Unnamed repository; edit this file 'description' to name the repository.

Clone   Log   Files   Readme


zip   older archives


* master



git clone ssh://
git clone git://


DateAuthor (GPG Key)CommitComment
2020-05-26joedoe47 (54645C2F669F1189)cbae37fkey change
2020-05-23joedoe47 (54645C2F669F1189)2752ec2change key
2020-01-08joedoe47 (D7D9DC93B1538725)32f4f3csmall change.
2019-01-13joedoe47 (D7D9DC93B1538725)d3ddc72Mon Jan 14 04:36:34 UTC 2019 see CHANGELOG for more details
2018-12-27joedoe47 (D7D9DC93B1538725)53326f7forgot to sign
2018-12-27joedoe47 ()579a726editing help display
2018-09-04joedoe47 (D7D9DC93B1538725)b990663allow for proper encryption with GPG key
2018-09-04joedoe47 (D7D9DC93B1538725)a73332fallow for proper encryption with GPG key
2018-09-04joedoe47 (D7D9DC93B1538725)f3e1bddchanging readme and git clone url
2018-09-04joedoe47 (D7D9DC93B1538725)9332a32self auditing.

File Tree

  • TODO
  • gpass




This isn't a fork of the pass app. I just got an idea to use/make something similar to pass thats easier and a bit more flexible for me to use.

it is a wrapper for gpg and uses (pgp)[] to encrypt data and it defaults to AES256 and uses sha512 to verify the file.

You will want to try this if:

Pass already exists but this is something I thought would be cool to make anyways.

This leaks less metadata because its a script that uses GPG to store multiple passwords into a file in CSV format. Where as pass will store 1 password per file and you organize these passwords using folders. Thus allowing an adversary to know that you have an account on a specific site, eg. 'facebook'. However with gpass I could have a file called "social-media.gpg" and I may or may not have my facebook accounts there.

Please do not misunderstand, pass isn't insecure or flawed in anyway; both pass and gpass, at worst case scenario an attacker knows how big an encrypted file is, what might be inside based on the name, and when it changed but not necessarily what changed. Both also use GPG.

I made gpass to lessen the amount of data an adversary can get from the name of a file (via security through obscurity), the ability to use a password or a GPG ID, and 2 other forms of password generation.

The main difference with gpass is that with gpass, you have 1 file with multiple passwords. An adversary would have a harder time figuring out what passwords are in file "X.gpg", should they somehow grab a hold of your LUKS drive or see your git server.

Naturally the larger a password file the slower sed is to find/add/delete data but you would probably need around a 900,000 passwords on a raspberry pi 3 to really notice slow downs but performance will vary depending on your hardware and what its doing.

This can be as secure or as relaxed as you want it, depending on how you use it!

How to try/install


To try:

$ bash /path/to/gpass [arguments]

if you want something more permanent you can just use an alias:

$ cd gpass && echo "alias gpass=\"$(pwd)/gpass\"" >> "$HOME/.bashrc"

every so often just do "git pull" in this directory every so often to make sure it stays up to date.


There are some configuration options that can be set via evnironment variables to tweak how gpass operates. you can add these variables to your .bashrc or .profile to properly make gpass work to your liking.

Backwards compatibility

I have tested gpass in a few environments. Debian, Fedora, Archlinux, Termux (no proot). Because these are the linux and linux-like environments I use the most. So rest assured it will work on linux mint, windows new ubuntu bash, and any operating system so long as it has gpg, bash, and coreutils.

I hate this program!

Since the program uses a simple CSV standard and uses gpg, you can switch to any alternate method of managing your passwords if you think this program isn't for you. (using a terminal only method for passwords can be an issue, I've tried to get my freinds to use this to no avail)

I hate the concept of being locked down so CSV seemed like a good choice. There are a ton of converters from CSV to keepass, lastpass, 1pass, pass, etc.

Suggested Security Practices

Updated Wed 10 Jun 2020 09:25:50 PM UTC. Back to top

© 2017-2018 Git · Privacy