pass - the standard unix password manager

2019/06/22 by Paulo Pereira

~/categories/Linux #Linux #Arch Linux #pass

I’ve been using pass as my password manager for the last months.

In Linux, Android and Windows.

Here’s how I set it up and the apps that can be used.


Arch Linux

I installed pass, pass-otp for one time password support, dmenu for an easy way to copy your passwords to the clipboard and if you prefer qtpass foi a gui application.

sudo pacman -S pass pass-otp dmenu qtpass

You can use the command passmenu to open a list of your passwords using dmenu. For convenience you can assign it to a keyboard shortcut.

In XFCE you can go to XFCE > Keyboard > Application Shortcut:

passmenu | Ctrl+Super+P


pass encrypts your passwords with a gpg key, so you’ll need an app to manage your key and an app compatible with pass.

I’m using OpenKeychain and Password Store.


You’ll need to install passff-host and the passff extension.

You can follow the instructions here.


You can use QtPass or just use the pass script in a bash terminal.

I use the bash shell from git for windows and download the pass script here.

Create a new password store

I will be using git to keep my passwords. This is optional. See more in the pass homepage.

gpg --full-generate-key
pass init
git init --bare ~/.password-store
pass git init
pass git config --global --edit

pass git commit --amend --reset-author
pass git remote add origin your_user@server:~/.password-store
pass git push -u --all

pass insert test/test3
pass git push

pass git log --pretty=format:"%h - %ae, %cr - %s" -5
git clone your_user@server:~/.password-store

GPG tips

Here’s cheetsheet for GPG.

Configuration files

Just some configurations I tuned.

vi ~/.gnupg/gpg.conf
	###+++--- GPGConf ---+++###
	#debug-level basic
cat ~/.gnupg/gpg-agent.conf
debug-level basic
log-file socket:///home/your_user/.gnupg/log-socket
pinentry-program /usr/bin/pinentry-gtk-2
default-cache-ttl 1800
gpg-connect-agent reloadagent /bye

Reset cached passwords

echo RELOADAGENT | gpg-connect-agent

Transfer GPG keys between machines

  1. Export to file using a temporary random password
# list gpg private keys
gpg -K
# generate random password
gpg --armor --gen-random 1 20
# export *private* key
gpg --armor --export-secret-keys | gpg --armor --symmetric --output yourkey.asc
# export public key
gpg --armor --export | gpg --armor --symmetric --output yourkey.gpg
  1. Send to another device

Example for Android:

Example in another computer with access to you main machine and using the random password generated:

Managing passwords

Here some examples, be sure to check pass homepage.

# insert a new password (multiple lines)
# firt line always the password
pass insert -m banking/bank
	user: ------
	url: https://------
	email: @---.---
# edit a password (vi like)
pass edit banking/bank
# remove a password
pass rm banking/bank
# push local changes to keybase
pass git push
# check last 5 commits
pass git log --pretty=format:"%h - %ae, %cr - %s" -5
	851fc19 -, 4 hours ago - Add given password for banking/bank to store.
# show the commit changes (q for quit)
pass git show 851fc19
# show commits from a specific dir
pass git log --follow banking
# your password are individual gpg files
ls .password-store/banking
# copy your passwords to the clipboard
pass -c banking/bank
# generate passwords for new sites (with 25 characters for example)
pass generate banking/bank 25
# generate passwords for existing passwords
pass generate --in-place banking/bank 25
# support for one time passwords
pass edit banking/bank
	user: ------
	url: https://------
	email: @---.---
pass otp banking/bank