There are many Password applications out there, most require a fee. But what about self-hosting? There are many self-hosted Password managers and a few of those require a fee. But what about a password manager that is command-line based? Let's install and try Password Store.


Use Brew on a Mac

brew update && brew upgrade && brew install pass pass-otp

On Debian/Ubuntu

apt install pass pass-extension-otp

On Redhat/CentOS

dnf install pass pass-otp

In most cases, bash, zsh and fsh completion will be setup.


Notes from:


GPG keys

Create a new GPG Key

gpg --gen-key

Answer a few questions and you will have a new key to encrypt and decrypt your password files. (You can use your real name or make something up.) After a bit you will have a Key ID -- a long alphanumeric string. Keep that and if you need to see it again, just run

gpg -K

One thing you will see is the expiration date. If you want it to never expire, run

gpg --edit-key

and invoke the expire command.

Create the password store

Create the store using the Key ID

pass init 2B2BF3...3A0E8C

Let's also make it a git repo so we can sync

pass git init

With a couple to steps, we now have a password store on our local machine.

Add some passwords

The pass command allows you to insert a password, generate a password, and delete. It uses a name for the password that is stored in plaintext on the disk so make sure you are careful you don't leak credentials by using an email address.

# insert a password for github
pass insert github

# Generate a password
pass generate gitlab

# Generate a password in a folder for organization
pass generate gitlab/work

To delete, it is just as easy

pass rm github/work


# Search based on the name
pass find github

But how do you search for an email or a note? (Again don't use email as name - you can leak credentials as the filename is not encrypted.) You can add metadata or other fields to the file.


pass edit github/work

You can then grep for fields or emails

pass grep "email:"

Using the passwords

To show the passwords use

pass show github

# copy the password to your clipboard
pass show -c github

Git and fixing things

Suppose you accidentally delete a password. You can, using git, restore from the repo.

pass git revert HEAD

Adding a remote origin

(I am using a service called which is a ssh-based filesystem. My exmaples will use that, but you can also use a GitHub or GitLab repo.)

Here I'll create a fresh repo

ssh git init --bare  Git/passwordstore

Then I'll add it as the origin, set the upstream and push

pass git remote add origin
pass git push --set-upstream origin main

Export your gpg keys

To use this on a different host, you'll need to export your keys and copy them to a new host.

gpg --output public.gpg --armor --export
gpg --output private.gpg --armor --export-secret-key

Copy the keys and then import

gpg --import private.gpg

# also this if it tried to open a dialog window
gpg --import --pinentry-mode loopback private.gpg
gpg --import public.gpg

# edit the trust so you can encrypt passwords on this machine

gpg edit 2B2BF3...3A0E8C

Pulling down the repo

pass init 2B2BF3...3A0E8C
pass git init
pass git clone--single-branch --branch main

How to use this in the terminal

You can view and copy and paste, but with variables and functions, you can pull secrets out of the store.

export GITHUB_TOKEN=$(pass show github/api/mytoken)

alias aws="AWS_ACCESS_KEY_ID=$(pass show aws/access_id) AWS_SECRET_ACCESS_KEY=$(pass show aws/access_key) aws"

Using Pass outside of the terminal

Pass has other plugins and apps available. Check the Pass Webpage and look at Extensions and Clients.

Sharing with Others

This tutorial won't go into this, but using .gpg-id you can encrypt items for others. You will just need the public.key.

From the man page:


Contains the default gpg key identification used for encryption and decryption. Multiple gpg keys may be specified in this file, one per line. If this file exists in any sub directories, passwords inside those sub directories are encrypted using those keys. This should be set using the init command.

Previous Post