pass, the CLI Password Manager

pass is a command line utility to manage your passwords.

It creates a simple file/folder structure under your $PASSWORD_STORE_DIR (by default ~/.password-store) where every file is encrypted with your gpg key.

You can organize that hierarchy as you see fit. For instance something like sites/ is a common way of doing it.

Those files are not limited to contain simply a password, they can contain anything. But is recommended that the password goes alone in the first line, so you can benefit from the -c option which copies that to the clipboard directly.

There is bash, zsh and fish command line completion available and all can be tracked using git. So it's really convenient.


This is simple, just one command (assuming you have your GnuPG key ready). GPG-ID is the hex id of your key.

$ pass init GPG-ID
    mkdir: created directory ‘/home/user/.password-store’
    Password store initialized for GPG-ID

Basic Usage

List all passwords "tree" style

$ pass Password Store
├── sites
│   ├──
│   │   ├── myUserName
│   │   ├── secondAccount ...

Find a password

$ pass find
Search Terms:
└── sites

See the content of a file

$ pass email/

Copy the first line to the clipboard. Clear time can be configured with $PASSWORD_STORE_CLIP_TIME

$ pass -c email/
    Copied email/ to clipboard.
    Will clear in 45 seconds.

Insert a new password. It can be multiline with -m. Remember to put the password on the first line if you want to use the clipboard function

$ pass insert sites/
    Enter password for sites/

Generate a 32 chars random password and store it. You can define the default length with $PASSWORD_STORE_GENERATED_LENGTH. With -n the password will not include symbols, but alphanumeric characters only. With -c it gets copied to the clipboard as usual.

$ pass generate sites/ 32
    The generated password to sites/ is: 

take a look at the --help option or the complete documentation on their website.

Changing Keys

If you need to change the key being used for your password files, simply navigate to the directory and re-issue pass init, but with the ID of the new key to be used. Pass will prompt for the old key's password, then automatically decrypt all keys and re-encrypt them with the new key.

$ cd ~/.password-store
$ pass init NEWGPGKEYID