chezmoi includes support for pass, the standard Unix password manager, using the pass CLI.
Setup
Install pass
Initialize pass
If you haven’t set up pass yet:
# Initialize with your GPG key
pass init your-gpg-id@example.com
# Or initialize with a specific GPG key ID
pass init 0x1234567890ABCDEF
Add Passwords
# Add a password
pass insert github/token
# Generate a random password
pass generate aws/secret-key 32
# Add multiline data
pass insert -m ssh/private-key
Template Functions
pass
Get the first line from a password entry:
{{ pass "github/token" }}
This runs pass show github/token and returns the first line.
passFields
Get structured data from a password entry with key-value pairs:
{{ (passFields "aws/credentials").access_key_id }}
This runs pass show aws/credentials and parses each line of the output as a colon-separated key: value pair, returning the result as a map.
passRaw
Get the complete raw output from a password entry:
{{ passRaw "ssh/private-key" }}
Useful for multiline data like SSH keys or certificates.
Usage Examples
Simple Passwords
# ~/.config/gh/config.yml.tmpl
github_token: {{ pass "github/token" }}
Git Configuration
[user]
    name = John Doe
    email = {{ pass "git/email" }}
    signingkey = {{ pass "git/signing-key" }}
[github]
    user = {{ pass "github/username" }}
[credential]
    helper = store
SSH Private Keys
Store SSH keys in pass:
# Add SSH key to pass
pass insert -m ssh/id_rsa < ~/.ssh/id_rsa
Use in templates:
{{ passRaw "ssh/id_rsa" }}
Structured Data with passFields
Store data as key-value pairs in pass:
pass insert -m aws/credentials
# Then enter:
access_key_id: AKIAIOSFODNN7EXAMPLE
secret_access_key: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
region: us-east-1
Access in templates:
[default]
aws_access_key_id = {{ (passFields "aws/credentials").access_key_id }}
aws_secret_access_key = {{ (passFields "aws/credentials").secret_access_key }}
region = {{ (passFields "aws/credentials").region }}
Database Credentials
# Production database
pass insert -m db/production
# Enter:
host: db.example.com
port: 5432
username: app_user
password: super_secret_password
database: production_db
Multiple API Keys
~/.config/api-keys.env.tmpl
# Cloud Services
AWS_ACCESS_KEY_ID={{ pass "aws/access-key-id" }}
AWS_SECRET_ACCESS_KEY={{ pass "aws/secret-access-key" }}
DIGITALOCEAN_TOKEN={{ pass "digitalocean/token" }}
# Development Tools
GITHUB_TOKEN={{ pass "github/token" }}
GITLAB_TOKEN={{ pass "gitlab/token" }}
OPENAI_API_KEY={{ pass "openai/api-key" }}
# Payment Services
STRIPE_SECRET_KEY={{ pass "stripe/secret-key" }}
STRIPE_PUBLISHABLE_KEY={{ pass "stripe/publishable-key" }}
Docker Registry Credentials
# Store Docker Hub credentials
pass insert docker/username
pass insert docker/password
~/.docker/config.json.tmpl
{
  "auths": {
    "https://index.docker.io/v1/": {
      "auth": "{{ printf "%s:%s" (pass "docker/username") (pass "docker/password") | b64enc }}"
    }
  }
}
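The following Go program is an added example, not chezmoi's own code: it models the three template functions over constructed pass show output (the store map is hypothetical data) to show how pass takes only the first line, how passFields splits "key: value" lines into a map, and how the Docker auth template above is rendered through b64enc. Registering the functions as Go text/template FuncMap entries mirrors how chezmoi exposes them to .tmpl files.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"strings"
	"text/template"
)

// Constructed `pass show` output (hypothetical data); chezmoi's real functions run the pass CLI.
var store = map[string]string{
	"docker/username": "alice\n",
	"docker/password": "s3cr3t-docker-pw\nurl: https://hub.docker.com\n",
	"aws/credentials": "access_key_id: AKIAIOSFODNN7EXAMPLE\nregion: us-east-1\n",
}

// passShow models `pass show` and passRaw; a missing entry errors instead of rendering as "".
func passShow(name string) (string, error) {
	if out, ok := store[name]; ok {
		return out, nil
	}
	return "", fmt.Errorf("pass show %s: entry not found", name)
}
// passFirstLine models `pass`: only the first line (the password) is returned.
func passFirstLine(name string) (string, error) {
	out, err := passShow(name)
	first, _, _ := strings.Cut(out, "\n")
	return first, err
}
// passFields models `passFields`: each "key: value" line becomes a map entry;
// lines without a colon, such as a bare password, are skipped.
func passFields(name string) (map[string]string, error) {
	out, err := passShow(name)
	fields := map[string]string{}
	for _, line := range strings.Split(out, "\n") {
		if k, v, ok := strings.Cut(line, ":"); ok {
			fields[strings.TrimSpace(k)] = strings.TrimSpace(v)
		}
	}
	return fields, err
}
func b64enc(s string) string { return base64.StdEncoding.EncodeToString([]byte(s)) }
// render executes a chezmoi-style template with the pass functions registered.
func render(src string) (string, error) {
	t := template.Must(template.New("t").Funcs(template.FuncMap{"pass": passFirstLine,
		"passFields": passFields, "passRaw": passShow, "b64enc": b64enc}).Parse(src))
	var sb strings.Builder
	err := t.Execute(&sb, nil)
	return sb.String(), err
}
```

Because the functions return an error as their second value, a misspelled entry name fails the whole template run rather than writing an empty credential into the target file.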
Kubernetes Config
apiVersion: v1
kind: Config
clusters:
- cluster:
    server: {{ pass "kubernetes/server" }}
    certificate-authority-data: {{ passRaw "kubernetes/ca-cert" | b64enc }}
  name: production
contexts:
- context:
    cluster: production
    user: admin
  name: production
current-context: production
users:
- name: admin
  user:
    client-certificate-data: {{ passRaw "kubernetes/client-cert" | b64enc }}
    client-key-data: {{ passRaw "kubernetes/client-key" | b64enc }}
Configuration
Custom Command
If pass is not in your PATH:
~/.config/chezmoi/chezmoi.toml
[pass]
command = "/custom/path/to/pass"
Custom Password Store Location
By default, pass uses ~/.password-store. To use a different location:
export PASSWORD_STORE_DIR="$HOME/.my-passwords"
Or add to your shell profile:
export PASSWORD_STORE_DIR="$HOME/.my-passwords"
Organizing Your Password Store
Use a hierarchical structure:
~/.password-store/
├── personal/
│   ├── email/
│   │   └── gmail
│   ├── github/
│   │   ├── token
│   │   └── username
│   └── ssh/
│       └── id_rsa
├── work/
│   ├── aws/
│   │   └── credentials
│   ├── github/
│   │   └── token
│   └── vpn/
│       └── password
└── shared/
    └── wifi/
        └── home
Access with:
{{ pass "personal/github/token" }}
{{ pass "work/aws/credentials" }}
Advanced Usage
Using pass with Git
pass can sync with git:
# Initialize git in password store
pass git init
# Add a remote
pass git remote add origin git@github.com:username/passwords.git
# Push passwords
pass git push -u origin master
Team Password Sharing
Initialize pass for multiple GPG keys:
pass init key1@example.com key2@example.com
Everyone with these keys can decrypt the passwords.
Generating Passwords
# Generate a 32-character password
pass generate github/token 32
# Generate without symbols
pass generate -n aws/secret-key 40
Editing Passwords
# Edit a password entry
pass edit github/token
# View a password
pass show github/token
Complete Examples
Multi-Service Configuration
~/.config/services.yml.tmpl
github:
  username: {{ pass "github/username" }}
  token: {{ pass "github/token" }}
  email: {{ pass "github/email" }}
aws:
  access_key_id: {{ (passFields "aws/credentials").access_key_id }}
  secret_access_key: {{ (passFields "aws/credentials").secret_access_key }}
  region: {{ (passFields "aws/credentials").region }}
database:
  host: {{ (passFields "database/production").host }}
  port: {{ (passFields "database/production").port }}
  username: {{ (passFields "database/production").username }}
  password: {{ (passFields "database/production").password }}
smtp:
  host: {{ (passFields "email/smtp").host }}
  port: {{ (passFields "email/smtp").port }}
  username: {{ (passFields "email/smtp").username }}
  password: {{ (passFields "email/smtp").password }}
Troubleshooting
GPG Key Not Found
Ensure your GPG key is available:
gpg --list-secret-keys
If not, import it:
gpg --import private-key.asc
Password Not Found
List all passwords:
pass ls
Or search:
pass find github
Command Not Found
Ensure pass is installed:
which pass
pass --version
Testing Templates
Test template functions:
chezmoi execute-template '{{ pass "test/password" }}'
GPG Agent Issues
If GPG prompts repeatedly for your password:
# Check GPG agent
gpg-connect-agent /bye
# Restart GPG agent
gpgconf --kill gpg-agent
gpgconf --launch gpg-agent
Best Practices
- Use hierarchy: Organize passwords in logical folders
- Use descriptive names: Make entry names clear and searchable
- Backup regularly: Keep encrypted backups of your password store
- Use git: Sync your password store across machines with git
- Set GPG key expiry: Use expiring GPG keys for better security
- Use passFields: Structure complex data as key-value pairs
- Test access: Verify passwords are accessible before using in templates
See Also