Back to Stories|Home
SecurityPaolo Castro

Own Your Passwords with Pass and GPG

Take control of your passwords with pass, a Unix password manager that uses GPG encryption and Git for synchronization. No cloud subscriptions, no vendor lock-in, just encrypted files you own.

#security#gpg#passwords#privacy#git

Password managers are essential in today's world, but most popular solutions come with a catch: your passwords live on someone else's servers, behind a subscription paywall, locked in proprietary formats. While these services are generally secure, they require trust in the vendor and ongoing fees.

What if you could have the same convenience with complete ownership of your data? That's where pass comes in — a Unix password manager built on battle-tested technologies: GPG for encryption and Git for synchronization.

Why Pass?

The standard Unix password manager (pass, also known as password-store) takes a refreshingly simple approach: each password lives in a GPG-encrypted file, organized in a directory structure that makes sense to you. No databases, no proprietary formats, just encrypted text files.

GPG (GNU Privacy Guard) has been securing communications and data for decades. It's the same technology used to sign software packages, encrypt emails, and verify identities across the open-source ecosystem. If it's good enough for kernel maintainers and security researchers, it's good enough for your passwords.

The key advantages:

  • Complete ownership: Your encrypted passwords live where you want them
  • Time-tested encryption: GPG has been scrutinized by cryptographers for over 20 years
  • Version control: Every password change is tracked via Git
  • Cross-platform: Works on macOS, Linux, BSD, and even mobile devices
  • No subscriptions: Free and open-source
  • Team-friendly: Can be shared securely with a development team (more on this in a future post)

Setting Up GPG

Before using pass, we need a GPG key pair. If you already have one, feel free to skip to the next section.

Generating Your Key Pair

hljs bash
# Generate a new GPG key
gpg --full-generate-key

# You'll be prompted for:
# - Key type: Choose (1) RSA and RSA
# - Key size: 4096 bits recommended
# - Expiration: 0 = key does not expire (or set an expiration date)
# - Your name and email
# - A strong passphrase

Trusting Your Key

By default, GPG won't fully trust your own key. Let's fix that:

hljs bash
# List your keys to get the key ID
gpg --list-secret-keys --keyid-format=long

# You'll see something like:
# sec   rsa4096/ABCD1234EFGH5678 2022-07-22 [SC]

# Edit the key (replace with your key ID)
gpg --edit-key ABCD1234EFGH5678

# In the GPG prompt, type:
gpg> trust
# Your decision? 5 (ultimate trust)
gpg> quit

Exporting Your Keys (For Backup and Mobile)

It's crucial to back up your private key — without it, you can't decrypt your passwords. You'll also need to export your keys if you want to use them on mobile devices:

hljs bash
# Export your private key (keep this VERY secure!)
gpg --export-secret-keys --armor ABCD1234EFGH5678 > gpg-private-key.asc

# Export your public key
gpg --export --armor ABCD1234EFGH5678 > gpg-public-key.asc

# Store these safely - consider encrypting the backup itself
# or storing it on encrypted media

To import these keys on another machine or mobile device:

hljs bash
# Import the keys
gpg --import gpg-private-key.asc
gpg --import gpg-public-key.asc

# Trust the imported key (same process as above)
gpg --edit-key ABCD1234EFGH5678
gpg> trust
# Your decision? 5
gpg> quit

Installing and Initializing Pass

Now that GPG is configured, let's set up pass.

Installation

hljs bash
# macOS
brew install pass

# Arch Linux
pacman -S pass

# Other distributions: check your package manager

Initialize Your Password Store

hljs bash
# Initialize pass with your GPG key ID
pass init ABCD1234EFGH5678

# This creates ~/.password-store/ and configures GPG encryption

Basic Usage

Using pass is straightforward and follows a consistent command pattern:

hljs bash
# Insert a new password (will prompt for password)
pass insert Email/personal-gmail

# Insert multiline content (useful for security questions, notes, etc.)
pass insert -m Banking/credit-union

# Generate a random password (20 characters)
pass generate Social/github 20

# Generate without symbols (some sites don't like them)
pass generate -n Email/work-email 16

# Retrieve a password (displays in terminal)
pass Email/personal-gmail

# Copy password to clipboard (doesn't display it)
pass -c Email/personal-gmail

# Edit a password
pass edit Email/personal-gmail

# Remove a password
pass rm Email/old-account

# Search for passwords
pass find github

# List all passwords
pass

Organization and Structure

Pass uses a simple directory structure that mirrors how you think about your passwords. Here's a structure I've found works well:

hljs text
~/.password-store/
├── Email/
│   ├── personal-gmail.gpg
│   └── work-email.gpg
├── Banking/
│   ├── credit-union.gpg
│   └── investment-account.gpg
├── Social/
│   ├── github.gpg
│   ├── twitter.gpg
│   └── linkedin.gpg
├── Work/
│   ├── aws-console.gpg
│   ├── vpn.gpg
│   └── jira.gpg
└── Development/
    ├── npm-registry.gpg
    └── docker-hub.gpg

Keep it simple and consistent. The password-store documentation recommends organizing by domain or service, which aligns well with how you actually use passwords.

Git Integration

One of pass's killer features is built-in Git support. Every change is automatically committed, giving you a complete history and easy synchronization across devices.

Setting Up a Remote Repository

hljs bash
# Initialize git in your password store
pass git init

# Create a private repository on GitHub/GitLab
# Then add it as a remote
pass git remote add origin git@github.com:<username>/password-store.git

# Push your passwords (encrypted!)
pass git push -u origin main

Syncing Across Machines

On another machine, after installing pass and importing your GPG keys:

hljs bash
# Clone your password store
git clone git@github.com:<username>/password-store.git ~/.password-store

# Now pass commands work immediately
pass Email/personal-gmail

Every time you add or modify a password, pass automatically creates a git commit. To sync changes:

hljs bash
# Pull changes from other devices
pass git pull

# Push your changes
pass git push

# Or combine them
pass git pull && pass git push

The beauty here is that everything in the repository is encrypted. Even if someone gained access to your GitHub account, they'd only see encrypted .gpg files — useless without your private key.

Mobile Access with PassForios

For iOS users, PassForios is an excellent app that integrates seamlessly with your pass setup:

  1. Install PassForios from the App Store
  2. Import your GPG keys (use the exported keys from earlier)
  3. Connect to your Git repository
  4. Access your passwords on the go

PassForios syncs with your Git repository and decrypts passwords using your GPG keys, keeping everything in sync across your phone, laptop, and any other devices you use.

Real-World Experience

I've been using this setup for several years now, and it has proven incredibly reliable:

  • Multiple devices: Seamlessly works across MacBook, Linux workstation, and iPhone
  • Never lost access: Git history means I can recover any password or revert changes
  • Cross-platform: Used the same password store when switching between macOS and Linux
  • No subscriptions: Zero ongoing costs

The initial setup takes about 15 minutes, but afterward, it's faster and more reliable than any commercial password manager I've used. The command-line interface might seem intimidating at first, but it quickly becomes second nature.

Security Considerations

A few important points to keep in mind:

Private key security: Your GPG private key is the master key to everything. Keep it secure, back it up safely, and use a strong passphrase to protect it.

Git repository visibility: Always use a private repository. While the passwords are encrypted, metadata like filenames (which often contain service names) is visible.

Clipboard security: When using pass -c, passwords are copied to your clipboard. They're automatically cleared after 45 seconds, but be mindful of clipboard managers that might store history.

Passphrase strength: Your GPG passphrase is your last line of defense. Use a strong, unique passphrase that you'll remember.

Looking Ahead

This setup isn't just for personal use. In a future post, I'll cover how to use pass with development teams to share secrets like API keys, database credentials, and deployment tokens — all encrypted and version-controlled in your team repository.

Conclusion

Pass represents a different philosophy from commercial password managers: simplicity, ownership, and transparency. It trusts you to understand the tools you're using rather than hiding everything behind a proprietary interface.

Is it for everyone? Probably not. If you're uncomfortable with the command line or managing encryption keys, a commercial solution might be better. But if you value ownership, transparency, and the peace of mind that comes from battle-tested open-source tools, pass is worth the minimal setup effort.

Your passwords are too important to trust blindly. With pass and GPG, you know exactly where they are, how they're protected, and who has access to them. That's a level of control few commercial solutions can offer.

Want to read more?

View All Stories