Gopass is a password manager suitable for teams. It provides features such as:
Gopass stores all secrets in separate files in a directory structure. The files are encrypted for certain gpg-ids. The gpg-ids used for the encryption are stored in files named
More precisely, a file .gpg-id contains all public gpg-ids (in fact their fingerprints) which are used to encrypt all the files in the same folder and all subfolders. If there is another .gpg-id file in a subfolder, it in turn "overwrites" the keys for this subfolder and its sub-subfolders.
A simple gopass folder tree might look like:
gopass (gopass root)
├─ team
|  ├─ .public-keys (contains the team members' public keys)
|  |  └─ 8C6B83F071FBF4D45232FE9D4700C1 (contains public key; filename is fingerprint of key)
|  ├─ .gpg-id (contains the team's gpg ids)
|  └─ server-pw
└─ personal
   ├─ .gpg-id (contains only the personal id or ids)
   └─ email-pw
The default root folder is:
Gopass stores its configuration in a config.yml file; on Linux it is usually found in the folder ~/.config/gopass/. This config file can be handy for checking some config details, or - at your own risk (!) - for making manual config changes.
The public keys of the recipients are stored in the folder .public-keys/ in each store/mount.
sudo apt install gpg
gpg -k for existing keys
gpg --full-gen-key, for details see the corresponding paragraph below.
sudo apt-get install gopass, unless you want to install the "other" gopass.)
gopass init <gpg-id> for initialization in the default location (i.e.
<gpg-id> is the fingerprint of your public gpg-key.
gopass init <-p folder> <gpg-id>
If you have installed gopass with a package manager, you can use the same package manager to update gopass. If gopass has been installed manually, you'd need to re-install with a newer version in order to update.
For an overview of all commands, use gopass help:
List secrets of a particular store or subfolder (lists secret names, not the encrypted values)
Example: gopass personal
gopass insert <secret>
Example: gopass insert personal/email-pw
gopass edit <secret>
Example: gopass edit personal/email-pw
gopass <secret>
Example: gopass personal/email-pw
gopass -c <secret>
Example: gopass -c personal/email-pw
gopass rm <secret>
Example: gopass rm personal/email-pw
gopass mv <secret> <new secret>
Example: gopass mv personal/mailpassword otherfolder/email-pw
Search for secrets (i.e. for secret names, not for the private secret values). Search is case-insensitive.
gopass search <part of secret name>
Example: gopass search mail
Search within encrypted secrets. It can only find secrets which you are able to decrypt (you will be prompted for the passphrase of your private key):
gopass grep <word to find>
Example: gopass grep mail
Gopass supports multiple folder trees (repositories). They are called stores. Stores are very handy, e.g. if you have different git repositories containing different secret stores.
A store (repository) can be created and mounted (i.e. added to gopass) by:
gopass init --store <store-name> --path <path>
Example: gopass init --store personal --path ~/personal-path
Or mount a store directly from a remote git repo:
gopass clone [git-url] [store-name] --sync gitcli
Example: gopass clone email@example.com/myRepo/credentials.git personal --sync gitcli
Or you can mount an already existing local store:
gopass mounts add [store name] [path to local store]
Example: gopass mounts add mystore ~/repo/personal/store
gopass mounts unmount <store-name>
Example: gopass mounts unmount personal
Check the members for whom the secrets are encrypted:
gopass recipients
gopass recipients --store <store name>
Shows the recipients for each store, or for a specific store.
Only "top-level" recipients are shown; recipients of a subfolder are not shown if other recipients were defined in that subfolder's .gpg-id file.
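The .gpg-id inheritance rule from the folder-tree description above, and the limitation that gopass recipients only lists top-level recipients, can both be checked directly on disk. The script below is an added example, not part of gopass or of the original page; it assumes secrets are stored as files ending in .gpg and that each .gpg-id holds one id per line, and the function names and sample ids are made up for illustration.

```shell
#!/usr/bin/env bash
# Added example: report which recipients each secret is encrypted for.
# Assumptions: secrets are files ending in .gpg; .gpg-id has one id per line.

# Print the nearest .gpg-id at or above directory $2, staying inside store root $1.
nearest_gpg_id() {
    local root="${1%/}" dir="${2%/}"
    while :; do
        if [ -f "$dir/.gpg-id" ]; then
            printf '%s\n' "$dir/.gpg-id"
            return 0
        fi
        # Stop at the store root (or filesystem root) instead of climbing further.
        case $dir in "$root"|/|.) return 1 ;; esac
        dir=$(dirname "$dir")
    done
}

# Print "secret<TAB>id1,id2,..." for every secret below store root $1.
audit_store() {
    local root="${1%/}" file idfile ids
    find "$root" -type f -name '*.gpg' | LC_ALL=C sort | while IFS= read -r file; do
        if idfile=$(nearest_gpg_id "$root" "$(dirname "$file")"); then
            ids=$(grep -v '^[[:space:]]*$' "$idfile" | paste -sd, -)
        else
            ids='(no .gpg-id found)'
        fi
        file=${file#"$root"/}
        printf '%s\t%s\n' "${file%.gpg}" "$ids"
    done
}

# Build a constructed sample store; the short ids are made-up placeholders.
make_demo_store() {
    local root
    root=$(mktemp -d)
    mkdir -p "$root/team/ops" "$root/team/admin" "$root/personal"
    printf 'AAAA1111\nBBBB2222\n' > "$root/team/.gpg-id"
    printf 'AAAA1111\n' > "$root/team/admin/.gpg-id"   # overrides team/.gpg-id
    printf 'CCCC3333\n' > "$root/personal/.gpg-id"
    touch "$root/team/server-pw.gpg" "$root/team/ops/db-pw.gpg" \
          "$root/team/admin/root-pw.gpg" "$root/personal/email-pw.gpg"
    printf '%s\n' "$root"
}

# When called with a store path, audit that store.
if [ $# -gt 0 ]; then audit_store "$1"; fi
```

Running it against a store before and after gopass recipients rm shows whether a subfolder .gpg-id still lists the removed fingerprint.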
To add a new member you need to ensure that the new member's public key is already imported in gpg. If this is not the case, import the key e.g. by
gpg --import michaels_key.pub.asc
Add the new key to gopass (to be executed by a team member who already has access to the gopass store) by:
gopass recipients add [EMAIL or FINGERPRINT]
If several stores exist, gopass will prompt to select a store.
You can get the fingerprint of a key by:
gpg --fingerprint [keyname]
or list all keys including the fingerprints:
gpg --list-public-keys --with-fingerprint --with-colons
When adding a recipient with gopass recipients add, their public key will automatically be exported to the store in
The other team members can retrieve all changes by
E.g. if a team member has left the team: remove the key fingerprint from the .gpg-id file.
gopass recipients rm [FINGERPRINT]
Generate a new key as described above. A team member with a valid key can add the new key and remove the old one by:
gopass recipients add [NEW FINGERPRINT]
gopass recipients rm [OLD FINGERPRINT]
After that, the other team members need to import the new key:
echo "source <(gopass completion bash)" >> ~/.bashrc
Update May 2021
If you are already using gopass for storing your passwords, Gopass Bridge is a handy tool for easily entering passwords into web pages.
In order to use the Gopass Bridge you need
Use the steps below to install and configure gopass-jsonapi and Gopass Bridge for Ubuntu via the CLI.
(alternatively follow the description on: https://github.com/gopasspw/gopass-jsonapi/blob/main/README.md)
gopass -version) by:
curl -L https://github.com/gopasspw/gopass-jsonapi/releases/download/v1.11.1/gopass-jsonapi_1.11.1_linux_amd64.deb --output jsonapi.deb
sudo dpkg -i jsonapi.deb
gopass-jsonapi configure and answer the subsequent questions.
<password>
---
username: <username>
Click on the Gopass Bridge icon in your browser and enter the credential name, e.g. if the password has been stored in path /web/personal/github just enter git or another substring in order to search.