gopass Password Manager

Overview

gopass is a GPG-encrypted password manager (compatible with pass). Credentials are stored in a git-backed directory structure with automatic encryption/decryption.

Credential Organization

Store each credential as its own entry rather than combining several secrets in one entry.

ADMINISTRATIO/servers/home-dc01/
├── Administrator     # Just the password
├── dsrm              # Just the DSRM password
└── meta              # Metadata (hostname, IP, etc.)

Each credential type gets its own entry. This allows:

  • Individual retrieval with clipboard

  • Better scripting

  • Cleaner git history

Basic Operations

List Entries

gopass ls
gopass ls ADMINISTRATIO/servers

Show Password

# Show password (prompts to unlock the GPG key)
gopass show ADMINISTRATIO/servers/home-dc01/Administrator

# Copy to clipboard (auto-clears after 45s)
gopass show -c ADMINISTRATIO/servers/home-dc01/Administrator

# Output only (no newline) - for scripts
gopass show -o ADMINISTRATIO/servers/home-dc01/Administrator

Generate Password

# Generate 32-character password
gopass generate ADMINISTRATIO/servers/home-dc01/Administrator 32

# With symbols (-s enables symbols; they are off by default)
gopass generate -s ADMINISTRATIO/servers/home-dc01/Administrator 32

# Copy to clipboard
gopass generate -c ADMINISTRATIO/servers/home-dc01/Administrator 32

Insert Entry

Single Line (Password Only)

# Interactive
gopass insert ADMINISTRATIO/servers/home-dc01/Administrator

# From stdin (scripting); a literal password typed on the command line is recorded in shell history
echo "MyPassword123" | gopass insert ADMINISTRATIO/servers/home-dc01/Administrator

Multi-Line with Heredoc

Heredoc is the preferred method for metadata entries.

gopass insert ADMINISTRATIO/servers/home-dc01/meta << 'EOF'
hostname: home-dc01
ip: 10.50.1.50
os: Windows Server 2025 Core
domain: inside.domusdigitalis.dev
roles: AD DS, DNS
deployed: 2026-02-09
notes: New forest, replaced old dc-01
EOF

The << 'EOF' syntax:

  • << starts heredoc

  • 'EOF' with quotes prevents variable expansion

  • Everything until EOF is input

  • EOF on its own line ends input

Edit Entry

# Opens in $EDITOR
gopass edit ADMINISTRATIO/servers/home-dc01/meta

Delete Entry

gopass rm ADMINISTRATIO/servers/home-dc01/old-entry

# Recursive (directory)
gopass rm -r ADMINISTRATIO/servers/decommissioned/

# Force (no confirmation)
gopass rm -f ADMINISTRATIO/servers/home-dc01/old-entry

Move/Rename

gopass mv ADMINISTRATIO/servers/old-name ADMINISTRATIO/servers/new-name

Clipboard Operations

With gopass

gopass show -c ADMINISTRATIO/servers/home-dc01/Administrator

With wl-copy (Wayland)

# Copy to Wayland clipboard (no auto-clear, unlike gopass show -c)
gopass show -o ADMINISTRATIO/servers/home-dc01/Administrator | wl-copy

# Paste from clipboard
wl-paste

Search

# Search entry names
gopass find home-dc01

# Search entry contents (decrypts all - slow!)
gopass grep "10.50.1.50"

# List and filter
gopass ls | grep -i server

Git Sync

gopass stores are git repositories:

# Sync with remote
gopass sync

# Git status
gopass git status

# Manual operations
gopass git pull
gopass git push

Server Deployment Example

Generate Credentials

# Administrator password
gopass generate ADMINISTRATIO/servers/home-dc01/Administrator 32

# DSRM password (for Domain Controllers)
gopass generate ADMINISTRATIO/servers/home-dc01/dsrm 32

Store Metadata

gopass insert ADMINISTRATIO/servers/home-dc01/meta << 'EOF'
hostname: home-dc01
ip: 10.50.1.50
os: Windows Server 2025 Core
domain: inside.domusdigitalis.dev
roles: AD DS, DNS
deployed: 2026-02-09
EOF

Retrieve for Use

# Copy Administrator password
gopass show -o ADMINISTRATIO/servers/home-dc01/Administrator | wl-copy

# Use in script
PASSWORD=$(gopass show -o ADMINISTRATIO/servers/home-dc01/Administrator)

Example Store Layout

ADMINISTRATIO/
├── servers/
│   ├── home-dc01/
│   │   ├── Administrator
│   │   ├── dsrm
│   │   └── meta
│   ├── ise-01/
│   │   └── admin
│   └── pfsense/
│       └── admin
├── services/
│   ├── vault/
│   │   ├── root-token
│   │   └── unseal-keys
│   └── ise/
│       ├── admin
│       └── ers-api
└── network/
    ├── switches/
    │   └── admin
    └── wlc/
        └── admin
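
A check for the layout above, as an added example that is not part of the original page or of gopass itself: it reads a flat listing with one entry path per line (the shape `gopass ls --flat` prints) and reports server directories that have no meta entry, plus entries stored directly under the prefix instead of in a per-server directory. The function names, finding labels and the legacy-fs entry are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a flat gopass listing against this page's convention
# (one directory per server, separate credential entries, plus a "meta" entry).

# Constructed sample listing, one entry path per line.
sample_listing() {
cat << 'EOF'
ADMINISTRATIO/servers/home-dc01/Administrator
ADMINISTRATIO/servers/home-dc01/dsrm
ADMINISTRATIO/servers/home-dc01/meta
ADMINISTRATIO/servers/ise-01/admin
ADMINISTRATIO/servers/pfsense/admin
ADMINISTRATIO/servers/legacy-fs
ADMINISTRATIO/services/vault/root-token
EOF
}

# audit_servers PREFIX: reads a flat listing on stdin and prints findings:
#   NO-META <dir>    server directory with entries but no meta entry
#   FLAT    <entry>  entry stored directly under PREFIX (not split per server)
audit_servers() {
    awk -F/ -v prefix="$1" '
        BEGIN { depth = split(prefix, parts, "/") }
        index($0, prefix "/") != 1 { next }        # outside the audited subtree
        NF == depth + 1 { flat[$0] = 1; next }     # no per-server directory
        {
            dir = prefix "/" $(depth + 1)
            seen[dir] = 1
            if (NF == depth + 2 && $NF == "meta") has_meta[dir] = 1
        }
        END {
            for (d in seen) if (!(d in has_meta)) print "NO-META " d
            for (e in flat) print "FLAT " e
        }
    ' | sort
}

# Against a live store (assumes gopass is installed and the store is readable):
#   gopass ls --flat | audit_servers ADMINISTRATIO/servers
sample_listing | audit_servers ADMINISTRATIO/servers
```

Only entry names are read, so the audit never decrypts a secret.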

Troubleshooting

GPG Key Not Found

# Check available keys
gpg --list-keys

# Check store's GPG ID
cat ~/.local/share/gopass/stores/root/.gpg-id

YubiKey Not Detected

# Check YubiKey
ykman info

# Check GPG card
gpg --card-status

# Restart GPG agent
gpgconf --kill gpg-agent
gpg --card-status

Quick Reference

Operation              Command
List all               gopass ls
Show password          gopass show path
Copy to clipboard      gopass show -c path
Output only            gopass show -o path
Generate password      gopass generate path 32
Insert (interactive)   gopass insert path
Insert (heredoc)       gopass insert path << 'EOF' … EOF
Edit                   gopass edit path
Delete                 gopass rm path
Search                 gopass find pattern
Sync                   gopass sync