I used KeePass for years. Then 1Password. Then Bitwarden. All decent tools, but they always felt… like too much. Too much UI, too many features, too much hassle to integrate properly into my workflow.
Then I discovered pass. A password manager that does exactly what the name says: store passwords. Nothing more, nothing less.
What is pass?
Pass is the “standard unix password manager.” It’s a shell script of ~700 lines that stores passwords as GPG-encrypted files in a directory. That’s it. No database, no proprietary format, no built-in cloud sync.
~/.password-store/
├── email/
│   ├── gmail.gpg
│   └── protonmail.gpg
├── social/
│   └── github.gpg
└── work/
    ├── gitlab.gpg
    └── jira.gpg
Each .gpg file is an encrypted text file with your password (and optionally extra info). The directory structure is your organization. Only the file contents are encrypted: file and directory names stay readable to anyone who can see the store.
Get started in 5 minutes
Installation
# macOS
brew install pass gnupg
# Debian/Ubuntu
sudo apt install pass gnupg
# Arch
sudo pacman -S pass gnupg
You need a GPG key
Pass uses GPG for encryption. If you don’t have a GPG key yet:
gpg --full-generate-key
Choose RSA, 4096 bits, and fill in your name and email. Remember your passphrase well — you’ll need it to decrypt passwords.
Initialize the password store
# Use your GPG key ID or email
pass init "tom@example.com"
This creates ~/.password-store/ with a .gpg-id file indicating which GPG key is used.
Your first password
# Generate a new password
pass generate email/gmail 24
# Or add an existing password
pass insert social/github
That’s it. You now have a working password manager.
Retrieve a password
# Show password in terminal
pass email/gmail
# Copy to clipboard (disappears after 45 sec)
pass -c email/gmail
Why this works for me
Pass fits perfectly into a terminal-first workflow. No app that needs to start, no browser extension that needs to load. Just:
pass -c work/gitlab
And the password is in my clipboard.
But there’s more. Because pass just uses files in a directory:
- It’s searchable: pass find gitlab or just ls ~/.password-store/
- It’s scriptable: pass -c "$(find ~/.password-store -name '*jira*.gpg' | head -1 | sed 's|.*/\.password-store/||; s|\.gpg$||')"
- It integrates with everything: dmenu, rofi, fzf, Alfred, your own scripts
More than just passwords
A .gpg file can contain more than just a password. The convention is: first line is the password, then metadata.
pass edit email/gmail
SuperSecurePassword123!
---
username: tom@gmail.com
url: https://mail.google.com
otpauth://totp/Gmail:tom@gmail.com?secret=JBSWY3DPEHPK3PXP
notes: recovery email is backup@proton.me
You can even generate TOTP (2FA) codes; pass-otp reads the line that starts with otpauth://:
# With pass-otp extension
pass otp email/gmail
Git sync: the killer feature
Pass has built-in git support. This is why I’ll never go back to other password managers.
# Initialize git repo
pass git init
# Every change is automatically committed
pass generate new/password 20
# → [master 1a2b3c4] Add generated password for new/password.
# Push to remote
pass git push
Your password store is now a git repository. This means:
- Automatic backups to your git remote
- Sync between machines with just pass git pull
- Version history of all your passwords
- Conflict resolution if you modify on two machines simultaneously
I have my password store in a private GitLab repo. On a new machine:
git clone git@gitlab.com:tom/password-store.git ~/.password-store
Done. Once your GPG private key is available on that machine, all passwords are there.
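Since the whole store ends up on a git remote, it is worth checking that nothing in it is plaintext before pushing. The following is an added example, not part of pass or of the original post; the helper names `is_openpgp_message` and `find_plaintext` are hypothetical, and the check is a heuristic that looks only at the armor header or the first OpenPGP packet tag:

```bash
#!/usr/bin/env bash
# Added example (not part of pass): find files that would reach the git
# remote without OpenPGP encryption. Helper names are hypothetical.
STORE="${PASSWORD_STORE_DIR:-$HOME/.password-store}"

# Return 0 if file $1 starts like an OpenPGP encrypted message.
# Heuristic: checks the armor header or the first packet tag only.
is_openpgp_message() {
    local first
    if [ "$(head -c 27 "$1" | tr -d '\0')" = "-----BEGIN PGP MESSAGE-----" ]; then
        return 0                      # ASCII-armored (gpg --armor)
    fi
    first="$(head -c 1 "$1" | od -An -tx1 | tr -d ' \n')"
    case "$first" in
        84|85|86|c1) return 0 ;;      # public-key encrypted session key packet
        *) return 1 ;;
    esac
}

# Print store-relative paths that should not be pushed as-is: files that
# are neither *.gpg entries nor housekeeping files, and *.gpg files whose
# content does not start like an OpenPGP message.
find_plaintext() {
    local file rel
    find "$STORE" -name .git -prune -o -type f -print | sort |
    while IFS= read -r file; do
        rel="${file#"$STORE"/}"
        case "$rel" in
            .gpg-id|*/.gpg-id|.gitattributes) continue ;;   # pass/git housekeeping
            *.gpg) if is_openpgp_message "$file"; then continue; fi ;;
        esac
        printf '%s\n' "$rel"
    done
}
```

Run `find_plaintext` before `pass git push`; any path it prints is a file to encrypt or remove. A file that was already committed stays in the git history even after it is deleted.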
Browser integration
“But I want auto-fill in my browser!”
You can have that. There are extensions for Firefox and Chrome:
- Browserpass — native messaging, works well
- passff — Firefox-only, also solid
Browserpass reads your password store, matches the URL with your directory structure, and fills in. It works surprisingly well.
~/.password-store/
├── github.com/
│   └── tom.gpg # auto-matched on github.com
├── gitlab.com/
│   └── work.gpg
└── mail.google.com/
    └── personal.gpg
Fuzzy finding with fzf
This is my daily workflow. A simple script:
#!/bin/bash
# passfzf - fuzzy find and copy password
password=$(find ~/.password-store -name "*.gpg" | \
    sed 's|.*/\.password-store/||; s|\.gpg$||' | \
    fzf --height 40% --reverse)
[[ -n "$password" ]] && pass -c "$password"
Bind this to a hotkey and you have instant password lookup with fuzzy matching.
Or use rofi-pass if you use rofi:
rofi-pass
Multi-key encryption
Sharing passwords with a team? Pass supports multiple GPG keys:
pass init key1@example.com key2@example.com
Now both keys can decrypt all passwords. You can even use different keys per directory:
# Only you have access to personal/ (writes personal/.gpg-id and re-encrypts its entries)
pass init -p personal "your-key-id"
# The whole team has access to shared/
pass init -p shared key1 key2 key3
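With per-directory keys, an entry is governed by the nearest .gpg-id found when walking up from its directory to the store root. The following is an added example, not part of pass or of the original post, that reports which key ids each entry is governed by; `effective_gpg_id` and `audit_recipients` are hypothetical helper names, and the script reads only the .gpg-id files, not the encrypted files themselves:

```bash
#!/usr/bin/env bash
# Added example (not part of pass): show which GPG ids govern each entry,
# following the "nearest .gpg-id wins" rule. Helper names are hypothetical.
STORE="${PASSWORD_STORE_DIR:-$HOME/.password-store}"

# Print the path of the .gpg-id that applies to entry $1 (e.g. "shared/jira").
# Returns 1 if no .gpg-id exists between the entry and the store root.
effective_gpg_id() {
    local dir
    dir="$(dirname "$STORE/$1")"
    while :; do
        if [ -f "$dir/.gpg-id" ]; then
            printf '%s\n' "$dir/.gpg-id"
            return 0
        fi
        case "$dir" in
            "$STORE"|/|.) return 1 ;;   # reached the root (or left the store)
        esac
        dir="$(dirname "$dir")"
    done
}

# Print "entry<TAB>id1,id2,..." for every *.gpg entry in the store.
audit_recipients() {
    local file entry idfile ids
    find "$STORE" -name .git -prune -o -type f -name '*.gpg' -print | sort |
    while IFS= read -r file; do
        entry="${file#"$STORE"/}"
        entry="${entry%.gpg}"
        if idfile="$(effective_gpg_id "$entry")"; then
            # one id per line in .gpg-id; drop blank lines, join with commas
            ids="$(grep -v '^[[:space:]]*$' "$idfile" | paste -sd, -)"
        else
            ids="NO-GPG-ID"
        fi
        printf '%s\t%s\n' "$entry" "$ids"
    done
}
```

Removing a key from a .gpg-id changes who can decrypt entries once they are re-encrypted; copies of the old files that a former recipient already holds, including those in the git history, stay readable with their key.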
Pass extensions
Pass has an extension system. Useful extensions:
pass-otp
TOTP/HOTP support for 2FA:
# Add OTP
pass otp insert email/gmail
# Paste the otpauth:// URL
# Generate code
pass otp email/gmail
# → 482193
pass-tomb
Encrypt your entire password store in a Tomb container:
pass tomb open
# ... do your thing ...
pass tomb close
Extra layer of security if someone has physical access to your machine.
pass-update
Bulk update passwords:
pass update -l 32 work/*
The real downside: key management
And here we come to the flip side. Pass is so simple because it uses GPG. And GPG key management is… not simple.
Your GPG key is critical
If you lose your GPG private key, you lose all your passwords. Permanently. There’s no “forgot password” option, no support that can help you.
This means:
- Backup your GPG key in multiple places
- Remember your passphrase — consider writing it on paper in a safe
- Consider a hardware key (YubiKey) for extra security
GPG can be frustrating
GPG is powerful but also notoriously unfriendly:
gpg: decryption failed: No secret key
gpg: problem with the agent: No pinentry
gpg: public key not found
If you’re not used to GPG, the learning curve can be steep. Pinentry popups that don’t work, agents that hang, keys that aren’t found.
No built-in mobile app
There’s no official pass app. There are third-party apps:
- Android: Password Store — works well, syncs via git
- iOS: Pass for iOS — also git sync
But it’s not as polished as 1Password or Bitwarden on mobile. You need to configure git credentials, import GPG keys… it takes setup time.
No password sharing via link
“Share this password with a colleague” is not a feature. You can use multi-key encryption, but that requires everyone to have GPG keys. For quick sharing with non-techies, pass isn’t ideal.
Sync conflicts can be tricky
Git sync is great, but if you modify a password on two machines simultaneously, you get a merge conflict. In an encrypted file. That’s… not fun to resolve.
In practice this is rarely a problem if you run pass git pull before making changes. But it can happen.
When pass is perfect
Pass is ideal if:
- You’re comfortable in the terminal
- You already use GPG (or are willing to learn)
- You want control over your data (no cloud, unless you want it)
- You want to integrate it into scripts and automation
- You want a simple, auditable solution (~700 lines of bash)
When you should choose something else
Choose Bitwarden or 1Password if:
- You share passwords with non-techies (family, colleagues without GPG)
- You want a polished mobile experience without setup
- You don’t want to deal with GPG key management
- Your organization requires compliance with specific password managers
My setup
For those interested, this is how I use pass:
# ~/.zshrc
export PASSWORD_STORE_DIR="$HOME/.password-store"
export PASSWORD_STORE_CLIP_TIME=30
# Fuzzy find alias
alias p='passfzf'
# Quick copy
alias pc='pass -c'
My password store is in a private GitLab repo. I sync between laptop, desktop, and phone. The GPG key is on a YubiKey, with a backup on an air-gapped machine.
Is it more setup than Bitwarden? Yes. But it fits perfectly into my workflow, I have complete control over my data, and there’s no vendor that could decide tomorrow to raise prices or sell the company.
Conclusion
Pass is the password manager for people who love Unix philosophy: do one thing, do it well, and integrate with other tools. It’s not for everyone — the GPG dependency alone makes it unsuitable for many people.
But if you have a terminal-first workflow, if you want control over your data, and if you’re willing to take on the GPG learning curve: pass is a breath of fresh air after all the overengineered password managers.
It’s ~700 lines of bash. It stores files in a directory. It works with git. And it does exactly what it needs to do.
Sometimes simple is just better.
Resources:
- passwordstore.org — official site
- pass git repo — source code
- Browserpass — browser extension
- Password Store (Android) — Android app
