ZIP, ZLIB, BZIP2

So let’s generate our gpg key using the following command:

$ gpg --full-generate-key 

I went with the default options for the key type (RSA and RSA), and the key size (2048). I could have selected a 4096-bits long key, but I intend to use with my YubiKey Neo and it doesn’t support 4096-bit keys yet. I then specified the valid until date, my name - email, a password. Make sure you don’t forget that key’s password cause every password managed by pass is encrypted with that private key. But we used to remember our credentials for all those services that we use so a single key’s password won’t be much of an issue!

We can verify that the key was successfully generated, using the command below:

$ gpg -K
gpg: checking the trustdb
gpg: marginals needed: 3  completes needed: 1  trust model: pgp
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: next trustdb check due at 2019-06-10
sec   rsa2048 2018-06-10 [SC] [expires: 2019-06-10]
uid           [ultimate] Michail Mylonakis (My gpg key) <>
ssb   rsa2048 2018-06-10 [E] [expires: 2019-06-10] 

Install pass

Pass is available on all major linux distributions, so it should be easy to install using the package manager. In Arch linux that would be pacman, and we can easily install pass.

$ pacman -S pass 

Initialise pass

In order to set up pass, we need to run the following:

$ pass init 

Note that we used the same email address of our secret gpg key. Let’s also enable the git integration:

$ pass git init

Now our password store (the ~/.password-store directory) is a git repository, so we can utilize git to keep our password synced between our multiple devices (we ll see how in a next section).

Export the private key

Now let’s export our private key so that we can import it into our other devices. It also makes sense to save it somewhere “safe” as a backup.

$ gpg --export-secret-keys > secret.asc

Using pass

Generate a new pass

Now we are ready to start using pass. Let’s generate our first simple password, for the website

$ pass generate 10
  [master e065551] Add generated password for
   1 file changed, 0 insertions(+), 0 deletions(-)
   create mode 100644
  The generated password for is:

In the last line above, we see the (randomly) generated password. The number 10 that we passed as the last argument of the pass generate command specifies the password length. We can use the -n or --no-symbols option to blacklist specific chars. Our password is stored at the file ~/.password-store/ in an encrypted format.

Insert an existing password

Now let’s insert an already existing password.

$ pass insert social/twitter
  mkdir: created directory '/home/mike/.password-store/social'
  Enter password for social/twitter: 
  Retype password for social/twitter: 
  [master d2f3237] Add given password for social/twitter to store.
   1 file changed, 0 insertions(+), 0 deletions(-)
   create mode 100644 social/twitter.gpg 

We can organize the password store directory structure into categories, as seen bellow.

Update an existing password

We can update an existing password like this:

$ pass edit social/twitter

or have pass generate a new password for us.

$ pass generate -i social/twitter

Retrieve a password

We can see what passwords exist in the password store usgin the pass ls command:

$ pass ls
  Password Store
  ├── social
  │   └── twitter

We can reveal a password like this:

$ pass 

If we pass the -c flag on the above command the password is copied to our clipboard and stays there for 45 seconds by default.

Store more details

Another interesting feature of pass is that we can store more details alongside with the password - just make sure that the first line contains the password as that’s what pass copies into our clipboard. We can edit an existing password using the pass edit command, in which case the text editor specified by the $EDITOR env variable will open up and let us modify the file. We can also use the -m flag in the pass insert command to add the details in one go:

$ pass insert -m github
  Enter contents of github and press Ctrl+D when finished:
  username: myusername
  [master 791253d] Add given password for github to store.
   1 file changed, 0 insertions(+), 0 deletions(-)
   create mode 100644 github.gpg 

Remove a password

We can easily remove an existing password:

$ pass rm github 
  Are you sure you would like to delete github? [y/N] y
  removed '/home/mike/.password-store/github.gpg'
  [master 99c7fda] Remove github from store.
   1 file changed, 0 insertions(+), 0 deletions(-)
   delete mode 100644 github.gpg 

Git integration

Interacting with the git repo

As we have enabled git integration in the beginning of this guide our passwords are stored encrypted in a full-fledged git repository. We can examine the repo using the normal git commands prepended by pass:

$ pass git log
  commit 791253d6ad8bd4149f1106a3a32f1d65c55c34df (HEAD -> master)
  Author: Mike <>
  Date:   Sat Jun 16 17:58:00 2018 +0100
      Add given password for github to store.
  commit 99c7fdaf5a902f2dd6e31f211933fdb950b8548b
  Author: Mike <>
  Date:   Sat Jun 16 17:53:41 2018 +0100
      Remove github from store.
  commit 53f887ce03aadbe865daead5923fb6dbb2e44b26
  Author: Mike <>
  Date:   Sat Jun 16 17:51:23 2018 +0100
      Edit password for using vi.

Adding a remote

We can easily add a remote so that we can clone the repo from other devices. Note however that, although our passwords are encrypted (so without our private key they cannot be decrypted) the filenames are not encrypted so one could see the websites / services that we maintain an account.

We could use a private or a self-hosted git repository as a workaround:

$ pass git remote add origin 

And then push our password-store to the remote:

$ pass git push origin master 

Now all we have to do is import our private key (using the .asc file that we have exported) into our other device and clone the repo to start using pass and have our passwords synced!


Pass is a very simple but powerful password manager that is open source (thus free) easy to use and can keep our passwords synced across many devices. There are also some very cool pass clients and extensions that make working with pass even easier.