GPG secured passwords in git using pass

It might happen that for your working environment you need to store passwords securely. Nowadays many people are using ‘cloud’ solutions – but as you well know, the cloud is nothing other than ‘someone else’s computer’ 😉. That said, this limits the options you have available. As this is a point of preference I will try not to get into a discussion of ‘the best solution’ but will just show you what I have been using and what I really liked a lot.

The solution is called pass and is available at https://www.passwordstore.org/

So let’s go ahead and install this on our machine – the installation steps are nicely outlined on the product page, so here I will just focus on CentOS:

sudo yum install pass

As you might have seen from the documentation you will need your GPG key(s) – for this demo I have created a dummy one:

[[email protected] ~]# gpg --list-keys
pub   2048R/5CBDFF98 2016-10-30
uid                  RafPe <[email protected]>
sub   2048R/B3B34661 2016-10-30

[[email protected] ~]#


Let’s go ahead and initialise our pass with the GPG key I have created:

[[email protected] ~]# pass init 5CBDFF98
mkdir: created directory ‘/root/.password-store/’
Password store initialized for 5CBDFF98


Once the above is completed we can start adding passwords to our safe – simply by issuing:

[[email protected] ~]# pass insert Business/serviceA/systemA
mkdir: created directory ‘/root/.password-store/Business’
mkdir: created directory ‘/root/.password-store/Business/serviceA’


Listing passwords then becomes really intuitive:

[[email protected] ~]# pass ls
Password Store
└── Business
    └── serviceA
        ├── systemA
        └── systemB


To retrieve a password we just call pass with its path in the tree:

[[email protected] ~]# pass Business/serviceA/systemA

We will then be asked for our GPG key passphrase in order to decrypt it.



Now we would like to make our password safe more reliable by using Git to store our secrets. I’m using Gogs (Go Git Service), which is a lightweight option.

By issuing the following commands we get pass to store our secrets in git:


# Initialize 
[[email protected] ~]# pass git init

Add the remote repository (here you would need to adjust the remote URL to match your setup – I’m using a local docker instance)

[[email protected] ~]# pass git remote add origin

Push all changes to the remote

[[email protected] ~]# pass git push -u --all
Username for '': rafpe
Password for 'http://[email protected]:10080':
Counting objects: 7, done.
Compressing objects: 100% (5/5), done.
Writing objects: 100% (7/7), 1.05 KiB | 0 bytes/s, done.
Total 7 (delta 0), reused 0 (delta 0)
 * [new branch]      master -> master
Branch master set up to track remote branch master from origin.
[[email protected] ~]#


Once that’s done we can take a peek at our repo, which now holds the encrypted passwords for our specified items.
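Before pushing it is worth confirming that everything in the store really is ciphertext: pass encrypts the contents of each entry, but the directory and file names (Business/serviceA/systemA) are plain text in git, and any file dropped into ~/.password-store by hand would be pushed as-is. The following POSIX sh script is an added example, not part of the original post or of pass itself. It takes the store path as an argument, treats a .gpg file as ciphertext if it is ASCII-armored or has the OpenPGP packet marker bit set in its first byte, and flags everything else; the sample store it builds is constructed data with no real secrets, so no gpg is needed to run it.

```shell
#!/bin/sh
# Added example (not part of the original post or of pass itself): a sanity
# check to run before "pass git push", verifying that everything git would
# ship to the remote is GPG ciphertext and not plaintext.
#
# Rules, per regular file in the store (the .git directory is skipped):
#   - .gpg-id and .gitattributes are expected plaintext metadata
#   - any other file not ending in .gpg is a stray file pushed in clear
#   - a *.gpg file must look like an OpenPGP message: either ASCII-armored
#     ("-----BEGIN PGP MESSAGE-----") or binary with the packet marker bit
#     (0x80) set in its first byte (RFC 4880, section 4.2)

# Hex value of the first byte of a file ("" for an empty file).
first_byte_hex() {
    od -An -tx1 -N1 "$1" | tr -d ' \n' | tr 'A-F' 'a-f'
}

# Succeeds if the file plausibly is OpenPGP output, fails otherwise.
looks_like_pgp() {
    b=$(first_byte_hex "$1")
    case "$b" in
        "")  return 1 ;;                                        # empty file
        2d)  head -n 1 "$1" | grep -q '^-----BEGIN PGP MESSAGE-----$' ;;  # '-': armored?
        8?|9?|a?|b?|c?|d?|e?|f?) return 0 ;;                    # binary OpenPGP packet header
        *)   return 1 ;;                                        # printable ASCII etc.: plaintext
    esac
}

# Prints one line per finding; prints nothing for a clean store.
check_store() {
    store=${1%/}
    find "$store" -path "$store/.git" -prune -o -type f -print |
    while IFS= read -r f; do
        rel=${f#"$store"/}
        case "$rel" in
            .gpg-id|.gitattributes|*/.gpg-id|*/.gitattributes) ;;
            *.gpg) looks_like_pgp "$f" || echo "NOT ENCRYPTED: $rel" ;;
            *)     echo "STRAY FILE (would be pushed in clear): $rel" ;;
        esac
    done
}

# Returns 0 for a clean store, 1 (after printing the findings) otherwise.
store_is_clean() {
    findings=$(check_store "$1")
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Builds a constructed sample store in a temp directory (no real secrets, no
# gpg needed) and prints its path: two good entries, one plaintext mistake,
# one stray note, plus the metadata files and a .git directory to be skipped.
make_demo_store() {
    d=$(mktemp -d)
    mkdir -p "$d/Business/serviceA" "$d/.git"
    echo 5CBDFF98 > "$d/.gpg-id"
    echo '[core]' > "$d/.git/config"
    # 0x85 = old-format OpenPGP header, tag 1 (public-key encrypted session key)
    printf '\205\001\014\003' > "$d/Business/serviceA/systemA.gpg"
    printf '%s\n' '-----BEGIN PGP MESSAGE-----' '' 'constructed-armored-body' \
        '-----END PGP MESSAGE-----' > "$d/Business/serviceA/systemB.gpg"
    printf 'hunter2\n' > "$d/Business/serviceA/systemC.gpg"   # saved unencrypted by mistake
    printf 'rotate quarterly\n' > "$d/Business/notes.txt"      # stray plaintext note
    printf '%s\n' "$d"
}

# Usage when run directly: sh check_store.sh /path/to/.password-store
if [ $# -eq 1 ]; then
    store_is_clean "$1" && echo "store looks clean: $1"
fi
```

Run it against your own store with `sh check_store.sh ~/.password-store` before `pass git push`; a non-zero exit means something in the tree would reach the remote unencrypted. The first-byte test is deliberately coarse (it only tells plaintext from something shaped like an OpenPGP packet), but it needs no gpg and catches the common mistake of editing an entry in place with a text editor. Note that it says nothing about the file names themselves, which stay readable to anyone with access to the repository.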




From now on whenever I make changes I can just push them to Git and I have everything under control! The documentation has a lot to offer, so be sure to check it out – more details at https://git.zx2c4.com/password-store/about/


I personally think the product is good – especially in environments where you should not store passwords in the ‘cloud’ due to security constraints that may apply.

