pass
Manage passwords securely from the command line
TLDR
Initialize (or re-encrypt) the storage using one or more GPG IDs
Save a new password and additional information (press
Edit an entry
Copy a password (first line of the data file) to the clipboard
List the whole store tree
Generate a new random password with a given length, and copy it to the clipboard
Initialize a new Git repository (any changes made by pass will be committed automatically)
Run a Git command on behalf of the password storage
SYNOPSIS
pass [options] command [arguments]
Common commands:
pass init [gpg-id...]
pass ls [path]
pass show [-c|-q|-p] [path]
pass insert [-e|-m] [path]
pass generate [-s size] [-n] [path]
pass rm [-r|-f] [path]
pass cp [-r|-f] old-path new-path
pass mv [-r|-f] old-path new-path
pass find search-string
pass grep search-string
pass edit [path]
pass git git-command [git-args]
pass help [command]
pass version
PARAMETERS
-c, --clip
Used primarily with show. Copies the first line (the password) to the clipboard instead of printing it to standard output. The clipboard is cleared after a short configurable delay.
-q, --quiet
Used primarily with show. Suppresses all output to standard output, often used in conjunction with -c when only clipboard copying is desired without displaying the password on screen.
-p, --password
Used primarily with show. Only prints the first line (the password) to standard output, omitting any subsequent lines or metadata stored in the password file.
-e, --echo
Used with insert. Echoes the password back to standard output after it has been inserted, useful for scripting or confirmation in non-interactive environments.
-m, --multiline
Used with insert. Allows for multiline input for the password. The first line is treated as the password, and subsequent lines are stored as notes or additional information.
-s size
Used with generate. Specifies the desired length for the randomly generated password. The default length is 24 characters if this option is not provided.
-n, --no-symbols
Used with generate. Instructs pass to generate a password composed only of letters (uppercase and lowercase) and numbers, excluding special symbols.
-r, --recursive
Used with commands like rm, cp, and mv. Performs the operation recursively on directories, affecting all contents within the specified path.
-f, --force
Used with commands like rm, cp, and mv. Bypasses confirmation prompts, allowing for non-interactive execution of commands, which can be useful in scripts.
DESCRIPTION
The pass command is a lightweight, command-line based password manager that adheres to the Unix philosophy of doing one thing well. It stores passwords in individual GnuPG encrypted files, organized in a simple plaintext directory tree. This structure allows for easy management using standard file system utilities and optional version control with Git.
By leveraging GnuPG for robust encryption and Git for history and synchronization, pass provides a secure, flexible, and highly scriptable solution for managing sensitive credentials. It supports core functionalities like adding, retrieving, generating, editing, searching, copying, moving, and synchronizing passwords across multiple devices.
CAVEATS
The security of pass is inherently tied to the security of your GnuPG private key and its passphrase. A compromised GnuPG key means compromised passwords.
While passwords are encrypted at rest, they are decrypted into memory and may be written to temporary files during operations like editing or display. This temporary exposure could potentially leave sensitive data accessible to forensic analysis.
When using the clipboard option (-c), be aware that clipboard managers might retain sensitive data longer than intended or make it accessible to other applications. Ensure your clipboard manager's security practices align with your risk tolerance.
Regular backups of your password store (especially when integrated with Git) are crucial for data integrity and recovery in case of system failures or accidental deletion.
ENVIRONMENT VARIABLES
pass recognizes several environment variables that can alter its behavior. The most commonly used include PASSWORD_STORE_DIR to specify an alternative location for the password store (default: ~/.password-store), and PASSWORD_STORE_GPG_OPTS to pass additional options directly to GnuPG commands used by pass.
EXTENSIBILITY
pass is designed to be highly extensible. Users can place custom scripts in the ~/.password-store/.extensions directory. These scripts are then invokable as pass subcommands (e.g., a script named `foo` becomes `pass foo`), allowing for automation of complex tasks or integration with other utilities.
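The store layout, PASSWORD_STORE_DIR and the .extensions directory described above can be checked with a read-only audit. This is an added example, not part of pass or of the original page; the function names and finding labels are hypothetical, and it assumes the `.gpg-id` recipient files and the `.gitattributes` file that pass itself writes into the store.

```sh
#!/bin/sh
# Added example: read-only audit of a pass store. Function names and finding
# labels are hypothetical; nothing is decrypted and gpg is never invoked.

# Resolve the store: explicit argument, else PASSWORD_STORE_DIR, else the default.
store_path() { printf '%s\n' "${1:-${PASSWORD_STORE_DIR:-$HOME/.password-store}}"; }

# Print one "KIND<TAB>path" line per finding; a clean store prints nothing.
audit_store() {
    store=$(store_path "$1")
    [ -d "$store" ] || { printf 'MISSING\t%s\n' "$store"; return 0; }

    # Entry names are plaintext, so group/other access reveals which accounts
    # exist. -L checks the real directory when the store path is a symlink.
    [ "$(ls -ldL "$store" | cut -c5-10)" = "------" ] ||
        printf 'LOOSE_PERMS\t%s\n' "$store"

    # pass init records the recipient key IDs in .gpg-id at the store root.
    [ -f "$store/.gpg-id" ] || printf 'NO_GPG_ID\t%s\n' "$store"

    # Anything that is not *.gpg was not encrypted by pass and sits in the clear.
    find -H "$store" \( -name .git -o -name .extensions \) -prune -o \
        -type f ! -name '*.gpg' ! -name .gpg-id ! -name .gitattributes -print |
        while IFS= read -r f; do printf 'UNENCRYPTED\t%s\n' "$f"; done

    # Extension scripts are code that runs as a pass subcommand; review each
    # one, especially when the store is synchronized from a shared remote.
    if [ -d "$store/.extensions" ]; then
        find "$store/.extensions" -type f |
            while IFS= read -r f; do printf 'EXTENSION\t%s\n' "$f"; done
    fi
}

# Print "subtree<TAB>gpg-id" for every key ID listed as able to decrypt a subtree.
store_recipients() {
    store=$(store_path "$1")
    find -H "$store" -name .git -prune -o -type f -name .gpg-id -print |
        while IFS= read -r idfile; do
            # The "|| [ -n ... ]" keeps a last line that lacks a trailing newline.
            while IFS= read -r id || [ -n "$id" ]; do
                [ -z "$id" ] || printf '%s\t%s\n' "${idfile%/.gpg-id}" "$id"
            done < "$idfile"
        done
}
```

Source the file and run `audit_store` with no argument to check the default store; `store_recipients` shows every key ID whose compromise would expose a given subtree.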
HISTORY
The pass utility was created by Jason A. Donenfeld and first publicly released in 2012. Its development was driven by the desire for a simple, standards-compliant password manager that leverages existing, robust Unix tools like GnuPG for encryption and Git for version control. It quickly gained popularity within the Unix and open-source communities for its minimalist design, scriptability, and adherence to the 'Keep It Simple, Stupid' (KISS) principle.