PASS(1) Password Store PASS(1)
NAME
pass - stores, retrieves, generates, and synchronizes passwords securely
SYNOPSIS
pass [ COMMAND ] [ OPTIONS ]... [ ARGS ]...
DESCRIPTION
pass is a very simple password store that keeps passwords inside
gpg2(1) encrypted files inside a simple directory tree residing at
~/.password-store. The pass utility provides a series of commands for
manipulating the password store, allowing the user to add, remove,
edit, synchronize, generate, and manipulate passwords.
If no COMMAND is specified, COMMAND defaults to either show or ls,
depending on the type of specifier in ARGS. Otherwise COMMAND must be
one of the valid commands listed below.
The init command must be run before other commands in order to initialize
the password store with the correct gpg key id. Passwords are
encrypted using the gpg key set with init.
There is a corresponding bash completion script for use with tab completing
password names in bash(1).
COMMANDS
init [ --path=sub-folder, -p sub-folder ] gpg-id...
Initialize new password storage and use gpg-id for encryption.
Multiple gpg-ids may be specified, in order to encrypt each
password with multiple ids. This command must be run first
before a password store can be used. If the specified gpg-id is
different from the key used in any existing files, these files
will be reencrypted to use the new id. Note that use of
gpg-agent(1) is recommended so that the batch decryption does not
require as much user intervention. If --path or -p is specified,
along with an argument, a specific gpg-id or set of gpg-ids is
assigned for that specific sub folder of the password store. If
only one gpg-id is given, and it is an empty string, then the
current .gpg-id file for the specified sub-folder (or root if
unspecified) is removed.
ls subfolder
List names of passwords inside the tree at subfolder by using
the tree(1) program. This command is alternatively named list.
grep search-string
Searches inside each decrypted password file for search-string,
and displays the line containing the matched string along with the filename.
Uses grep(1) for matching. Make use of the GREP_OPTIONS environment
variable to set particular options.
find pass-names...
List names of passwords inside the tree that match pass-names by
using the tree(1) program. This command is alternatively named
search.
show pass-name
Decrypt and print a password named pass-name.
insert [ --echo, -e | --multiline, -m ] [ --force, -f ] pass-name
Insert a new password into the password store called pass-name.
This will read the new password from standard in. If --echo or
-e is not specified, disable keyboard echo when the password is
entered and confirm the password by asking for it twice. If
--multiline or -m is specified, lines will be read until EOF or
Ctrl+D is reached. Otherwise, only a single line from standard
in is read. Prompt before overwriting an existing password,
unless --force or -f is specified.
edit pass-name
Insert a new password or edit an existing password using the
default text editor specified by the environment variable EDITOR
or using vi(1) as a fallback. This mode makes use of temporary
files for editing, but care is taken to ensure that temporary
files are created in /dev/shm in order to avoid writing to
difficult-to-erase disk sectors. If /dev/shm is not accessible,
fall back to the ordinary TMPDIR location, and print a warning.
generate [ --no-symbols, -n ] [ --in-place, -i | --force, -f ] pass-name pass-length
Generate a new password using pwgen(1) of length pass-length and
insert into pass-name. If --no-symbols or -n is specified, do
not use any non-alphanumeric characters in the generated password.
Prompt before overwriting an existing password, unless
--force or -f is specified. If --in-place or -i is specified, do
not interactively prompt, and only replace the first line of the
password file with the new generated password, keeping the
remainder of the file intact.
rm [ --recursive, -r ] [ --force, -f ] pass-name
Remove the password named pass-name from the password store.
This command is alternatively named remove or delete. If
--recursive or -r is specified, delete pass-name recursively if
it is a directory. If --force or -f is specified, do not
interactively prompt before removal.
mv [ --force, -f ] old-path new-path
Renames the password or directory named old-path to new-path.
This command is alternatively named rename. If --force is specified,
silently overwrite new-path if it exists. If new-path ends
in a trailing /, it is always treated as a directory. Passwords
are selectively reencrypted to the corresponding keys of their
new destination.
cp [ --force, -f ] old-path new-path
Copies the password or directory named old-path to new-path.
This command is alternatively named copy. If --force is specified,
silently overwrite new-path if it exists. If new-path ends
in a trailing /, it is always treated as a directory. Passwords
are selectively reencrypted to the corresponding keys of their
new destination.
help
Show usage message.
version
Show version information.
SIMPLE EXAMPLES
Initialize password store
zx2c4@laptop ~ $ pass init Jason@zx2c4.com
mkdir: created directory ‘/home/zx2c4/.password-store’
Password store initialized for Jason@zx2c4.com.
List existing passwords in store
zx2c4@laptop ~ $ pass
Password Store
├── Business
│ ├── some-silly-business-site.com
│ └── another-business-site.net
├── Email
│ ├── donenfeld.com
│ └── zx2c4.com
└── France
├── bank
├── freebox
└── mobilephone
Alternatively, "pass ls".
Find existing passwords in store that match .com
zx2c4@laptop ~ $ pass find .com
Search Terms: .com
├── Business
│ ├── some-silly-business-site.com
└── Email
├── donenfeld.com
└── zx2c4.com
Alternatively, "pass search .com".
Show existing password
zx2c4@laptop ~ $ pass Email/zx2c4.com
sup3rh4x3rizmynam3
Add password to store
zx2c4@laptop ~ $ pass insert Business/cheese-whiz-factory
Enter password for Business/cheese-whiz-factory: omg so much cheese what am i gonna do
Add multiline password to store
zx2c4@laptop ~ $ pass insert -m Business/cheese-whiz-factory
Enter contents of Business/cheese-whiz-factory and press Ctrl+D when finished:
Hey this is my
awesome
multi
line
passworrrrrrrrd.
^D
Generate new password
zx2c4@laptop ~ $ pass generate Email/jasondonenfeld.com 15
The generated password to Email/jasondonenfeld.com is:
$(-QF&Q=IN2nFBx
Generate new alphanumeric password
zx2c4@laptop ~ $ pass generate -n Email/jasondonenfeld.com 12
The generated password to Email/jasondonenfeld.com is:
YqFsMkBeO6di
Generate new password
zx2c4@laptop ~ $ pass generate Email/jasondonenfeld.com 19
Remove password from store
zx2c4@laptop ~ $ pass remove Business/cheese-whiz-factory
rm: remove regular file ‘/home/zx2c4/.password-store/Business/cheese-whiz-factory.gpg’? y
removed ‘/home/zx2c4/.password-store/Business/cheese-whiz-factory.gpg’
FILES
~/.password-store
The default password storage directory.
~/.password-store/.gpg-id
Contains the default gpg key identification used for encryption
and decryption. Multiple gpg keys may be specified in this
file, one per line. If this file exists in any sub directories,
passwords inside those sub directories are encrypted using those
keys. This should be set using the init command.
ENVIRONMENT VARIABLES
PASSWORD_STORE_DIR
Overrides the default password storage directory.
PASSWORD_STORE_KEY
Overrides the default gpg key identification set by init. Keys
must not contain spaces and thus use of the hexadecimal key
signature is recommended. Multiple keys may be specified separated
by spaces.
PASSWORD_STORE_UMASK
Sets the umask of all files modified by pass, by default 077.
EDITOR
The location of the text editor used by edit.
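AUDIT EXAMPLE (added; not part of pass)
The sub-folder .gpg-id rule from FILES and the overrides above can be checked with a short audit script. This is an added example, not code from pass; the function names are hypothetical, and it assumes the nearest .gpg-id at or above an entry's folder is the one that applies.

```shell
#!/usr/bin/env bash
# Added example: audit helpers for a pass store. Function names are
# hypothetical; the store layout follows the FILES section.

# Print the gpg-ids that apply to a pass-name, one per line.
effective_gpg_ids() {
    local store="${PASSWORD_STORE_DIR:-$HOME/.password-store}" dir
    store="${store%/}"
    if [ -n "${PASSWORD_STORE_KEY:-}" ]; then
        # Space-separated override; unquoted on purpose to split on spaces.
        printf '%s\n' $PASSWORD_STORE_KEY
        return 0
    fi
    dir="$(dirname "$store/$1")"
    while :; do
        # Assumption: the nearest .gpg-id at or above the entry wins.
        if [ -f "$dir/.gpg-id" ]; then
            cat "$dir/.gpg-id"
            return 0
        fi
        if [ "$dir" = "$store" ] || [ "$dir" = "/" ] || [ "$dir" = "." ]; then
            break
        fi
        dir="$(dirname "$dir")"
    done
    return 1   # no .gpg-id found: the store was never set up with init
}

# Print "pass-name<TAB>id,id,..." for every entry in the store, so a
# reviewer can see which keys each sub-folder is assigned to.
audit_store() {
    local store="${PASSWORD_STORE_DIR:-$HOME/.password-store}" f name
    store="${store%/}"
    find "$store" -type f -name '*.gpg' | sort | while IFS= read -r f; do
        name="${f#"$store"/}"; name="${name%.gpg}"
        printf '%s\t%s\n' "$name" "$(effective_gpg_ids "$name" | paste -sd, -)"
    done
}

# List files and directories that grant any group/other permission bit,
# i.e. anything looser than the default PASSWORD_STORE_UMASK of 077 gives.
loose_permissions() {
    local store="${PASSWORD_STORE_DIR:-$HOME/.password-store}"
    find "${store%/}" ! -type l \( -perm -001 -o -perm -002 -o -perm -004 \
        -o -perm -010 -o -perm -020 -o -perm -040 \) -print
}
```

The report shows which ids pass would encrypt to for each entry, not which keys an existing file was actually encrypted for.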
SEE ALSO
gpg2(1), pwgen(1),
AUTHOR
pass was written by Jason A. Donenfeld ⟨Jason@zx2c4.com⟩. For
updates and more information, a project page is available on the
World Wide Web ⟨http://www.passwordstore.org/⟩.
COPYING
This program is free software; you can redistribute it and/or
modify it under the terms of the GNU General Public License as
published by the Free Software Foundation; either version 2 of
the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public
License along with this program; if not, write to the Free Software
Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
MA 02110-1301, USA.
ZX2C4 2014 March 18 PASS(1)