Gopass is a password manager suitable for teams. It provides features such as:
Gopass stores all secrets in separate files in a directory structure. The files are encrypted for certain gpg-ids. The gpg-ids used for the encryption are stored in a .gpg-id file. More precisely, a .gpg-id file contains all public gpg-ids (actually their fingerprints) for which all the files in the respective folder and its subfolders are encrypted. If there is another .gpg-id file in a subfolder, it overrides the .gpg-id of the parent folder.
A simple gopass folder tree might look like:
gopass (gopass root)
├─ team
|  ├─ .public-keys (contains the team members' public keys)
|  |  └─ 8C6B83F071FBF4D45232FE9D4700C1 (contains public key; filename is fingerprint of key)
|  ├─ .gpg-id (contains the team's gpg ids)
|  └─ server-pw
└─ personal
   ├─ .gpg-id (contains only the personal id or ids)
   └─ email-pw
The default root folder is:
Gopass stores its configuration in a config.yml file; on Linux it is usually found in the folder ~/.config/gopass/. This config file can be handy for checking some config details, or - at your own risk (!) - for making manual config changes.
The public keys of the recipients are stored in the folder .public-keys/ in each store/mount.
sudo apt install gpg
gpg -k, to list existing keys
gpg --full-gen-key, to generate a new key; for details see the corresponding paragraph below.
sudo apt-get install gopass without having ensured that gopass refers to the intended one.)
gopass init <gpg-id>, where <gpg-id> is the fingerprint of your public gpg key.
To initialise the store in a specific folder:
gopass init -p <folder> <gpg-id>
If you have installed gopass with a package manager, you can use the same package manager to update gopass. If gopass has been installed manually, you'd need to re-install with a newer version in order to update.
For an overview of all commands, use gopass help:
List the secrets of a particular store or subfolder (lists secret names, not the encrypted values):
Example: gopass personal
Insert a new secret:
gopass insert <secret>
Example: gopass insert personal/email-pw
Edit a secret:
gopass edit <secret>
Example: gopass edit personal/email-pw
Show a secret:
gopass <secret>
Example: gopass personal/email-pw
Copy a secret to the clipboard instead of showing it:
gopass -c <secret>
Example: gopass -c personal/email-pw
Remove a secret:
gopass rm <secret>
Example: gopass rm personal/email-pw
Move or rename a secret:
gopass mv <secret> <new secret name>
Example: gopass mv personal/mailpassword otherfolder/email-pw
Search for secrets (i.e. for secret names, not for the private secret values). The search is case-insensitive:
gopass search <part of secret name>
Example: gopass search mail
Search within the encrypted secrets. This can only find secrets which you are able to decrypt (you will be prompted for the passphrase of your private key):
gopass grep <word to find>
Example: gopass grep mail
Gopass supports multiple folder trees or repositories. They are called stores. Stores are very handy, e.g. if you have different git repositories containing different secret stores.
A store (repository) can be mounted (i.e. added to gopass) by:
gopass init --store <store-name> --path <path>
Example: gopass init --store personal --path ~/personal-path
Or mount a store directly from a remote git repo:
gopass clone [git-url] [store-name] --sync gitcli
Example: gopass clone firstname.lastname@example.org/myRepo/credentials.git personal --sync gitcli
Unmount a store:
gopass mounts unmount <store-name>
Example: gopass mounts unmount personal
Check the members for whom the secrets are encrypted:
gopass recipients
gopass recipients --store <store name>
Shows the recipients for each store, or for a specific store, respectively.
This only shows the "top-level" recipients; it does not show the recipients of a subfolder if other recipients were defined in that subfolder's .gpg-id file.
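Because gopass recipients only reports the top-level recipients, a subfolder .gpg-id can silently widen or narrow who can decrypt its secrets. The following POSIX sh script is an added example (not part of gopass or of this guide): it applies the nearest-.gpg-id rule described at the top of the page to every secret in a store, and lists which secrets a given fingerprint can decrypt, which is the set to rotate when that recipient is removed. Function names, the sample store layout and the fingerprints are constructed for the example.

```shell
# effective_gpgid STORE_ROOT DIR: print the .gpg-id file that applies to DIR,
# i.e. the nearest one in DIR itself or in a parent folder up to the store root.
effective_gpgid() {
  root=$1; dir=$2
  while :; do
    if [ -f "$dir/.gpg-id" ]; then printf '%s\n' "$dir/.gpg-id"; return 0; fi
    [ "$dir" = "$root" ] && return 1     # reached the root without finding one
    dir=$(dirname "$dir")
  done
}

# audit_recipients STORE_ROOT: one line per secret, "<name> <fingerprint...>"
audit_recipients() {
  root=$1
  find "$root" -type f -name '*.gpg' | sort | while read -r f; do
    idfile=$(effective_gpgid "$root" "$(dirname "$f")") ||
      { echo "no .gpg-id applies to $f" >&2; continue; }
    rel=${f#"$root"/}; rel=${rel%.gpg}
    # .gpg-id lists one fingerprint per line; drop comments/blank lines, join
    fprs=$(sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$idfile" | tr '\n' ' ')
    printf '%s %s\n' "$rel" "${fprs% }"
  done
}

# secrets_for STORE_ROOT FINGERPRINT: names of secrets FINGERPRINT can decrypt
# (useful before removing a recipient: these are the secrets to rotate)
secrets_for() {
  audit_recipients "$1" |
    awk -v fp="$2" '{ for (i = 2; i <= NF; i++) if ($i == fp) { print $1; break } }'
}

# make_sample_store: throw-away store with constructed (fake) fingerprints,
# mirroring the page's layout: team/ has its own .gpg-id, personal/ another.
make_sample_store() {
  d=$(mktemp -d)
  mkdir -p "$d/team/infra" "$d/personal"
  printf 'AAAA1111\nBBBB2222\n' > "$d/.gpg-id"
  printf 'AAAA1111\nBBBB2222\nCCCC3333\n' > "$d/team/.gpg-id"
  printf 'AAAA1111\n' > "$d/personal/.gpg-id"
  : > "$d/team/server-pw.gpg"; : > "$d/team/infra/db-pw.gpg"; : > "$d/personal/email-pw.gpg"
  printf '%s\n' "$d"
}

if [ "${1:-}" = "--demo" ]; then
  store=$(make_sample_store)
  audit_recipients "$store"        # team/infra/db-pw inherits team/.gpg-id
  secrets_for "$store" CCCC3333    # -> team/infra/db-pw, team/server-pw
  rm -rf "$store"
fi
```

Run it against a real store by calling audit_recipients with the store's root path (the default root or a mount's --path); the names it prints correspond to what gopass would list for that store.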
Adding a recipient, for example a new team member: a team member who already has access to the gopass store can add the new key by:
gopass recipients add [FINGERPRINT]
If several stores exist, gopass will prompt to select a store.
Determine the fingerprint for the key by:
gpg --fingerprint [keyname]
or list all keys including their fingerprints:
gpg --list-public-keys --with-fingerprint --with-colons
When adding a recipient with gopass recipients add, their public key will automatically be exported to the store's .public-keys/ folder.
The other team members can retrieve all changes by
Removing a recipient, e.g. if a team member has left the team, removes the key fingerprint from the .gpg-id file:
gopass recipients rm [FINGERPRINT]
Replacing a key: generate a new key as described above. A team member with a valid key can add the new key and remove the old one by:
gopass recipients add [NEW FINGERPRINT]
gopass recipients rm [OLD FINGERPRINT]
After that, the other team members need to import the new key: