I have been managing passwords with pass, the standard UNIX password manager, for a while now, and I cannot recommend it enough. This particular password manager excels in its simplicity: one password is stored in one file, encrypted by GnuPG, inside of a Git repository. Categories of passwords are elegantly represented by the directory structure of the password store. pass has a simple command line interface, which allows for easy interfacing with other software, such as dmenu or rofi, through shell scripting.

Synchronization across different devices can be be achieved by a simple git push or a git pull. This way you will not have to trust a company like LastPass to synchronize your passwords for you - especially if you host your own Git server! You will be able to access and manage your passwords on any device, as there are great clients available for many different platforms.

Let’s get started.


pass is available in the standard repositories of most Linux distributions. Installing should be as simple as:

  • Debian/Ubuntu: apt install pass
  • Fedora: yum install pass
  • OpenSUSE: zypper in password-store
  • Gentoo: emerge -av pass
  • Arch: pacman -S pass



To encrypt and decrypt your passwords, pass uses GnuPG (GPG for short). You will need a GPG keypair before creating your password store. If you do not have one yet, run:

gpg --full-generate-key

This will create a new GPG keypair in ~/.gnupg, by default. Make sure to enter a strong password when prompted; this is the master password that will be needed to decrypt the passwords in your password store. To view your new public GPG key, run:

gpg --list-keys

The output will look something like this:

pub   rsa4096 2022-11-05 [SC]
uid           [ultimate] Test User <test@testuser.com>
sub   rsa4096 2022-11-05 [E]

Creating the password store

We are now ready to create a new password store! Run the command below. Substitute <your-gpg-id> with your GPG ID; this is the long alphanumeric string in the output of gpg --list-keys (in my case, it is: BC7F6D5FD6DD8DEC1F108221D8C7A6C84D1E6029).

pass init <your-gpg-id>

That’s it! You have now set up your password store. A directory has been created in your home directory: ~/.password-store. This is where all your encrypted passwords will be stored.

Managing passwords

Let’s add some existing passwords to the password store. pass supports directories, which lets you organize passwords into (nested) categories. Below, we add a password for our Google account in the root of our password store, and one for GitLab in the ‘work’ folder.

pass insert google
pass insert work/gitlab

You will be prompted to enter and confirm the passwords. You can then list the passwords in your password store by running:


The output will look like this:

Password Store
├── google
└── work
    └── gitlab

To retrieve the password, use one of the following:

pass google 	# Output to terminal; or
pass -c google	# Copy to your clipboard

This will decrypt the file ~/.password-store/google.gpg, containing your password, and output it to your terminal or copy it to your clipboard if you pass the -c flag. Decrypting requires the password to your GPG key, which you will be prompted for.

Instead of continuing to use your old passwords (which you might re-use in several places), it is better to use randomly generated passwords for every account! To generate a new random password for my-account, use the pass generate:

pass generate my-account	# Generate password with 25 characters
pass generate -n my-account	# Do not use symbols in the password
pass generate my-account 15	# Generate a password with 15 characters

You can also update existing passwords this way; if the password already exists, you will be asked for confirmation to overwrite the existing password. Don’t worry, since pass uses Git, and every change to the password store is marked by a new commit, you can always revert back to previous versions of your passwords.

Of course, you can also manually edit passwords:

pass edit my-account

… and rename passwords:

pass mv my-account my-renamed-account

… and much more! For a full list of commands and options, simply type:

pass help

or check the man-page:

man pass

Pass and dmenu

pass comes installed with a handy script, passmenu, that allows you to query your passwords through dmenu, a powerful menu application. To select a password in dmenu and copy it to your clipboard, run:


passmenu can also type the password out for you. Binding the command below to a key combination is very powerful: simply click wherever you need to enter your password, hit the key combination, select the password you need, and passmenu will fill it in for you. This is much more powerful than using, for example, a browser plugin, as this approach works in any application; not just the browser!

passmenu --type

One-time passwords

One-time passwords (OTP) are commonly used for multi-factor authentication. They are mostly used through mobile apps, such as Google Authenticator or Microsoft Authenticator. A six-digit code is typically retrieved through such an app, which has to be entered as a second step during authentication.

You will be glad to learn that pass also supports OTP through the pass-otp extension. You will likely find it in the standard repositories of your Linux distribution.

Most websites that support OTP will show you a QR code that would normally have to be scanned by a smartphone app. Instead, download the image to your computer. I will assume you saved it to qr.png. You will need to install zbar, which should also be available in the standard repositories of your Linux distro, to decode the QR code.

Use the following command to decode the QR code, which contains the OTP secret, and append it to the password file of my-account:

zbarimg -q --raw qr.png | pass otp append my-account

You can also scan the QR code using your webcam:

zbarcam -q --raw | pass otp append my-account

If you now run pass my-account, you will see that an additional line has been added with the OTP secret, starting with otpauth://totp/.

Now, to retrieve an OTP token, simply run:

pass otp my-account

And you will see a six-digit OTP code being printed to your terminal. Pretty cool, right?

Unfortunately, no passmenu-otp script is packaged with pass-otp to use it in combination with dmenu, but it is very simple to create one yourself. Simply copy the passmenu script to a location in your $PATH, for example:

cp "$(which passmenu)" ~/.local/bin/passmenu-otp

Edit the script such that pass otp is called instead of just pass. The bottom five lines should now look like this:

if [[ $typeit -eq 0 ]]; then
	pass otp show -c "$password" 2>/dev/null
	pass otp show "$password" | { IFS= read -r pass; printf %s "$pass"; } | $xdotool

Once that’s done, just bind passmenu-otp to a key combination of your choice, and using one-time passwords will have just become a whole lot easier!

Unlock your GPG keyring at login

Decrypting the passwords in your password store requires you to enter the password of your GPG key every time, if you do not perform any further configuration. This can become annoying if you have to enter many passwords per day. A solution is to use gpg-agent (a key management daemon for GPG) and set the cache timeout to a high value. This would, however, still require you to enter the password at least once after logging in to your system. There is a useful project called pam-gnupg that automatically starts gpg-agent upon login and passes on your login password to it, in order to unlock your GPG key automatically. This, of course, does require you to have the same password for your GPG key and your Linux user.

If you run an Arch-based distro, you can install pam-gnupg trough the AUR. Otherwise, manual installation is also quite painless:

git clone 'https://github.com/cruegge/pam-gnupg'
cd pam-gnupg
sudo make install

Once installed, you need to edit the PAM configuration of your display manager. PAM is a framework for user authentication within Linux. I currently use lightdm, so in my case, I had to edit /etc/pam.d/lightdm, and add the following lines at the end:

auth     optional  pam_gnupg.so store-only
session  optional  pam_gnupg.so

To let gpg-agent accept the password passed on by pam-gnupg, add the following line to ~/.gnupg/gpg-agent.conf:


You probably also want to set the cache timeout to a large value, so that you will not be bothered with password prompts anyway, after the initial cached password times out. Add the following line to the same file to set the timeout to 86400 seconds, i.e., 24 hours:

max-cache-ttl 86400

Finally, you need to let pam-gnupg know which key to unlock. First, run:

gpg --list-secret-keys --with-keygrip

This will give you output similar to this:

sec   rsa4096 2022-11-05 [SC]
      Keygrip = CC63EC89672E3F8FDD0F2A24323BE34BA0D7317D
uid           [ultimate] Test User <test@testuser.com>
ssb   rsa4096 2022-11-05 [E]
      Keygrip = 3A4D0CF6F136972948B8370956002C4EA7EBF9BF

Copy the keygrip marked with [E], in my case 3A4D0CF6F136972948B8370956002C4EA7EBF9BF, and write it to ~/.pam-gnupg:

echo '3A4D0CF6F136972948B8370956002C4EA7EBF9BF' > ~/.pam-gnupg

Now log out and back into your system, and your GPG key should be automatically unlocked, freeing you from password prompts!

Clients on different platforms

There are several nice clients for pass on different platforms. To start with, there is a Qt-based cross-platform GUI front-end for called QtPass, which works on Linux, BSD, macOS and Windows. It is a full-fledged client, and a great option for those who do not care for the command line or dmenu-style interface.

The client I have most experience with (apart from passmenu) is the Android app called Password Store. You can synchronize your Git repository through HTTPS or SSH, and it supports Autofill and one-time passwords, among many other features. And all of that is packaged in a clean-looking user interface. You can find it on F-Droid. Highly recommended!

It looks like there is a similar open-source app for iPad and iPhone called Pass. I have no experience with this one, but it looks good and is well reviewed.

I occasionally use Windows for my day job, so I needed a client here as well. There is QtPass, but I was looking for a dmenu-like experience that I have gotten so used to on Linux. If you are like me, you will definitely like pass-winmenu. It offers a simple pop-up menu that reminds me of rofi, which can be brought up by pressing a configurable key combination.