.TH PASS 1 "2014 March 18" ZX2C4 "Password Store"
pass - stores, retrieves, generates, and synchronizes passwords securely
is a very simple password store that keeps passwords inside
encrypted files inside a simple directory tree residing at
.IR ~/.password-store .
utility provides a series of commands for manipulating the password store,
allowing the user to add, remove, edit, synchronize, generate, and manipulate
If no COMMAND is specified, COMMAND defaults to either
depending on the type of specifier in ARGS. Alternatively, if \fIPASSWORD_STORE_ENABLE_EXTENSIONS\fP
is set to "true", and the file \fI.extensions/COMMAND.bash\fP exists inside the
password store and is executable, then it is sourced into the environment,
passing any arguments and environment variables. Extensions existing in a
system-wide directory, only installable by the administrator, are always enabled.
Otherwise COMMAND must be one of the valid commands listed below.
Several of the commands below rely on or provide additional functionality if
the password store directory is also a git repository. If the password store
directory is a git repository, all password store modification commands will
cause a corresponding git commit. Sub-directories may be separate nested git
repositories, and pass will use the inner-most directory relative to the
current password. See the \fIEXTENDED GIT EXAMPLE\fP section for a detailed
description using \fBinit\fP and
The \fBinit\fP command must be run before other commands in order to initialize
the password store with the correct gpg key id. Passwords are encrypted using
the gpg key set with \fBinit\fP.
There is a corresponding bash completion script for use with tab completing
\fBinit\fP [ \fI--path=sub-folder\fP, \fI-p sub-folder\fP ] \fIgpg-id...\fP
Initialize new password storage and use
for encryption. Multiple gpg-ids may be specified, in order to encrypt each
password with multiple ids. This command must be run first before a password
store can be used. If the specified \fIgpg-id\fP is different from the key
used in any existing files, these files will be reencrypted to use the new id.
is recommended so that the batch decryption does not require as much user
intervention. If \fI--path\fP or \fI-p\fP is specified, along with an argument,
a specific gpg-id or set of gpg-ids is assigned for that specific sub folder of
the password store. If only one \fIgpg-id\fP is given, and it is an empty string,
then the current \fI.gpg-id\fP file for the specified \fIsub-folder\fP (or root if
unspecified) is removed.
\fBls\fP \fIsubfolder\fP
List names of passwords inside the tree at
program. This command is alternatively named \fBlist\fP.
\fBgrep\fP \fIsearch-string\fP
Searches inside each decrypted password file for \fIsearch-string\fP, and displays the line
containing the matched string along with the filename. Uses
for matching. Make use of the \fIGREP_OPTIONS\fP environment variable to set particular
\fBfind\fP \fIpass-names\fP...
List names of passwords inside the tree that match \fIpass-names\fP by using the
program. This command is alternatively named \fBsearch\fP.
\fBshow\fP [ \fI--clip\fP[=\fIline-number\fP], \fI-c\fP[\fIline-number\fP] ] [ \fI--qrcode\fP[=\fIline-number\fP], \fI-q\fP[\fIline-number\fP] ] \fIpass-name\fP
Decrypt and print a password named \fIpass-name\fP. If \fI--clip\fP or \fI-c\fP
is specified, do not print the password but instead copy the first (or otherwise specified)
line to the clipboard using
and then restore the clipboard after 45 (or \fIPASSWORD_STORE_CLIP_TIME\fP) seconds. If \fI--qrcode\fP
or \fI-q\fP is specified, do not print the password but instead display a QR code using
either to the terminal or graphically if supported.
\fBinsert\fP [ \fI--echo\fP, \fI-e\fP | \fI--multiline\fP, \fI-m\fP ] [ \fI--force\fP, \fI-f\fP ] \fIpass-name\fP
Insert a new password into the password store called \fIpass-name\fP. This will
read the new password from standard in. If \fI--echo\fP or \fI-e\fP is \fInot\fP specified,
disable keyboard echo when the password is entered and confirm the password by asking
for it twice. If \fI--multiline\fP or \fI-m\fP is specified, lines will be read until
EOF or Ctrl+D is reached. Otherwise, only a single line from standard in is read. Prompt
before overwriting an existing password, unless \fI--force\fP or \fI-f\fP is specified. This
command is alternatively named \fBadd\fP.
\fBedit\fP \fIpass-name\fP
Insert a new password or edit an existing password using the default text editor specified
by the environment variable \fIEDITOR\fP or using
as a fallback. This mode makes use of temporary files for editing, but care is taken to
ensure that temporary files are created in \fI/dev/shm\fP in order to avoid writing to
difficult-to-erase disk sectors. If \fI/dev/shm\fP is not accessible, fall back to
the ordinary \fITMPDIR\fP location, and print a warning.
\fBgenerate\fP [ \fI--no-symbols\fP, \fI-n\fP ] [ \fI--clip\fP, \fI-c\fP ] [ \fI--in-place\fP, \fI-i\fP | \fI--force\fP, \fI-f\fP ] \fIpass-name [pass-length]\fP
Generate a new password using \fB/dev/urandom\fP of length \fIpass-length\fP
(or \fIPASSWORD_STORE_GENERATED_LENGTH\fP if unspecified) and insert into
\fIpass-name\fP. If \fI--no-symbols\fP or \fI-n\fP is specified, do not use
any non-alphanumeric characters in the generated password. The character sets used
in generating passwords can be changed with the \fIPASSWORD_STORE_CHARACTER_SET\fP and
\fIPASSWORD_STORE_CHARACTER_SET_NO_SYMBOLS\fP environment variables, described below.
If \fI--clip\fP or \fI-c\fP is specified, do not print the password but instead copy
it to the clipboard using
and then restore the clipboard after 45 (or \fIPASSWORD_STORE_CLIP_TIME\fP) seconds. If \fI--qrcode\fP
or \fI-q\fP is specified, do not print the password but instead display a QR code using
either to the terminal or graphically if supported. Prompt before overwriting an existing password,
unless \fI--force\fP or \fI-f\fP is specified. If \fI--in-place\fP or \fI-i\fP is
specified, do not interactively prompt, and only replace the first line of the password
file with the new generated password, keeping the remainder of the file intact.
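
The generation and in-place steps described for generate, sketched on plaintext as an added example (not pass's own code). The function names generate_password and replace_first_line and the fallback character sets are assumptions of this example; encryption is left out.

```shell
#!/bin/sh
# Added example (not pass's own code).
# generate_password [-n] LENGTH
generate_password() {
    # Fallback sets are assumptions of this example; both are tr(1) sets.
    charset=${PASSWORD_STORE_CHARACTER_SET:-[:punct:][:alnum:]}
    if [ "$1" = "-n" ]; then
        charset=${PASSWORD_STORE_CHARACTER_SET_NO_SYMBOLS:-[:alnum:]}
        shift
    fi
    length=$1
    # Refuse anything that is not a positive integer.
    case $length in ''|*[!0-9]*|0*) return 2 ;; esac
    # tr -dc drops every byte outside the set, so each kept character is
    # drawn uniformly from it; LC_ALL=C keeps tr working on single bytes.
    LC_ALL=C tr -dc "$charset" < /dev/urandom | head -c "$length"
}

# replace_first_line NEW
# Reads the old plaintext entry on stdin and writes it back with only
# line 1 swapped for NEW, which is what --in-place is described as doing.
replace_first_line() {
    printf '%s\n' "$1"
    tail -n +2
}
```
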
\fBrm\fP [ \fI--recursive\fP, \fI-r\fP ] [ \fI--force\fP, \fI-f\fP ] \fIpass-name\fP
Remove the password named \fIpass-name\fP from the password store. This command is
alternatively named \fBremove\fP or \fBdelete\fP. If \fI--recursive\fP or \fI-r\fP
is specified, delete pass-name recursively if it is a directory. If \fI--force\fP
or \fI-f\fP is specified, do not interactively prompt before removal.
\fBmv\fP [ \fI--force\fP, \fI-f\fP ] \fIold-path\fP \fInew-path\fP
Renames the password or directory named \fIold-path\fP to \fInew-path\fP. This
command is alternatively named \fBrename\fP. If \fI--force\fP is specified,
silently overwrite \fInew-path\fP if it exists. If \fInew-path\fP ends in a
trailing \fI/\fP, it is always treated as a directory. Passwords are selectively
reencrypted to the corresponding keys of their new destination.
\fBcp\fP [ \fI--force\fP, \fI-f\fP ] \fIold-path\fP \fInew-path\fP
Copies the password or directory named \fIold-path\fP to \fInew-path\fP. This
command is alternatively named \fBcopy\fP. If \fI--force\fP is specified,
silently overwrite \fInew-path\fP if it exists. If \fInew-path\fP ends in a
trailing \fI/\fP, it is always treated as a directory. Passwords are selectively
reencrypted to the corresponding keys of their new destination.
\fBgit\fP \fIgit-command-args\fP...
If the password store is a git repository, pass \fIgit-command-args\fP as arguments to
using the password store as the git repository. If \fIgit-command-args\fP is \fBinit\fP,
in addition to initializing the git repository, add the current contents of the password
store to the repository in an initial commit. If the git config key \fIpass.signcommits\fP
is set to \fItrue\fP, then all commits will be signed using \fIuser.signingkey\fP or the
default git signing key. This config key may be turned on using:
.B `pass git config --bool --add pass.signcommits true`
Show version information.
Initialize password store
mkdir: created directory \[u2018]/home/zx2c4/.password-store\[u2019]
List existing passwords in store
.B zx2c4@laptop ~ $ pass
\[u251C]\[u2500]\[u2500] Business
\[u2502] \[u251C]\[u2500]\[u2500] some-silly-business-site.com
\[u2502] \[u2514]\[u2500]\[u2500] another-business-site.net
\[u251C]\[u2500]\[u2500] Email
\[u2502] \[u251C]\[u2500]\[u2500] donenfeld.com
\[u2502] \[u2514]\[u2500]\[u2500] zx2c4.com
\[u2514]\[u2500]\[u2500] France
\[u251C]\[u2500]\[u2500] bank
\[u251C]\[u2500]\[u2500] freebox
\[u2514]\[u2500]\[u2500] mobilephone
Alternatively, "\fBpass ls\fP".
Find existing passwords in store that match .com
.B zx2c4@laptop ~ $ pass find .com
\[u251C]\[u2500]\[u2500] Business
\[u2502] \[u251C]\[u2500]\[u2500] some-silly-business-site.com
\[u2514]\[u2500]\[u2500] Email
\[u251C]\[u2500]\[u2500] donenfeld.com
\[u2514]\[u2500]\[u2500] zx2c4.com
Alternatively, "\fBpass search .com\fP".
Show existing password
.B zx2c4@laptop ~ $ pass Email/zx2c4.com
Copy existing password to clipboard
.B zx2c4@laptop ~ $ pass -c Email/zx2c4.com
Add password to store
.B zx2c4@laptop ~ $ pass insert Business/cheese-whiz-factory
Enter password for Business/cheese-whiz-factory: omg so much cheese what am i gonna do
Add multiline password to store
.B zx2c4@laptop ~ $ pass insert -m Business/cheese-whiz-factory
Enter contents of Business/cheese-whiz-factory and press Ctrl+D when finished:
Generate new password
.B zx2c4@laptop ~ $ pass generate Email/jasondonenfeld.com 15
The generated password to Email/jasondonenfeld.com is:
Generate new alphanumeric password
.B zx2c4@laptop ~ $ pass generate -n Email/jasondonenfeld.com 12
The generated password to Email/jasondonenfeld.com is:
Generate new password and copy it to the clipboard
.B zx2c4@laptop ~ $ pass generate -c Email/jasondonenfeld.com 19
Copied Email/jasondonenfeld.com to clipboard. Will clear in 45 seconds.
Remove password from store
.B zx2c4@laptop ~ $ pass remove Business/cheese-whiz-factory
rm: remove regular file \[u2018]/home/zx2c4/.password-store/Business/cheese-whiz-factory.gpg\[u2019]? y
removed \[u2018]/home/zx2c4/.password-store/Business/cheese-whiz-factory.gpg\[u2019]
.SH EXTENDED GIT EXAMPLE
Here, we initialize a new password store, create a git repository, and then manipulate and sync passwords. Make note of the arguments to the first call of \fBpass git push\fP; consult
for more information.
mkdir: created directory \[u2018]/home/zx2c4/.password-store\[u2019]
.B zx2c4@laptop ~ $ pass git init
Initialized empty Git repository in /home/zx2c4/.password-store/.git/
[master (root-commit) 998c8fd] Added current contents of password store.
1 file changed, 1 insertion(+)
create mode 100644 .gpg-id
.B zx2c4@laptop ~ $ pass git remote add origin kexec.com:pass-store
mkdir: created directory \[u2018]/home/zx2c4/.password-store/Amazon\[u2019]
1 file changed, 0 insertions(+), 0 deletions(-)
<5m,_BrZY`antNDxKN<0A
.B zx2c4@laptop ~ $ pass git push -u --all
Counting objects: 4, done.
Delta compression using up to 2 threads.
Compressing objects: 100% (3/3), done.
Writing objects: 100% (4/4), 921 bytes, done.
Total 4 (delta 0), reused 0 (delta 0)
To kexec.com:pass-store
* [new branch] master -> master
Branch master set up to track remote branch master from origin.
1 file changed, 0 insertions(+), 0 deletions(-)
1 file changed, 0 insertions(+), 0 deletions(-)
.B zx2c4@laptop ~ $ pass git push
Counting objects: 9, done.
Delta compression using up to 2 threads.
Compressing objects: 100% (5/5), done.
Writing objects: 100% (7/7), 1.25 KiB, done.
Total 7 (delta 0), reused 0 (delta 0)
To kexec.com:pass-store
The default password storage directory.
.B ~/.password-store/.gpg-id
Contains the default gpg key identification used for encryption and decryption.
Multiple gpg keys may be specified in this file, one per line. If this file
exists in any sub directories, passwords inside those sub directories are
encrypted using those keys. This should be set using the \fBinit\fP command.
.B ~/.password-store/.extensions
The directory containing extension files.
.SH ENVIRONMENT VARIABLES
.I PASSWORD_STORE_DIR
Overrides the default password storage directory.
.I PASSWORD_STORE_KEY
Overrides the default gpg key identification set by \fBinit\fP. Keys must not
contain spaces and thus use of the hexadecimal key signature is recommended.
Multiple keys may be specified separated by spaces.
.I PASSWORD_STORE_GPG_OPTS
Additional options to be passed to all invocations of GPG.
.I PASSWORD_STORE_X_SELECTION
Overrides the selection passed to \fBxclip\fP, by default \fIclipboard\fP. See
.I PASSWORD_STORE_CLIP_TIME
Specifies the number of seconds to wait before restoring the clipboard, by default
.I PASSWORD_STORE_UMASK
Sets the umask of all files modified by pass, by default \fI077\fP.
.I PASSWORD_STORE_GENERATED_LENGTH
The default password length if the \fIpass-length\fP parameter to \fBgenerate\fP
.I PASSWORD_STORE_CHARACTER_SET
The character set to be used in password generation for \fBgenerate\fP. This value
is to be interpreted by \fBtr\fP. See
.I PASSWORD_STORE_CHARACTER_SET_NO_SYMBOLS
The character set to be used in no-symbol password generation for \fBgenerate\fP,
when \fI--no-symbols\fP, \fI-n\fP is specified. This value is to be interpreted
.I PASSWORD_STORE_ENABLE_EXTENSIONS
This environment variable must be set to "true" for extensions to be enabled.
.I PASSWORD_STORE_EXTENSIONS_DIR
The location to look for executable extension files, by default
\fIPASSWORD_STORE_DIR/.extensions\fP.
.I PASSWORD_STORE_SIGNING_KEY
If this environment variable is set, then all \fB.gpg-id\fP files and non-system extension files
must be signed using a detached signature using the GPG key specified by the full 40 character
upper-case fingerprint in this variable. If multiple fingerprints are specified, each
separated by a whitespace character, then signatures must match at least one.
The \fBinit\fP command will keep signatures of \fB.gpg-id\fP files up to date.
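
The fingerprint rule above, as an added example (not pass's own code): it takes the status text gpg prints for a detached-signature check and accepts it only if a VALIDSIG line names one of the listed fingerprints. The function name signature_is_trusted is hypothetical, and the fingerprints and status lines are constructed sample data.

```shell
#!/bin/sh
# Added example (not pass's own code).
# signature_is_trusted STATUS ALLOWED
#   STATUS   text captured from: gpg --verify --status-fd=1 FILE.sig FILE
#   ALLOWED  value of PASSWORD_STORE_SIGNING_KEY
# Returns 0 only if a VALIDSIG line names one of the allowed fingerprints.
signature_is_trusted() {
    status=$1
    allowed=$2
    # Field 3 of VALIDSIG is the fingerprint of the key that made the
    # signature; the last field is the primary key's fingerprint.
    signers=$(printf '%s\n' "$status" |
        awk '$1 == "[GNUPG:]" && $2 == "VALIDSIG" { print $3; print $NF }')
    [ -n "$signers" ] || return 1
    for want in $allowed; do
        # Only full 40-character upper-case fingerprints count.
        case $want in *[!0-9A-F]*) continue ;; esac
        [ "${#want}" -eq 40 ] || continue
        for got in $signers; do
            if [ "$got" = "$want" ]; then return 0; fi
        done
    done
    return 1
}

# Constructed sample data: these fingerprints and status lines are made up.
SUBKEY_FPR=0123456789ABCDEF0123456789ABCDEF01234567
PRIMARY_FPR=89ABCDEF0123456789ABCDEF0123456789ABCDEF
GOOD_STATUS="[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Constructed User <user@example.org>
[GNUPG:] VALIDSIG $SUBKEY_FPR 2024-01-01 1704067200 0 4 0 1 10 00 $PRIMARY_FPR"
BAD_STATUS="[GNUPG:] NEWSIG
[GNUPG:] BADSIG 89ABCDEF01234567 Constructed User <user@example.org>"

if signature_is_trusted "$GOOD_STATUS" "$PRIMARY_FPR"; then
    echo ".gpg-id accepted"
fi
```

A key id shorter than the full fingerprint is rejected on purpose, matching the requirement for the full 40 character form.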
The location of the text editor used by \fBedit\fP.
For updates and more information, a project page is available on the
.UR http://\:www.passwordstore.org/
This program is free software; you can redistribute it and/or
modify it under the terms of the GNU General Public License
as published by the Free Software Foundation; either version 2
of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.