gopass Taxonomy & Architecture
Design Principles
| Principle | Rationale |
|---|---|
| Context-first hierarchy | Top level separates by ownership/domain (work vs personal vs shared) |
| Employer portability | Work credentials isolated per employer - easy offboarding |
| Type consistency | Same sub-structure across all contexts (ad/, network/, servers/, etc.) |
| Metadata-rich entries | Support for URL, username, TOTP, notes, tags for migration compatibility |
| Latin naming preserved | Maintains existing ARCANA, COMMERCIA, PERSONAE aesthetic |
| Import-friendly | Structure maps cleanly from 1Password, Bitwarden, LastPass exports |
Top-Level Taxonomy
```
gopass/
│
├── OPUS/                 # Work (employer-specific, portable)
│   ├── chla/             # Current employer
│   ├── <future>/         # Future employers
│   └── contracts/        # Contract/consulting work
│
├── DOMUS/                # Personal infrastructure (domusdigitalis.dev)
│   ├── ad/               # Active Directory
│   ├── network/          # Network devices
│   ├── servers/          # Server credentials
│   ├── storage/          # NAS, backup systems
│   ├── wifi/             # Wireless networks
│   ├── services/         # Self-hosted services
│   └── devices/          # Standalone devices (IPMI, UPS, printers)
│
├── ARCANA/               # Secrets & keys (non-login credentials)
│   ├── crypto/           # Encryption keys, passphrases
│   ├── api/              # API keys and tokens
│   ├── ssh/              # SSH key passphrases
│   ├── certificates/     # PKI-related secrets
│   ├── radius/           # RADIUS shared secrets
│   ├── recovery/         # Recovery codes, backup keys
│   └── totp-seeds/       # TOTP seeds (backup only)
│
├── COMMERCIA/            # Financial & business
│   ├── banking/          # Bank accounts
│   ├── cards/            # Credit/debit cards
│   ├── investments/      # Brokerage, retirement
│   ├── taxes/            # Tax services
│   ├── insurance/        # Insurance portals
│   └── licenses/         # Software licenses
│
├── PERSONAE/             # Personal accounts & identity
│   ├── identity/         # SSN, passport, IDs
│   ├── medical/          # Healthcare portals
│   ├── email/            # Email accounts
│   ├── social/           # Social media
│   ├── shopping/         # E-commerce
│   ├── gaming/           # Gaming platforms
│   ├── streaming/        # Media services
│   ├── travel/           # Airlines, hotels
│   └── web/              # Miscellaneous web logins
│
└── COMMUNIS/             # Shared/family credentials
    ├── household/        # Shared home services
    ├── subscriptions/    # Family subscriptions
    └── emergency/        # Emergency access info
```
OPUS (Work) - Detailed Structure
Isolated per employer for clean offboarding. Mirror structure across all employers.
```
OPUS/
├── chla/                     # Children's Hospital Los Angeles
│   ├── ad/                   # Active Directory
│   │   ├── erosado           # Primary AD account
│   │   ├── chlxsbg           # Service/secondary account
│   │   └── admin             # Privileged admin (if separate)
│   ├── network/              # Network infrastructure
│   │   ├── tacacs            # TACACS+ credentials
│   │   ├── ise-admin         # ISE GUI
│   │   ├── wlc-admin         # Wireless controller
│   │   └── dnac              # DNA Center
│   ├── servers/              # Server access
│   │   └── jumpbox
│   ├── cloud/                # Cloud services
│   │   ├── azure-ad
│   │   └── aws-console
│   ├── api/                  # API credentials
│   │   ├── ise-ers
│   │   └── servicenow
│   ├── vpn/                  # VPN credentials
│   │   └── globalprotect
│   └── apps/                 # Work applications
│       ├── servicenow
│       ├── workday
│       └── outlook
│
├── <future-employer>/        # Same structure
│   ├── ad/
│   ├── network/
│   └── ...
│
└── contracts/                # Consulting/contract work
    └── <client-name>/
        └── ...
```
Offboarding: the credentials under OPUS/<employer>/ belong to the employer, so leaving means handing over or rotating anything the team still relies on and then removing the subtree; it is not a reason to keep an exported copy. Note that `gopass rm -r OPUS/<employer>` only removes the secrets from the current revision: the git history behind the store still holds the encrypted files, so either rewrite that history or, simpler, keep work in its own store (see Store Architecture) and drop the whole repository.
DOMUS (Personal Infrastructure) - Detailed Structure
```
DOMUS/                        # inside.domusdigitalis.dev
├── ad/                       # Active Directory accounts
│   ├── administrator         # Built-in admin (emergency only)
│   ├── evanusmodestus        # Primary admin account
│   ├── gabriel               # Secondary/family account
│   └── dsrm                  # Directory Services Restore Mode
│
├── network/                  # Network devices
│   ├── pfsense/
│   │   ├── admin             # Web UI
│   │   └── ssh               # SSH access
│   ├── switch/
│   │   ├── 9300-core
│   │   └── 2960-access
│   ├── wlc/
│   │   ├── 9800-admin
│   │   └── mobility-express
│   └── ap/
│       └── default-credentials
│
├── servers/                  # Server credentials
│   ├── vault-01/
│   │   ├── root
│   │   └── deploy-user
│   ├── ise-02/
│   │   ├── admin
│   │   └── cli
│   ├── keycloak-01/
│   │   └── admin
│   ├── kvm-01/
│   │   └── root
│   ├── gitea/
│   │   └── admin
│   └── ipsk-mgr-01/
│       └── admin
│
├── storage/                  # Storage systems
│   ├── synology/
│   │   ├── admin
│   │   ├── api-token
│   │   └── quickconnect
│   └── truenas/              # Future
│       └── admin
│
├── wifi/                     # Wireless networks
│   ├── domus-secure          # Primary SSID (WPA3-Enterprise)
│   ├── domus-iot             # IoT SSID (iPSK)
│   └── domus-guest           # Guest network
│
├── services/                 # Self-hosted services
│   ├── vaultwarden/          # If using
│   │   └── admin
│   ├── nextcloud/
│   │   └── admin
│   └── home-assistant/
│       └── admin
│
└── devices/                  # Standalone devices
    ├── ipmi-01               # IPMI/iLO/iDRAC
    ├── ups-01                # UPS management
    └── printer-01
```
ARCANA (Secrets & Keys) - Detailed Structure
Non-login secrets, organized by type and context. Three cautions on what ends up here: Vault's unseal keys are Shamir shares whose whole point is to be held by separate people, so keeping every share next to the root token in one store reduces the quorum to whoever can decrypt that store (and the initial root token should be revoked after bootstrap and re-generated only when needed); TOTP seeds stored beside the matching password turn the second factor back into a first, so treat them as recovery material only; and if the GPG key behind `gpg-master` is the one that encrypts this store, its passphrase cannot usefully live inside the store it unlocks.
```
ARCANA/
├── crypto/                       # Encryption keys & passphrases
│   ├── domus/                    # Personal infra encryption
│   │   ├── age-primary           # Primary age key
│   │   ├── age-backup            # Backup age key
│   │   ├── luks-modestus-razer   # LUKS passphrase per device
│   │   ├── luks-modestus-p50
│   │   ├── luks-modestus-aw
│   │   ├── borg-passphrase       # Borg backup encryption
│   │   ├── borg-key              # Borg key file content
│   │   ├── gocryptfs-vault       # Gocryptfs vault password
│   │   ├── veracrypt-portable    # Portable encrypted drive
│   │   ├── seagate-ssd-1         # Tier 3 backup drive
│   │   └── seagate-ssd-2
│   └── personal/                 # Personal encryption
│       └── gpg-master            # GPG master key passphrase
│
├── api/                          # API keys and tokens
│   ├── domus/                    # Personal infra APIs
│   │   ├── ise-ers               # ISE ERS API
│   │   ├── ise-dataconnect       # ISE DataConnect
│   │   ├── vault-root-token      # Vault root token
│   │   ├── vault-unseal-keys     # Vault unseal keys
│   │   ├── cloudflare-dns        # Cloudflare API
│   │   └── pfsense-api
│   ├── cloud/                    # Cloud provider APIs
│   │   ├── aws-access-key
│   │   ├── azure-service-principal
│   │   ├── digitalocean
│   │   └── vultr
│   └── services/                 # Third-party service APIs
│       ├── github-pat            # GitHub Personal Access Token
│       ├── gitlab-pat
│       └── openai
│
├── ssh/                          # SSH key passphrases
│   ├── personal/                 # Personal keys
│   │   ├── id_ed25519            # Default key passphrase
│   │   ├── id_ed25519_github
│   │   ├── id_ed25519_gitlab
│   │   └── id_ed25519_deploy
│   └── yubikey/                  # YubiKey-resident keys
│       └── sk-ed25519            # Security key passphrase/PIN
│
├── certificates/                 # PKI-related secrets
│   ├── domus/
│   │   ├── root-ca-key           # Root CA private key passphrase
│   │   ├── issuing-ca-key        # Issuing CA key passphrase
│   │   └── code-signing-key
│   └── personal/
│       └── s-mime-key            # S/MIME email cert
│
├── radius/                       # RADIUS shared secrets
│   └── domus/
│       ├── ise-to-switch
│       ├── ise-to-wlc
│       └── ise-to-pfsense
│
├── recovery/                     # Recovery codes & backup keys
│   ├── 2fa-backup/               # 2FA recovery codes
│   │   ├── github
│   │   ├── google
│   │   ├── microsoft
│   │   └── cloudflare
│   └── account-recovery/         # Account recovery keys
│       ├── apple-recovery-key
│       └── google-recovery
│
└── totp-seeds/                   # TOTP secret seeds (if not in auth app)
    └── (store only if needed for backup)
```
Entry Metadata Format
Each entry should support these fields for migration compatibility:
Example entry, `DOMUS/servers/ise-02/admin`:

```
<password>
---
url: https://ise-02.inside.domusdigitalis.dev/admin
username: admin
totp: <TOTP-secret>   # Optional
notes: |
  ISE 3.3 admin GUI
  CLI access via SSH uses separate credential
tags: infrastructure, ise, cisco
created: 2026-02-09
modified: 2026-02-09
```

gopass treats the first line of a secret as the password and parses YAML metadata after the `---` separator; `gopass show -o` prints only that first line, and `gopass otp` reads the `totp:` key. Because the password is line 1, do not prefix it with a `password:` key, or the key name becomes part of the stored password. Free text such as notes belongs in a `|` block scalar so a `:` or `#` inside it is not parsed as YAML structure.
Migration from Other Password Managers
1Password Export
The 1Password CLI (`op`) has no export subcommand. Export a CSV from the desktop app (File > Export), or pull items with the CLI and convert them yourself; either way the export is plaintext on disk, so import it promptly and delete it.

```bash
# Enumerate items, then fetch each one as JSON
op item list --format json
op item get <item-id> --format json

# Map 1Password categories to gopass paths:
# Login -> PERSONAE/web/<name>
# Server -> DOMUS/servers/<name> or OPUS/<employer>/servers/<name>
# API Credential -> ARCANA/api/<name>
# Credit Card -> COMMERCIA/cards/<name>
```
Bitwarden Export
```bash
# Export from Bitwarden (needs an unlocked session; the JSON is plaintext on disk)
bw export --format json --output bitwarden-export.json

# gopass has no Bitwarden importer. gopass-jsonapi is the browser-extension
# bridge, not an import tool; convert the JSON with a script that feeds
# `gopass insert` and delete the export afterwards.
```
Import Script Template
```bash
#!/bin/bash
# import-passwords.sh - Template for importing from a simple CSV
# (columns: name,url,username,password,notes). Plain `read` splitting does
# not understand CSV quoting: a quoted field containing a comma is mis-split,
# so only use this on exports you have checked contain no quoted fields.
set -euo pipefail
tail -n +2 export.csv | while IFS=, read -r name url username password notes; do
  # Determine category based on URL or name patterns
  if [[ "$url" =~ chla\.usc\.edu ]]; then
    path="OPUS/chla/apps/${name}"
  elif [[ "$url" =~ domusdigitalis\.dev ]]; then
    path="DOMUS/services/${name}"
  else
    path="PERSONAE/web/${name}"
  fi
  # Insert with metadata. printf, not `echo -e`: echo would expand backslash
  # sequences inside the password and mis-handle one that starts with '-'.
  # Notes go in a YAML block scalar so a ':' or '#' in them is not parsed.
  printf '%s\n---\nurl: %s\nusername: %s\nnotes: |\n  %s\n' \
    "$password" "$url" "$username" "$notes" | gopass insert -m -f "$path"
done
```
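The entry format and the shell template above share one job: turning an export row into a gopass path plus a correctly laid-out secret body. The Python version below does that with a real CSV parser and without `echo -e`. It is an added example for this page, not gopass's own code and not the page's script. It assumes a header row with the columns name,url,username,password,notes (rename the columns of a 1Password or Bitwarden CSV to match), keeps the page's chla.usc.edu and domusdigitalis.dev routing, and the sample rows are constructed; `gopass insert -m -f` are the CLI's multiline and force flags.

```python
# csv_to_gopass.py - map a password-manager CSV export onto this taxonomy.
# Added example, not gopass's own code. Assumes columns
# name,url,username,password,notes with a header row; the employer domain
# chla.usc.edu comes from the page's template; sample rows are constructed.
import csv
import io
import json
import re
import subprocess
import sys
from urllib.parse import urlparse

# Host-suffix routes from the page's template, anchored so that hosts such as
# "evil-domusdigitalis.dev" or "domusdigitalis.dev.attacker.test" do not match.
ROUTES = [
    (re.compile(r"(^|\.)chla\.usc\.edu$"), "OPUS/chla/apps"),
    (re.compile(r"(^|\.)domusdigitalis\.dev$"), "DOMUS/services"),
]
DEFAULT_PREFIX = "PERSONAE/web"


def slug(name):
    """Lower-case the item name and collapse anything outside [a-z0-9._-] to '-';
    a '/' or leading '.' in a raw name would otherwise create a sub-directory."""
    s = re.sub(r"[^a-z0-9._-]+", "-", name.strip().lower()).strip("-.")
    return s or "unnamed"


def classify(url, name):
    """Return the gopass path for an item, chosen by the host suffix of its URL."""
    host = ""
    if url:
        host = urlparse(url if "://" in url else "https://" + url).hostname or ""
    for pattern, prefix in ROUTES:
        if pattern.search(host):
            return f"{prefix}/{slug(name)}"
    return f"{DEFAULT_PREFIX}/{slug(name)}"


def yaml_scalar(value):
    """Plain scalar when YAML reads it back unchanged, otherwise a double-quoted
    (JSON-compatible) scalar, e.g. for values containing ': ' or ' #'."""
    if value and not re.search(r"(: | #|^[-?:,\[\]{}#&*!|>'\"%@`]|^\s|\s$)", value):
        return value
    return json.dumps(value, ensure_ascii=False)


def render_entry(password, url="", username="", notes="", totp="", tags=()):
    """gopass layout used on this page: raw password on line 1, '---', then YAML.
    Notes use a '|' block scalar so free text is never parsed as structure."""
    if "\n" in password or "\r" in password:
        raise ValueError("password must be a single line")
    lines = [password, "---"]
    for key, value in (("url", url), ("username", username), ("totp", totp)):
        if value:
            lines.append(f"{key}: {yaml_scalar(value)}")
    if notes:
        lines.append("notes: |")
        lines.extend("  " + line for line in notes.splitlines())
    if tags:
        lines.append("tags: " + ", ".join(tags))
    return "\n".join(lines) + "\n"


def plan_import(csv_text):
    """Parse the export with the csv module (quoted fields with commas or newlines
    are handled, unlike `IFS=, read`) and return (path, body) pairs; no store I/O."""
    plan = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        password = row.get("password") or ""
        if not password:
            continue  # nothing to store (e.g. a secure note); handle separately
        path = classify(row.get("url") or "", row.get("name") or "")
        body = render_entry(password, url=row.get("url") or "",
                            username=row.get("username") or "",
                            notes=row.get("notes") or "")
        plan.append((path, body))
    return plan


def gopass_insert(path, body):
    """Write one entry. The body goes to gopass over stdin, never as an argument,
    so it is absent from `ps` and shell history. -m: multiline, -f: overwrite."""
    subprocess.run(["gopass", "insert", "-m", "-f", path], input=body.encode(), check=True)


# Constructed sample export: a quoted notes field with a comma and a colon, and
# a password that starts with '-' and contains a literal backslash-n.
SAMPLE_CSV = """name,url,username,password,notes
Workday,https://workday.chla.usc.edu,erosado,Tr0ub4dor&3,"Timesheets, approvals: manager queue"
Gitea,https://gitea.inside.domusdigitalis.dev,admin,-starts-with-dash\\n,local git
My Bank,https://www.examplebank.test,evan,hunter2,
"""

if __name__ == "__main__":
    # Dry run by default (prints target paths); add --write to insert into gopass.
    files = [a for a in sys.argv[1:] if not a.startswith("--")]
    text = open(files[0], encoding="utf-8").read() if files else SAMPLE_CSV
    for path, body in plan_import(text):
        print(path)
        if "--write" in sys.argv:
            gopass_insert(path, body)
```

`python3 csv_to_gopass.py export.csv` shows where every row would land; add `--write` to insert, then delete the plaintext CSV.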
Scaling Considerations
| Scenario | Structure Change | Notes |
|---|---|---|
| New employer | Add `OPUS/<employer>/` | Copy template, populate |
| Contract work | Add `OPUS/contracts/<client>/` | Time-boxed, easy cleanup |
| Home expansion (new site) | Add a per-site subtree | e.g., vacation home, rental property |
| Family members | Expand `COMMUNIS/` | Consider separate gopass store for isolation |
| Team sharing | Mount shared gopass store | A mounted store has its own recipient list, which is also its access list |
Store Architecture
```
~/.local/share/gopass/
├── stores/
│   ├── root/          # Primary personal store (this taxonomy)
│   ├── work-chla/     # Optional: separate store for work
│   └── family/        # Optional: shared family store
```
For maximum isolation, keep work in its own store. A mounted store is a separate git repository with its own recipient list (`.gpg-id`), so work secrets can be encrypted to a work key only, synced to a work remote, and removed wholesale at offboarding (`gopass mounts remove` plus deleting the directory) without touching personal history:

```bash
# Initialize work as a separate store. --store creates it under
# ~/.local/share/gopass/stores/work-chla and mounts it as work-chla/ in one step.
gopass init --store work-chla

# `mounts add` is only for attaching a store that already exists on disk
# (e.g. one you cloned); running it after init would mount the store twice.
# gopass mounts add work ~/.local/share/gopass/stores/work-chla

# Access: gopass show work-chla/ad/erosado
```
Quick Reference
| Need | Path |
|---|---|
| Work AD password | `OPUS/chla/ad/erosado` |
| Home AD password | `DOMUS/ad/evanusmodestus` |
| pfSense admin | `DOMUS/network/pfsense/admin` |
| ISE DataConnect API | `ARCANA/api/domus/ise-dataconnect` |
| Bank login | `COMMERCIA/banking/<bank>` |
| GitHub 2FA recovery | `ARCANA/recovery/2fa-backup/github` |
| Netflix shared password | `COMMUNIS/subscriptions/netflix` |