gopass

Operational gopass patterns for the domus credential store.

Store Operations

List all entries in tree format
gopass ls
List entries flat — one per line, scriptable
gopass ls -f
Count all secrets in the store
gopass ls -f | wc -l

Reading Secrets

Show a secret — first line is the password, rest is metadata
gopass show infra/db/prod
Copy password to clipboard — auto-clears after 45 seconds
gopass show -c infra/db/prod
Show only the password — first line, no metadata
gopass show -o infra/db/prod
Extract a specific YAML key from an entry
gopass show -f infra/db/prod username
Output binary or multiline content — no metadata parsing
gopass cat infra/certs/ca.pem
Copy binary entry to filesystem — certificates, keys
gopass fscopy infra/certs/cert.pem /tmp/cert.pem

Writing Secrets

Insert a new secret interactively
gopass insert infra/db/staging
Generate a 32-character random password at path
gopass generate infra/tokens/api 32
Generate a 32-character password that also includes symbols
gopass generate -s infra/tokens/api 32
Edit an entry in $EDITOR
gopass edit infra/db/prod
Interactive wizard — prompts for a category and name, then generates the password
gopass create
Search entry names matching a pattern
gopass find db
Search entry contents — decrypts all entries, slow on large stores
gopass grep "admin"

Organization

Move or rename an entry
gopass mv infra/old infra/new
Copy an entry to a new path
gopass cp infra/db/prod infra/db/staging
Delete an entry
gopass rm infra/db/deprecated

Mounted Stores

gopass supports multiple sub-stores, each with its own GPG recipients and git repo. This is how you separate personal, work, and team secrets.

List all mounted stores
gopass mounts
Mount a shared team password store
gopass mounts add team /path/to/team-store
List recipients who can decrypt the store
gopass recipients
Add a recipient — re-encrypts all secrets for the new key
gopass recipients add <GPG-ID>
Remove a recipient
gopass recipients rm <GPG-ID>

Sync & Audit

Sync all mounted stores — git pull and push
gopass sync
Audit all passwords — flags weak passwords, duplicates and old entries
gopass audit

OTP

Generate and copy TOTP code from stored secret
gopass otp infra/service -c

Scripting Patterns

Extract a password for use in a script — suppresses all metadata
DB_PASS=$(gopass show -o infra/db/prod)
Pipe a certificate to openssl for inspection
gopass cat infra/certs/server.pem | openssl x509 -noout -subject -dates
Walk every infra/ entry and report each password's byte length — decrypts every entry, useful for verifying a store before backup
gopass ls -f | awk '/^infra\//{print}' | while read -r path; do
    echo "$path: $(gopass show -o "$path" | wc -c) bytes"
done
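The two patterns above (reading the first line as the password, then pulling a named field out of the metadata, and feeding the result into a script without leaking it) can be done in a few shell functions. The block below is an added example, not from the page or the gopass project. It assumes the secret layout the Reading Secrets section describes (password on the first line, "key: value" lines after it) and uses `gopass cat` only inside `fetch_field`; SAMPLE_BODY is a constructed stand-in for a decrypted entry, so the demo runs without a store.

```shell
#!/usr/bin/env bash
# Added example (not gopass project code): parse a gopass secret body locally.
# Layout assumed: first line = password, following lines = "key: value".
# SAMPLE_BODY is a constructed stand-in for the output of `gopass cat <path>`.

SAMPLE_BODY='example-password-not-real
username: app_rw
url: db.internal.example:5432
comment: constructed sample, not a real entry'

# Print the password: the first line of the body read from stdin.
secret_password() {
    IFS= read -r first || [ -n "$first" ]
    printf '%s\n' "$first"
}

# Print the value of metadata key $1 from the body on stdin.
# Only lines after the password line are searched, the match is exact on
# "key:" (so "user" does not match "username:"), the first hit wins, and
# the function returns 1 when the key is absent.
secret_field() {
    awk -v key="$1" '
        NR == 1 { next }                      # never treat the password as metadata
        index($0, key ":") == 1 {
            value = substr($0, length(key) + 2)
            sub(/^[ \t]+/, "", value)
            print value
            found = 1
            exit
        }
        END { exit found ? 0 : 1 }
    '
}

# Refuse to continue with an empty value (typical symptom of a mistyped path).
# The value itself is never echoed, so a failure leaves nothing in logs.
require_nonempty() {  # usage: require_nonempty "$value" <label>
    [ -n "$1" ] || { printf 'error: empty secret for %s\n' "$2" >&2; return 1; }
}

# Fetch one entry with `gopass cat` (raw body) and parse it locally.
# The secret travels through a pipe and a shell variable, never as a
# command-line argument, so it does not show up in `ps` or shell history.
fetch_field() {  # usage: fetch_field <entry-path> [key]
    body=$(gopass cat "$1") || return 1
    if [ -z "${2:-}" ]; then
        printf '%s\n' "$body" | secret_password
    else
        printf '%s\n' "$body" | secret_field "$2"
    fi
}

# Stand-alone demo on the constructed sample (no store access needed).
main() {
    user=$(printf '%s\n' "$SAMPLE_BODY" | secret_field username)
    require_nonempty "$user" "sample username" || return 1
    pass=$(printf '%s\n' "$SAMPLE_BODY" | secret_password)
    require_nonempty "$pass" "sample password" || return 1
    printf 'username=%s password_length=%d\n' "$user" "${#pass}"
}

main
```

In a real script replace the sample with `fetch_field infra/db/prod username` and `fetch_field infra/db/prod`; keeping the values in variables (rather than interpolating them into another command's arguments) is what keeps them out of the process list.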