home / skills / openclaw / skills / pass
This skill helps you manage passwords with the pass CLI, including setup, generation, storage, and Git synchronization.
npx playbooks add skill openclaw/skills --skill passReview the files below or copy the command above to add this skill to your agents.
---
name: pass
description: >
Complete guide for using pass, the standard Unix password manager. Use this
skill whenever the user asks about pass, password-store, managing passwords
from the terminal, GPG-encrypted passwords, setting up pass for the first
time, inserting or generating passwords, syncing a password store with git,
using pass-otp for TOTP codes, importing passwords from another manager, or
any task involving the `pass` CLI. Trigger on phrases like "set up pass",
"add a password to pass", "sync my password store", "generate a password",
"pass git", "pass-otp", "pass-import", or any variation.
---
# pass — The Standard Unix Password Manager
Each password is a GPG-encrypted file under `~/.password-store/`. The store is
plain files in a folder hierarchy; no proprietary formats, no daemon.
---
## 1. Installation
### Linux
| Distro | Command |
|------------------|--------------------------------|
| Arch / Manjaro | `pacman -S pass` |
| Debian / Ubuntu | `apt install pass` |
| Fedora / RHEL | `dnf install pass` |
| openSUSE | `zypper in password-store` |
### macOS
```bash
brew install pass
```
---
## 2. GPG Key Setup
pass requires a GPG key. Skip this block if you already have one.
```bash
# Generate a new key (use RSA 4096 or ed25519)
gpg --full-generate-key
# List your keys — note the key ID or email
gpg --list-secret-keys --keyid-format LONG
```
The key ID looks like `3AA5C34371567BD2` or you can use the email you registered.
---
## 3. Initialise the Store
```bash
pass init "[email protected]"
# or using the key ID:
pass init 3AA5C34371567BD2
```
This creates `~/.password-store/` and a `.gpg-id` file.
Multiple GPG IDs are supported (for team use):
```bash
pass init [email protected] [email protected]
```
Use `-p` to scope a different GPG key to a subfolder (useful for shared stores):
```bash
pass init -p work/ [email protected]
```
Running `pass init` on an existing store re-encrypts all entries with the new key(s).
---
## 4. Data Organisation Convention
Store each entry as a **multiline file** with this structure:
```
<password>
url: https://example.com
username: [email protected]
notes: anything extra
```
- **First line is always the password.** `pass -c` and clipboard tools only
copy line 1.
- Use lowercase keys (`url:`, `username:`, `notes:`) for compatibility with
browser extensions and `pass-import`.
- Organise with folders that mirror context, not the URL structure:
```
~/.password-store/
├── email/
│ ├── gmail
│ └── fastmail
├── dev/
│ ├── github
│ └── npm
└── finance/
├── bank-hsbc
└── revolut
```
---
## 5. Daily Usage
### List the store
```bash
pass # full tree
pass email/ # subtree
pass ls email/ # explicit alias
```
### Find entries by name
```bash
pass find github # lists all entries whose path matches "github"
```
### Read a password
```bash
pass email/gmail # print all lines to stdout
pass -c email/gmail # copy line 1 to clipboard (clears after 45s)
pass -c2 email/gmail # copy line 2 (e.g. the username) to clipboard
```
### Search inside decrypted content
```bash
pass grep username # grep across all decrypted entries
pass grep -i "amazon" # case-insensitive; accepts any grep option
```
### Insert an existing password
```bash
pass insert email/gmail # prompted twice for confirmation
pass insert -e email/gmail # echo password as you type (single prompt)
pass insert -m email/gmail # multiline (recommended, ends with Ctrl-D)
pass insert -f email/gmail # overwrite without prompt
```
### Generate a new password
```bash
pass generate email/gmail # 25-char password (default length)
pass generate email/gmail 20 # custom length
pass generate -n email/gmail 20 # no symbols
pass generate -c email/gmail 20 # copy to clipboard instead of printing
pass generate -i email/gmail 20 # replace only line 1, keep rest of file
pass generate -f email/gmail 20 # overwrite without prompt
```
### Edit an entry
```bash
pass edit email/gmail # opens $EDITOR; creates entry if it doesn't exist
```
### Remove an entry
```bash
pass rm email/gmail
pass rm -r email/ # remove a folder recursively
pass rm -f email/gmail # no confirmation prompt
```
### Move / copy
```bash
pass mv email/gmail email/gmail-old
pass mv -f email/gmail email/gmail-old # overwrite without prompt
pass cp email/gmail backup/gmail
pass cp -f email/gmail backup/gmail # overwrite without prompt
```
---
## 6. Git Sync
Initialise git inside the store:
```bash
pass git init
pass git remote add origin [email protected]:you/pass-store.git
```
Every `pass insert`, `generate`, `edit`, `rm` automatically creates a git
commit. Push and pull manually:
```bash
pass git push
pass git pull
```
To clone the store on another machine:
```bash
# Import your GPG key first:
gpg --import private-key.asc
gpg --edit-key [email protected] # then: trust → 5 → quit
# Clone the store:
git clone [email protected]:you/pass-store.git ~/.password-store
```
---
## 7. Extensions
### pass-otp (TOTP / 2FA codes)
```bash
# Install
pacman -S pass-otp # Arch
brew install pass-otp # macOS
# Add a TOTP secret (use the otpauth:// URI from your provider)
pass otp insert totp/github
# paste: otpauth://totp/GitHub:[email protected]?secret=BASE32SECRET&issuer=GitHub
# Generate a code
pass otp totp/github
# Copy to clipboard
pass otp -c totp/github
```
### pass-import (migrate from another manager)
```bash
pip install pass-import # or: pacman -S pass-import
# Import from Bitwarden (JSON export)
pass import bitwarden bitwarden-export.json
# Import from 1Password (1PUX export)
pass import 1password export.1pux
# List all supported formats
pass import --list
```
### pass-update
```bash
# Install
git clone https://github.com/roddhjav/pass-update ~/.password-store/.extensions/update.bash
# Update a password interactively
pass update email/gmail
```
---
## 8. Shell Completion
```bash
# bash — add to ~/.bashrc
source /usr/share/bash-completion/completions/pass
# zsh — add to ~/.zshrc
autoload -U compinit && compinit
# fish — works out of the box after install
```
---
## 9. Useful Environment Variables
| Variable | Purpose |
|-----------------------------------|----------------------------------------------|
| `PASSWORD_STORE_DIR` | Override default `~/.password-store` |
| `PASSWORD_STORE_KEY` | Default GPG key ID |
| `PASSWORD_STORE_GIT` | Override git directory |
| `PASSWORD_STORE_CLIP_TIME` | Seconds before clipboard clears (default 45) |
| `PASSWORD_STORE_ENABLE_EXTENSIONS`| Set to `true` to enable user extensions |
| `EDITOR` | Editor used by `pass edit` |
---
## 10. Troubleshooting
**`gpg: decryption failed: No secret key`**
Your GPG key is not available. Import it with `gpg --import` and set trust.
**`gpg-agent` keeps asking for passphrase**
Add to `~/.gnupg/gpg-agent.conf`:
```
default-cache-ttl 3600
max-cache-ttl 14400
```
Then restart: `gpgconf --kill gpg-agent`
**Clipboard does not clear on Wayland**
Install `wl-clipboard` and set `PASSWORD_STORE_CLIP_TOOL=wl-copy` or pass `-c`
with `wl-clipboard` in PATH.
**pass git shows dirty tree after clone**
Run `pass git status`; if only `.gpg-id` is untracked, run `pass git add .`
and `pass git commit -m "add gpg-id"`.
This skill is a complete, practical guide for using pass—the standard Unix password manager. It covers installation, GPG key setup, initializing and organizing your password store, daily commands for creating/reading/updating entries, syncing with git, and useful extensions like pass-otp and pass-import. The content focuses on concrete commands, common workflows, and troubleshooting tips for terminal-centric password management.
pass stores each entry as a GPG-encrypted file under ~/.password-store/, where the first line is the password and subsequent lines hold url:, username:, notes:, etc. It performs file-level encryption with your GPG key, tracks changes with a built-in git wrapper, and supports extensions (TOTP, imports, updates). The skill explains how pass encrypts, organizes, and synchronizes entries and how to use clipboard and editor integrations safely.
What if I get 'gpg: decryption failed: No secret key'?
Import your private key with gpg --import private-key.asc, set trust via gpg --edit-key [email protected] and then trust → 5 → quit.
Clipboard does not clear on Wayland. How to fix it?
Install wl-clipboard and set PASSWORD_STORE_CLIP_TOOL=wl-copy or ensure wl-copy is in PATH before using pass -c.