Gopass is a password-manager suitable for teams. It provides features such as:
Gopass stores all secrets in separate files in a directory structure. The files are encrypted for certain gpg-ids. The gpg-ids used for the encryption are stored in a .gpg-id file. More precisely, a .gpg-id file contains all public gpg-ids (actually their fingerprints) which encrypt all the files in the respective folder and its subfolders. If there is another .gpg-id file in a subfolder, it "overwrites" the .gpg-id of the superfolder.
A simple gopass folder tree might look like:
gopass (gopass root)
├─ team
|  ├─ .public-keys (contains the team members' public keys)
|  |  └─ 8C6B83F071FBF4D45232FE9D4700C1 (contains public key; filename is fingerprint of key)
|  ├─ .gpg-id (contains the team's gpg ids)
|  └─ server-pw
└─ personal
   ├─ .gpg-id (contains only the personal id or ids)
   └─ email-pw
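The override rule ("nearest .gpg-id wins") can be checked mechanically. The POSIX shell script below is an added example, not part of these notes and not code from the gopass project: effective_gpg_id walks up from a secret's folder to the nearest .gpg-id file, and effective_recipients prints the fingerprints that secret is actually encrypted for. The demo tree it builds under mktemp is constructed here, with made-up fingerprints and empty placeholder files standing in for the gpg-encrypted ones.

```shell
#!/bin/sh
# Which .gpg-id file governs a secret? Walking up from the secret's own folder
# to the store root, the first .gpg-id file found is the one whose recipients
# the secret is encrypted for; a deeper .gpg-id overrides the ones above it.
#
# effective_gpg_id STORE_ROOT SECRET_PATH -> prints the governing .gpg-id path
effective_gpg_id() {
  root=${1%/}
  dir=$(dirname "$root/$2")
  while :; do
    if [ -f "$dir/.gpg-id" ]; then
      printf '%s\n' "$dir/.gpg-id"
      return 0
    fi
    [ "$dir" = "$root" ] && return 1   # reached the store root without a hit
    dir=$(dirname "$dir")
  done
}

# effective_recipients STORE_ROOT SECRET_PATH -> one fingerprint per line
effective_recipients() {
  f=$(effective_gpg_id "$1" "$2") || return 1
  grep -v '^[[:space:]]*$' "$f"     # .gpg-id holds one id per line; skip blanks
}

# Constructed demo tree (not a real gopass store): placeholder files instead of
# gpg-encrypted ones, and the fingerprints are made up.
DEMO=$(mktemp -d)
trap 'rm -rf "$DEMO"' EXIT
mkdir -p "$DEMO/team/infra" "$DEMO/personal"
printf '%s\n' FPR-ME-CONSTRUCTED > "$DEMO/.gpg-id"
printf '%s\n' FPR-ME-CONSTRUCTED FPR-ALICE-CONSTRUCTED FPR-BOB-CONSTRUCTED > "$DEMO/team/.gpg-id"
printf '%s\n' FPR-ME-CONSTRUCTED > "$DEMO/personal/.gpg-id"
: > "$DEMO/team/server-pw.gpg"
: > "$DEMO/team/infra/db-pw.gpg"      # no .gpg-id in team/infra: inherits team/.gpg-id
: > "$DEMO/personal/email-pw.gpg"

for secret in team/server-pw team/infra/db-pw personal/email-pw; do
  printf '%s is encrypted for (%s):\n' "$secret" "$(effective_gpg_id "$DEMO" "$secret")"
  effective_recipients "$DEMO" "$secret" | sed 's/^/  /'
done
```

On a real store, call for example effective_recipients ~/.password-store team/server-pw and compare the result with the top-level list that gopass recipients prints; the two differ exactly where a subfolder carries its own .gpg-id file.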
The default root folder is: ~/.password-store/
Gopass stores its configuration in a config.yml file; on Linux it is usually found in the folder ~/.config/gopass/. This config file can be handy for checking some config details, or - at your own risk (!) - for making manual config changes.
The public keys of the recipients are stored in the folder .public-keys/ in each store/mount.
Install gpg:
sudo apt install gpg
Check for existing keys:
gpg -k
Generate a new key (for details see the corresponding paragraph below):
gpg --full-gen-key
Install gopass:
sudo apt-get install gopass
without having ensured that gopass refers to the intended one.)
Initialise the root store in ~/.password-store/ with:
gopass init <gpg-id>
, where <gpg-id> is the fingerprint of your public gpg-key.
Initialise a store in a different folder:
gopass init <-p folder> <gpg-id>
If you have installed gopass with a package manager, you can use the same package manager to update gopass. If gopass has been installed manually, you'd need to re-install with a newer version in order to update.
For an overview of all commands, use gopass help:
gopass -h
List the secrets of a particular store or subfolder (lists secret names, not the encrypted values):
gopass
Example: gopass personal
Insert a new secret:
gopass insert <secret>
Example: gopass insert personal/email-pw
Edit an existing secret:
gopass edit <secret>
Example: gopass edit personal/email-pw
Show a secret:
gopass <secret>
Example: gopass personal/email-pw
Copy a secret to the clipboard instead of showing it:
gopass -c <secret>
Example: gopass -c personal/email-pw
Remove a secret:
gopass rm <secret>
Example: gopass rm personal/email-pw
Move or rename a secret:
gopass mv <secret> <new-secret>
Example: gopass mv personal/mailpassword otherfolder/email-pw
Search for secrets (i.e. for secret names, not for the private secret values). Search is case-insensitive.
gopass search <part of secret name>
Example: gopass search mail
Search within the contents of the encrypted secrets. It can only find secrets which you are able to decrypt (you will be prompted for the passphrase of your private key):
gopass grep <word to find>
Example: gopass grep mail
Gopass supports multiple folder trees or repositories. They are called stores. Stores are very handy, e.g. if you have different git repositories containing different secret-stores.
List the mounted stores:
gopass mounts
A store (repository) can be mounted (i.e. added to gopass) by:
gopass init --store <store-name> --path <path>
Example: gopass init --store personal --path ~/personal-path
Or mount a store directly from a remote git repo:
gopass clone [git-url] [store-name] --sync gitcli
Example: gopass clone git@gitserver.com:myRepo/credentials.git personal --sync gitcli
Unmount a store:
gopass mounts unmount <store-name>
Example: gopass mounts unmount personal
Check the members for whom the secrets are encrypted:
gopass recipients
gopass recipients --store <store name>
Shows the recipients for each store or for a specific store.
Only shows the "top-level" recipients; it does not show the recipients of a subfolder if other recipients were defined in that subfolder's .gpg-id file.
Add a recipient, for example for a new team member. A team member who already has access to the gopass store can add the new key by:
gopass recipients add [FINGERPRINT]
If several stores exist, gopass will prompt to select a store.
Determine the fingerprint for the key by:
gpg --fingerprint [keyname]
or list all keys incl. fingerprint:
gpg --list-public-keys --with-fingerprint --with-colons
When adding a recipient with gopass recipients add, their public key will automatically be exported to the store in .public-keys/<ID>.
The other team members can retrieve all changes by gopass sync.
Remove a recipient, e.g. if a team member has left the team. This removes the key fingerprint from the .gpg-id file:
gopass recipients rm [FINGERPRINT]
Replace a key: generate a new key as described above. A team member with a valid key can add the new key and remove the old one by:
gopass recipients add [NEW FINGERPRINT]
gopass recipients rm [OLD FINGERPRINT]
After that, the other team members need to import the new key:
gopass sync
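After a removal or a key rotation it is worth verifying that the old fingerprint is gone from every .gpg-id file of the store, because a subfolder's own .gpg-id file overrides the top-level one and is easy to overlook. The script below is an added example, not from these notes and not gopass code: audit_removed_recipient greps all .gpg-id files below a store root for a fingerprint, and public_key_exported reports whether the exported copy of that key is still present in .public-keys/. The demo store is constructed inline with made-up fingerprints; it models the state where the top-level .gpg-id was already updated but team/.gpg-id still lists the old member. Removing a recipient cannot retract what that member could already decrypt, so the secrets they had access to should be changed as well.

```shell
#!/bin/sh
# audit_removed_recipient STORE_ROOT FINGERPRINT
#   Prints every .gpg-id file below the store (subfolders included) that still
#   lists FINGERPRINT as a whole line. Returns 1 if any were found, 0 if gone.
audit_removed_recipient() {
  root=${1%/}
  fpr=$2
  # -l prints only file names, -x matches whole lines, -F takes the id literally
  hits=$(find "$root" -type f -name .gpg-id -exec grep -lxF "$fpr" {} + 2>/dev/null || true)
  if [ -n "$hits" ]; then
    printf 'fingerprint %s is still listed in:\n%s\n' "$fpr" "$hits"
    return 1
  fi
  printf 'fingerprint %s is not listed in any .gpg-id file under %s\n' "$fpr" "$root"
  return 0
}

# public_key_exported STORE_ROOT FINGERPRINT -> 0 if .public-keys/<FINGERPRINT> exists
public_key_exported() {
  [ -f "${1%/}/.public-keys/$2" ]
}

# Constructed demo (not a real gopass store). Fingerprints are made up.
OLD=FPR-OLD-MEMBER-CONSTRUCTED
NEW=FPR-NEW-MEMBER-CONSTRUCTED
DEMO=$(mktemp -d)
trap 'rm -rf "$DEMO"' EXIT
mkdir -p "$DEMO/team" "$DEMO/.public-keys"
printf '%s\n' "$NEW" > "$DEMO/.gpg-id"              # top level already updated
printf '%s\n' "$OLD" "$NEW" > "$DEMO/team/.gpg-id"  # subfolder still lists OLD
: > "$DEMO/.public-keys/$OLD"                       # exported key still present

audit_removed_recipient "$DEMO" "$OLD" || echo "=> remove $OLD from the listed files, then re-run"
if public_key_exported "$DEMO" "$OLD"; then
  echo "exported public key $OLD is still in .public-keys/"
fi
```

On a real store, run audit_removed_recipient ~/.password-store <OLD FINGERPRINT> (or the path of the respective mount) after gopass recipients rm and before the next gopass sync, so that a stale subfolder .gpg-id is caught before other team members pull it.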
https://github.com/gopasspw/gopass/blob/master/docs/faq.md
https://woile.github.io/posts/sharing-team-secrets/
https://blog.codecentric.de/en/2019/02/manage-team-passwords-gopass/
https://github.com/gopasspw/gopass/blob/master/docs/config.md