Linux Mac

How to Use Pass, the Ultimate Open-Source Password Manager

Matthew Hughes 23-08-2016

One of the simplest ways to stay safe online is to practice good password hygiene. For each service and site you use, you should make sure that you use a different password which contains a combination of numbers and special characters, and isn’t based on any dictionary words.


Where possible, you should back this up with sturdy two-factor authentication.

Probably the biggest reason why people reuse the same weak passwords is because it’s hard to remember different complex ones. It’s for this reason why there’s a flourishing market for password managers How Password Managers Keep Your Passwords Safe Passwords that are hard to crack are also hard to remember. Want to be safe? You need a password manager. Here's how they work and how they keep you safe. Read More , with companies like LastPass, LogMeOnce, and DashLane all thriving. Consumers are becoming increasingly conscious of how password managers can protect them online You Need to Start Using a Password Manager Right Now By now, everyone should be using a password manager. In fact, not using a password manager puts you at greater risk of being hacked! Read More .

But what if you want an open-source password manager for Linux, Mac, and Windows? Well, you’re in luck. Pass is free, based on sturdy encryption standards, and super easy to use.

The Fundamentals of Pass

Pass is a simple, command-line based password manager. What makes it unique is that passwords are stored inside GPG encrypted files. These are the filename of the website or resource that needs the password. These are then organized in a hierarchical tree structure located under ~/.password-store.

This simplistic philosophy is beneficial for users, because it means that passwords can be manipulated using standard Linux command tools. You can, for example, grab your password and pipe it to another Linux utility. Since passwords are flat files, you can move them from computer to computer simply by transferring them. This makes it super portable.


Pass is even capable of temporarily storing passwords on the clipboard, and changes can be tracked using the Git versioning system.

To get it, just tell your package manager Which Linux Package Manager (and Distro) Is Right for You? A key difference between the main Linux distros is the package manager; the differences are strong enough that it can influence your choice of distro. Let's look at how the various package managers work. Read More to install Pass. On Ubuntu or Debian, run

sudo apt-get install pass.

On Fedora, it’s

sudo yum install pass

(I’m installing it on my Mac, so I typed brew install pass.)



Once it’s installed, you can start to build up your collection of passwords.

It’s worth emphasizing  that Pass doesn’t specify any kind of requirements on the data it stores. While the name suggests it’s just a password manager, it doesn’t dictate any particular kind of schema. It’s just a flat text file. This means you can store anything from PIN numbers, to metadata. Even poems.

How to Use Pass

When you first install Pass, your password store will be empty and there will be some configuration that needs to be done before you can start to use it.



Thankfully, Pass handles this for you. Just run:

pass init

This creates the folders where your passwords will be created. For this to work, the text in-between quotation marks has to be your GPG private key ID.



If you don’t already have one, you’ll have to create one. To do this, run

gpg --gen-key

…and follow the instructions. They’re pretty straightforward. To test that your password has been successfully created, run:

gpg --list-keys


If everything goes well, you’ll see something like this when you run Pass.


Now you can start to fill pass with information. This follows a really simple convention.

To insert a password, just run pass insert Servicetype/ServiceName. So, if you were adding your personal email account, you’d run:

pass insert email/personal

…and then follow the instructions in the terminal prompt.


Running Pass again will show you the hierarchy of  your password collection. Here, you’ll see my collection of passwords are getting bigger and bigger.


If you want to see a password, you’ll have to run something like:

pass social/twitter

You’ll be prompted for your GPG passphrase. Please note that my real Twitter password isn’t “password”.


You can also copy passwords to the clipboard. If I wanted to copy my Twitter password to the clipboard, I’d use:

pass -c social/twitter

For security reasons, Pass will remove this after 45 minutes to prevent them from falling into the wrong hands.


Pass can also generate strong passwords using the pwgen utility. If I wanted to generate myself a 30-character password for LinkedIn, I’d run:

pass generate social/linkedin 30

If you want to remove a password, you just need to run the equivalent of

pass rm social/twitter


It’s worth pointing out that password managers are only secure as the people who use them. For some useful tips on how to effectively use them, check out this piece from Dann Albright Are You Making These 6 Password Manager Security Mistakes? Password managers can only be as secure as you want them to be, and if you're making any of these six basic mistakes, you're going to end up compromising your online security. Read More .

Migrating to Pass From Other Services

If you’re already using a different password manager, but are tempted by Pass, you’ll be delighted to hear that the Pass community has written a number of scripts to port passwords. These are primarily written in Ruby, but also in Python, Perl, and Shell. They can migrate passwords from the following services:

  • 1Password
  • KeepassX
  • Keepass2
  • Figaro
  • LastPass
  • Ked
  • Revelation
  • Gorilla
  • PWSafe
  • KWallet
  • Roboform

To download these, visit the Pass website and scroll all the way to the bottom.

It’s also worth emphasizing that if you’re not keen on using Pass on the command line, the community has create a number of GUI interfaces for it. The most gorgeous is GoPass, which is written in Google’s Go programing language. This can only be used to view passwords though, and not remove or inserting them.


There’s also one written in Python, called Pext. This plugs into a number of Linux services, including Pass, and makes it easy for you to search for items.

How Do You Keep Your Passwords Secure on Linux?

Do you use Pass, or is there another service you prefer to use? I want to hear about it. Drop me a comment below, and we’ll chat.

Related topics: Linux, Password Manager.

Affiliate Disclosure: By buying the products we recommend, you help keep the site alive. Read more.

Whatsapp Pinterest

Leave a Reply

Your email address will not be published. Required fields are marked *

  1. parobalth
    October 25, 2016 at 8:26 am

    Please correct "For security reasons, Pass will remove this after 45 minutes [...]" to 45 seconds.

  2. Anonymous
    August 24, 2016 at 5:47 pm

    The password generator as you describe it is very basic: you can only define the number of characters, but not the type of characters. Neither does it seem t be able to generate passphrases.
    I use KeePass2, which does both of those things & much more, including auto-type which is a real godsend.

  3. Anonymous
    August 24, 2016 at 4:45 am

    This is quite nifty if you do a lot of scripting in the terminal. But those days are behind me now. I just want a simple GUI password manager and KeePass2 does the trick for me.

    • Nez
      August 24, 2016 at 5:47 am

      Ditto to that.

  4. Anonymous
    August 23, 2016 at 11:32 pm

    Great. Thanks again!

    • Anonymous
      August 23, 2016 at 11:33 pm

      Oops, posted reply in wrong area. Please ignore.

      • Anonymous
        August 24, 2016 at 8:24 am

        Are you a bot ?

  5. HildyJ
    August 23, 2016 at 11:22 pm

    For a universal (as far as I can see from their extensive list of ports), Free and Open Source Software (FOSS) password manager, I would highly recommend KeePass.I run it on Windows and Android and store the single encrypted password file on Dropbox to keep them synced. While you lose piping, you get a super secure database that also supports and encrypts notes.

  6. Anonymous
    August 23, 2016 at 7:51 pm

    Shucks, no Android?

    • Anonymous
      August 23, 2016 at 9:19 pm

      Yeah without Android support I couldn't use it either. I use SafeInCloud instead. It's really great and works for PC, Android, and iOS

      • Anonymous
        August 23, 2016 at 11:10 pm

        Thanks, Paul. Does SafeinCloud's android version auto populate the fields in Android's Google browser? Or does it require middle steps of copying/pasting?

        • Anonymous
          August 23, 2016 at 11:31 pm

          It has auto fill if you use Chrome for your browser

        • Anonymous
          August 23, 2016 at 11:32 pm

          Great! Thanks again, Paul.