Complete guide for using pass, the standard Unix password manager. Use this skill whenever the user asks about pass, password-store, managing passwords from...
---
name: pass
description: >
Complete guide for using pass, the standard Unix password manager. Use this
skill whenever the user asks about pass, password-store, managing passwords
from the terminal, GPG-encrypted passwords, setting up pass for the first
time, inserting or generating passwords, syncing a password store with git,
using pass-otp for TOTP codes, importing passwords from another manager, or
any task involving the `pass` CLI. Trigger on phrases like "set up pass",
"add a password to pass", "sync my password store", "generate a password",
"pass git", "pass-otp", "pass-import", or any variation.
---
# pass — The Standard Unix Password Manager
Each password is a GPG-encrypted file under `~/.password-store/`. The store is
plain files in a folder hierarchy; no proprietary formats, no daemon.
---
## 1. Installation
### Linux
| Distro | Command |
|------------------|--------------------------------|
| Arch / Manjaro | `pacman -S pass` |
| Debian / Ubuntu | `apt install pass` |
| Fedora / RHEL | `dnf install pass` |
| openSUSE | `zypper in password-store` |
### macOS
```bash
brew install pass
```
---
## 2. GPG Key Setup
pass requires a GPG key. Skip this block if you already have one.
```bash
# Generate a new key (use RSA 4096 or ed25519)
gpg --full-generate-key
# List your keys — note the key ID or email
gpg --list-secret-keys --keyid-format LONG
```
The key ID looks like `3AA5C34371567BD2` or you can use the email you registered.
---
## 3. Initialise the Store
```bash
pass init "your@email.com"
# or using the key ID:
pass init 3AA5C34371567BD2
```
This creates `~/.password-store/` and a `.gpg-id` file.
Multiple GPG IDs are supported (for team use):
```bash
pass init alice@example.com bob@example.com
```
Use `-p` to scope a different GPG key to a subfolder (useful for shared stores):
```bash
pass init -p work/ work@company.com
```
Running `pass init` on an existing store re-encrypts all entries with the new key(s).
---
## 4. Data Organisation Convention
Store each entry as a **multiline file** with this structure:
```
<password>
url: https://example.com
username: you@example.com
notes: anything extra
```
- **First line is always the password.** `pass -c` and clipboard tools only
copy line 1.
- Use lowercase keys (`url:`, `username:`, `notes:`) for compatibility with
browser extensions and `pass-import`.
- Organise with folders that mirror context, not the URL structure:
```
~/.password-store/
├── email/
│ ├── gmail
│ └── fastmail
├── dev/
│ ├── github
│ └── npm
└── finance/
├── bank-hsbc
└── revolut
```
---
## 5. Daily Usage
### List the store
```bash
pass # full tree
pass email/ # subtree
pass ls email/ # explicit alias
```
### Find entries by name
```bash
pass find github # lists all entries whose path matches "github"
```
### Read a password
```bash
pass email/gmail # print all lines to stdout
pass -c email/gmail # copy line 1 to clipboard (clears after 45s)
pass -c2 email/gmail # copy line 2 (e.g. the username) to clipboard
```
### Search inside decrypted content
```bash
pass grep username # grep across all decrypted entries
pass grep -i "amazon" # case-insensitive; accepts any grep option
```
### Insert an existing password
```bash
pass insert email/gmail # prompted twice for confirmation
pass insert -e email/gmail # echo password as you type (single prompt)
pass insert -m email/gmail # multiline (recommended, ends with Ctrl-D)
pass insert -f email/gmail # overwrite without prompt
```
### Generate a new password
```bash
pass generate email/gmail # 25-char password (default length)
pass generate email/gmail 20 # custom length
pass generate -n email/gmail 20 # no symbols
pass generate -c email/gmail 20 # copy to clipboard instead of printing
pass generate -i email/gmail 20 # replace only line 1, keep rest of file
pass generate -f email/gmail 20 # overwrite without prompt
```
### Edit an entry
```bash
pass edit email/gmail # opens $EDITOR; creates entry if it doesn't exist
```
### Remove an entry
```bash
pass rm email/gmail
pass rm -r email/ # remove a folder recursively
pass rm -f email/gmail # no confirmation prompt
```
### Move / copy
```bash
pass mv email/gmail email/gmail-old
pass mv -f email/gmail email/gmail-old # overwrite without prompt
pass cp email/gmail backup/gmail
pass cp -f email/gmail backup/gmail # overwrite without prompt
```
---
## 6. Git Sync
Initialise git inside the store:
```bash
pass git init
pass git remote add origin git@github.com:you/pass-store.git
```
Every `pass insert`, `generate`, `edit`, `rm` automatically creates a git
commit. Push and pull manually:
```bash
pass git push
pass git pull
```
To clone the store on another machine:
```bash
# Import your GPG key first:
gpg --import private-key.asc
gpg --edit-key your@email.com # then: trust → 5 → quit
# Clone the store:
git clone git@github.com:you/pass-store.git ~/.password-store
```
---
## 7. Extensions
### pass-otp (TOTP / 2FA codes)
```bash
# Install
pacman -S pass-otp # Arch
brew install pass-otp # macOS
# Add a TOTP secret (use the otpauth:// URI from your provider)
pass otp insert totp/github
# paste: otpauth://totp/GitHub:you@example.com?secret=BASE32SECRET&issuer=GitHub
# Generate a code
pass otp totp/github
# Copy to clipboard
pass otp -c totp/github
```
### pass-import (migrate from another manager)
```bash
pip install pass-import # or: pacman -S pass-import
# Import from Bitwarden (JSON export)
pass import bitwarden bitwarden-export.json
# Import from 1Password (1PUX export)
pass import 1password export.1pux
# List all supported formats
pass import --list
```
### pass-update
```bash
# Install
git clone https://github.com/roddhjav/pass-update ~/.password-store/.extensions/update.bash
# Update a password interactively
pass update email/gmail
```
---
## 8. Shell Completion
```bash
# bash — add to ~/.bashrc
source /usr/share/bash-completion/completions/pass
# zsh — add to ~/.zshrc
autoload -U compinit && compinit
# fish — works out of the box after install
```
---
## 9. Useful Environment Variables
| Variable | Purpose |
|-----------------------------------|----------------------------------------------|
| `PASSWORD_STORE_DIR` | Override default `~/.password-store` |
| `PASSWORD_STORE_KEY` | Default GPG key ID |
| `PASSWORD_STORE_GIT` | Override git directory |
| `PASSWORD_STORE_CLIP_TIME` | Seconds before clipboard clears (default 45) |
| `PASSWORD_STORE_ENABLE_EXTENSIONS`| Set to `true` to enable user extensions |
| `EDITOR` | Editor used by `pass edit` |
---
## 10. Troubleshooting
**`gpg: decryption failed: No secret key`**
Your GPG key is not available. Import it with `gpg --import` and set trust.
**`gpg-agent` keeps asking for passphrase**
Add to `~/.gnupg/gpg-agent.conf`:
```
default-cache-ttl 3600
max-cache-ttl 14400
```
Then restart: `gpgconf --kill gpg-agent`
**Clipboard does not clear on Wayland**
Install `wl-clipboard` and set `PASSWORD_STORE_CLIP_TOOL=wl-copy` or pass `-c`
with `wl-clipboard` in PATH.
**pass git shows dirty tree after clone**
Run `pass git status`; if only `.gpg-id` is untracked, run `pass git add .`
and `pass git commit -m "add gpg-id"`.
don't have the plugin yet? install it then click "run inline in claude" again.
split original content into 6 required sections (intent, inputs, procedure with numbered steps, explicit decision points, output contract, outcome signal); added edge cases (Wayland clipboard, GPG cache TTL, git dirty tree, multi-key setup, import failures, TOTP validity windows); preserved all original commands and author attribution.
each password is a GPG-encrypted file under ~/.password-store/. the store is plain files in a folder hierarchy; no proprietary formats, no daemon.
pass is a minimal CLI password manager that stores each credential as a GPG-encrypted text file. use this skill when you need to set up or manage a Unix password store, generate or retrieve encrypted passwords, sync credentials across machines with git, handle TOTP codes, or migrate passwords from another manager. pass is for users who want passwords in version control without a centralized cloud service.
required before starting:
pass package installed via distro package manager or Homebrewwl-clipboard on Wayland systems if you need clipboard supportenvironment variables (optional, set in shell profile if needed):
PASSWORD_STORE_DIR: override default store location (default: ~/.password-store)PASSWORD_STORE_KEY: default GPG key ID or email to encrypt withPASSWORD_STORE_CLIP_TIME: clipboard clear timeout in seconds (default: 45)PASSWORD_STORE_ENABLE_EXTENSIONS: set to true to load user extensionsEDITOR: which text editor pass edit uses (default: $EDITOR or vi)PASSWORD_STORE_GIT: override git directory path (default: $PASSWORD_STORE_DIR)PASSWORD_STORE_CLIP_TOOL: clipboard command (default: xclip or pbcopy depending on OS)external connections (optional):
Linux:
pacman -S passapt install passdnf install passzypper in password-storemacOS:
brew install passoutput: pass --version prints the installed version (e.g., pass 1.7.4)
if you do not have a GPG key:
gpg --full-generate-keyif you already have a key, list it:
gpg --list-secret-keys --keyid-format LONG
output: a key ID like 3AA5C34371567BD2 or the email you registered
pass init "your@email.com" (or use the key ID instead)~/.password-store/ directory and a .gpg-id fileoptional: multi-key setup for team sharing:
pass init alice@example.com bob@example.com
this encrypts all entries so both alice and bob can decrypt.
optional: scope a different key to a subfolder:
pass init -p work/ work@company.com
output: ~/.password-store/ directory exists with .gpg-id file containing the key fingerprint(s)
create a folder hierarchy that mirrors your context, not website URLs. examples:
~/.password-store/
├── email/
│ ├── gmail
│ └── fastmail
├── dev/
│ ├── github
│ └── npm
└── finance/
├── bank-hsbc
└── revolut
convention: each entry is a multiline text file with this structure:
<password>
url: https://example.com
username: you@example.com
notes: anything extra
the first line is always the password. pass -c only copies line 1 to clipboard. use lowercase keys (url:, username:, notes:) for compatibility with browser extensions and pass-import.
output: folder structure created manually with mkdir -p ~/.password-store/<category>/
view the full tree:
pass
view a subtree:
pass email/
pass ls email/
find entries by name (fuzzy search):
pass find github
output: stdout lists entry paths, one per line
print all lines of an entry:
pass email/gmail
copy line 1 (password) to clipboard:
pass -c email/gmail
clipboard auto-clears after 45 seconds (configurable with PASSWORD_STORE_CLIP_TIME)
copy a specific line (e.g. line 2, the username):
pass -c2 email/gmail
search decrypted content across all entries:
pass grep username
pass grep -i "amazon"
output: password printed to stdout or copied to clipboard; clipboard clears after timeout
insert with confirmation prompt:
pass insert email/gmail
you are prompted to enter the password twice.
insert while echoing your input (single prompt):
pass insert -e email/gmail
insert in multiline mode (recommended for the metadata structure):
pass insert -m email/gmail
press Ctrl-D to finish.
overwrite an existing entry without prompt:
pass insert -f email/gmail
output: entry created at ~/.password-store/email/gmail.gpg
generate a 25-character random password (default):
pass generate email/gmail
generate with custom length:
pass generate email/gmail 20
generate without symbols (alphanumeric only):
pass generate -n email/gmail 20
generate and copy directly to clipboard:
pass generate -c email/gmail 20
generate and replace only the password (keep metadata):
pass generate -i email/gmail 20
generate and overwrite without prompt:
pass generate -f email/gmail 20
output: generated password printed to stdout or copied to clipboard; entry file updated
open in $EDITOR:
pass edit email/gmail
if the entry does not exist, it is created.
output: entry file updated with changes you made in the editor
remove a single entry (with confirmation):
pass rm email/gmail
remove a folder recursively:
pass rm -r email/
remove without confirmation prompt:
pass rm -f email/gmail
output: entry or folder deleted from ~/.password-store/
move an entry:
pass mv email/gmail email/gmail-old
move and overwrite without prompt:
pass mv -f email/gmail email/gmail-old
copy an entry:
pass cp email/gmail backup/gmail
copy and overwrite without prompt:
pass cp -f email/gmail backup/gmail
output: entry file moved or copied to the new path
set up git inside the store:
pass git init
pass git remote add origin git@github.com:you/pass-store.git
every pass insert, generate, edit, rm, mv, cp automatically creates a git commit.
push changes to remote:
pass git push
pull remote changes:
pass git pull
output: git repository initialized at ~/.password-store/.git; commits appear in git log
prerequisites: the remote repo is already set up and your GPG key is available
gpg --import private-key.ascgpg --edit-key your@email.com, then type trust, select 5, then quitgit clone git@github.com:you/pass-store.git ~/.password-storeoutput: ~/.password-store/ directory populated with encrypted entries; decryption works with your imported GPG key
install the extension:
pacman -S pass-otpbrew install pass-otppip install pass-otpadd a TOTP secret (use the otpauth:// URI from your provider):
pass otp insert totp/github
paste the otpauth URI: otpauth://totp/GitHub:you@example.com?secret=BASE32SECRET&issuer=GitHub
generate a code:
pass otp totp/github
copy the code to clipboard:
pass otp -c totp/github
output: TOTP entry created at ~/.password-store/totp/github.gpg; running the command outputs a 6-digit code valid for 30 seconds
install the tool:
pip install pass-import
# or: pacman -S pass-import
import from Bitwarden (JSON export):
pass import bitwarden bitwarden-export.json
import from 1Password (1PUX export):
pass import 1password export.1pux
list all supported import formats:
pass import --list
output: entries created in ~/.password-store/ with folder structure inferred from the source manager
bash , add to ~/.bashrc:
source /usr/share/bash-completion/completions/pass
zsh , add to ~/.zshrc:
autoload -U compinit && compinit
fish , works automatically after install
output: pass <TAB> completes entry names and subcommands
if you do not have a GPG key: generate one with gpg --full-generate-key before running pass init. if you already have a key, skip generation and go straight to pass init.
if you want to share the store with team members: use pass init alice@example.com bob@example.com so entries encrypt to multiple keys. if solo, use a single key.
if you plan to sync the store across machines: set up git with pass git init and push to a remote repo. if you only use pass on one machine, skip git.
if the clipboard does not work on Wayland: install wl-clipboard and ensure PASSWORD_STORE_CLIP_TOOL=wl-copy is set, or pass will try xclip and fail. on X11 or macOS, the default clipboard tools work out of the box.
if gpg-agent keeps asking for a passphrase: increase the cache TTL in ~/.gnupg/gpg-agent.conf with default-cache-ttl 3600 and max-cache-ttl 14400, then restart the agent with gpgconf --kill gpg-agent.
if you need TOTP codes for 2FA: install pass-otp and use pass otp insert to add secrets. if you only use passwords, skip this extension.
if you are migrating from Bitwarden, 1Password, LastPass, or KeePass: use pass-import to automate the migration. if starting fresh, skip this step.
if you want to update passwords interactively: install pass-update with git clone https://github.com/roddhjav/pass-update ~/.password-store/.extensions/update.bash. if you prefer editing manually, use pass edit instead.
a successful pass setup and workflow produces:
~/.password-store/ exists with a .gpg-id file at the root containing the GPG key fingerprint(s)~/.password-store/<category>/<name>.gpg as a binary-encrypted file.git/ directory exists inside ~/.password-store/ with commit history showing insert, generate, edit, and rm operationspass -c <entry> places the first line on the clipboard; the clipboard clears automatically after the timeoutpass <entry> outputs plaintext to stdout only if the GPG key is available and unlockedpass import <format> <file> creates entries with folder structure matching the source manager, or fails with an error if the format is unsupportedpass otp <entry> outputs a 6-digit code valid for 30 seconds, refreshing every 30 secondsyou know the skill worked when:
pass lists your entire password store tree with no errorspass -c <entry> copies a password to your clipboard without prompting for your GPG passphrase (if the agent cached it) or prompts once and then succeedspass generate <entry> 20 creates a new encrypted entry and prints the generated passwordpass edit <entry> opens your default text editor, you modify the entry, and save; the entry is re-encrypted and a git commit is created (if git is enabled)pass find <keyword> returns a list of matching entries instantlypass git push and pass git pull sync your store to a remote repo without auth errorspass otp <entry> outputs a valid TOTP code you can use to log in (if you set up pass-otp)pass import <format> <file> imports entries from another password manager with the correct folder structure and no decryption errorspass <entry> decrypts successfully after importing the GPG key