gopass OTP: Adding TOTP Secrets

Identify Your Secret Format

Format           Looks Like                          Action
Base32 (common)  ABCD EFGH IJKL MNOP (A-Z, 2-7)      Paste directly, spaces auto-removed
Hex (rare)       DE AD BE EF 12 34 (0-9, A-F only)   Convert to Base32

Template: Base32 Key (Most Sites)

GitLab, GitHub and AWS hand out Base32 keys. Paste the key, spaces and all, into KEY=:

# Fill these in - paste spaced key directly
SITE="GitLab"
USER="user@example.com"
GOPASS_PATH="v3/personal/social/gitlab/username-otp"
KEY="ABCD EFGH IJKL MNOP QRST UVWX YZ23 4567"

# Removes spaces automatically
SECRET="${KEY// /}"

gopass insert -m "$GOPASS_PATH" << EOF
otpauth://totp/${SITE}:${USER}?secret=${SECRET}&issuer=${SITE}
EOF

Template: Hex Key (Rare)

Only use this if the site gives you hex (0-9, A-F characters only):

HEX="DEAD BEEF 1234 5678 9ABC DEF0"
SITE="LegacyService"
USER="admin"
GOPASS_PATH="v3/domains/d000/servers/legacy-otp"

# Strip spaces, decode hex to raw bytes, re-encode as unpadded Base32.
# -w0 keeps GNU base32 from wrapping long keys onto a second line.
SECRET=$(echo "$HEX" | tr -d ' ' | xxd -r -p | base32 -w0 | tr -d '=')
gopass insert -m "$GOPASS_PATH" << EOF
otpauth://totp/${SITE}:${USER}?secret=${SECRET}&issuer=${SITE}
EOF

Generate Code

gopass otp v3/personal/social/gitlab/username-otp

Troubleshooting: Invalid OTP Code

TOTP requires accurate system time. If codes are rejected, check NTP sync:

timedatectl status

If the output shows "System clock synchronized: no" or "NTP service: inactive":

sudo timedatectl set-ntp true

Verify sync is active:

timedatectl status
# Should show: System clock synchronized: yes
# Should show: NTP service: active