If you're not familiar with Pass, "the standard unix password manager", let me introduce you. It is a gpg-encrypted, git-backed, command-line password manager written by Jason Donenfeld, the guy behind WireGuard VPN. I first stumbled on this around 2013. Pass was already old in spirit by then. The man page helpfully lets people know that project information can be found on the "world wide web".
I wish I could say I was immediately hooked by the rich feature set and ease of use, but that's not true. It has none of that. What it does have is giant brass balls. The thing is called Pass because it is too cool for a googleable name! It just decides to be the standard password manager on every Unix by naming itself "the standard unix password manager". It is written in bash for ultimate portability! That is rockstar cred right there.
Pass doesn't have a UI except for its command-line script. It lets you edit files and handles decrypting, passing you into your favorite editor, re-encrypting, and committing your changes to git. It can show you the contents of your files or just shove the first line (the password, by convention) into the clipboard with pass -c. It has other features, but you can do so much with even that minimal set! It quickly became crucial infrastructure in my life and eventually I convinced Open Tech Strategies to use it. Before that we were using one giant symmetrically encrypted text file that we would unfurl into temp dirs to access. It was bonkers in the way that ad-hoc solutions grown into company-wide infrastructure tend to be.
Pass has one other amazing feature you should know about: you can write extensions for it. The extensions let it:
There are other extensions, but this is an amazing feature that grants you infinite flexibility in slinging your secrets around. It is the true superpower of pass, the thing that lets you integrate it with all kinds of pipelines.
Here's a taste of that power: I use direnv and my standard .envrc loads any envars it finds in .env. I can put something like this in my .env:
# This is a read-only token
GITLAB_TOKEN=$(pass kv api-token-read-only code.librehq.com)
Now, when I enter that directory, I get an envar containing my API token for code.librehq.com. GitLab will work and my API key never touches disk in plaintext: it lives only in the gpg-encrypted entry and in my shell's environment. Even if I accidentally commit my .env, I haven't exposed any secrets, because the file holds the pass invocation, not the token. (The usual environment-variable caveat applies: every child process of that shell inherits the token, so be deliberate about what you launch from there.) All this and more are described in my envrc repo.
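To make the extension mechanism concrete, here is an added example of what a "kv" extension could look like. This is not the extension I actually use and not code from the pass project; it assumes the common convention that line 1 of an entry is the password and later lines are "key: value" pairs. The file name, the key name and the GitLab-style token below are made up for illustration. pass finds extensions as $PASSWORD_STORE_DIR/.extensions/<command>.bash when PASSWORD_STORE_ENABLE_EXTENSIONS is set, sources the file with the remaining arguments, and the sourced file gets to use pass's own functions such as cmd_show and die.

```shell
# Hypothetical extension file: ~/.password-store/.extensions/kv.bash
# Enable with: export PASSWORD_STORE_ENABLE_EXTENSIONS=true
# Usage: pass kv <key> <entry>
#
# Assumed entry layout (a common pass convention, not enforced by pass):
#   line 1            the password
#   following lines   "key: value" pairs, e.g. "api-token-read-only: glpat-..."

# Read an entry on stdin, print the value stored under KEY, return 1 if absent.
# The first line is always skipped, so a password that happens to look like
# "key: value" can never be returned by mistake.
kv_lookup() {
    local key=$1 first line
    IFS= read -r first || return 1        # discard the password line
    while IFS= read -r line; do
        case $line in
            "$key: "*)
                printf '%s\n' "${line#"$key: "}"
                return 0
                ;;
        esac
    done
    return 1
}

# This part only runs when pass sources the file: cmd_show and die are pass's
# own functions and do not exist outside it, so the file is harmless to source
# from anywhere else (including a test harness).
if command -v cmd_show >/dev/null 2>&1; then
    [ "$#" -eq 2 ] || die "Usage: $PROGRAM kv key-name pass-name"
    cmd_show "$2" | kv_lookup "$1" || die "Key '$1' not found in '$2'."
fi
```

With an entry code.librehq.com whose second line reads "api-token-read-only: glpat-example", `pass kv api-token-read-only code.librehq.com` prints glpat-example and nothing else, which is exactly what the $(...) in .env wants. Note that an extension is plain bash running with everything pass can do, so anyone who can write to .extensions owns your store; if you care, set PASSWORD_STORE_SIGNING_KEY, which makes pass require a detached gpg signature on every non-system extension file before sourcing it.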
Check out pass. Once you start using it, you will never stop. And don't get curved by that CLI-only interface. Pass is so simple that there is a giant pile of implementations and UIs out there, including GUIs.
Note: pass has very specific security properties. Think carefully. Entry names are not encrypted, so the directory tree (and the git history) tells anyone who gets the repo which accounts you have; pass show prints the secret straight into your terminal and scrollback; pass -c clears the clipboard after 45 seconds by default, not instantly; and anything you $(pass ...) into an envar is visible to every process you start from that shell. It's a measure twice cut once kind of deal because pass comes with a lifetime supply of rope.