Introduction
gopass extends the UNIX pass password manager with team collaboration, multiple backends, and a more robust CLI. It stores secrets as GPG-encrypted files in Git repositories, enabling version-controlled, auditable secret management.
What gopass Does
- Stores secrets as GPG-encrypted files organized in a directory hierarchy
- Syncs password stores via Git for team sharing and version history
- Supports multiple mount points to separate personal and team stores
- Generates random passwords with configurable length and character sets
- Integrates with browsers via the gopass-bridge extension
Architecture Overview
gopass encrypts each secret with one or more GPG public keys and stores the ciphertext in a Git repository. Multiple stores can be mounted under a unified namespace. The tool supports age as an alternative to GPG for encryption. Recipients are managed per subtree, allowing granular access control within a shared store.
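As an added example (not code from the gopass project), the following Python script audits per-subtree access by resolving which recipients are declared for each secret in a store. It assumes the pass-style on-disk layout for the GPG backend, in which a `.gpg-id` file lists the recipients for its directory and everything beneath it and the nearest file wins; the store contents and key IDs are constructed.

```python
import tempfile
from collections import defaultdict
from pathlib import Path

ID_FILE = ".gpg-id"  # assumption: pass-style recipient file, one key ID per line

def read_ids(path):
    """Return the recipient IDs in an id file, skipping blank lines."""
    return sorted({l.strip() for l in path.read_text().splitlines() if l.strip()})

def effective_recipients(store, secret):
    """Walk up from the secret to the store root; the nearest id file wins."""
    store, d = store.resolve(), secret.resolve().parent
    while True:
        if (d / ID_FILE).is_file():
            return read_ids(d / ID_FILE)
        if d == store or d == d.parent:  # reached the root without a match
            return []
        d = d.parent

def audit(store):
    """Return ({recipient: [secrets]}, [secrets with no governing id file])."""
    store, access, orphans = Path(store), defaultdict(list), []
    for secret in sorted(store.rglob("*.gpg")):
        rel = secret.relative_to(store)
        if ".git" in rel.parts:  # skip anything inside the Git metadata directory
            continue
        name = rel.with_suffix("").as_posix()
        ids = effective_recipients(store, secret)
        if not ids:
            orphans.append(name)
        for rid in ids:
            access[rid].append(name)
    return dict(access), orphans

def demo():
    """Audit a constructed sample store: team-wide root, narrower prod subtree."""
    files = {
        ".gpg-id": "alice@example.org\nbob@example.org\n",
        "prod/.gpg-id": "alice@example.org\n",
        "wiki/login.gpg": "", "prod/db/root.gpg": "", "prod/api-key.gpg": "",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for rel, body in files.items():
            p = Path(tmp, rel)
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_text(body)
        return audit(tmp)

if __name__ == "__main__":
    access, orphans = demo()
    for rid, names in sorted(access.items()):
        print(f"{rid}: {', '.join(names)}")
    print("no recipient file:", orphans or "none")
```

The result reflects declared recipients only; confirming that each ciphertext is actually encrypted to exactly those keys requires inspecting the files with GPG.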
Self-Hosting & Configuration
- Install via Homebrew, system packages, or from source with go install
- Initialize with gopass init to create a store linked to your GPG key
- Add team members with gopass recipients add <GPG-ID>
- Mount additional stores with gopass mounts add team /path/to/repo
- Configure the age backend as a lighter alternative to GPG
Key Features
- Multiple encryption backends: GPG and age
- Git-based sync with automatic push and pull
- Per-subtree recipient management for fine-grained access control
- REPL mode for interactive secret browsing
- YAML and key-value structured secret support
Comparison with Similar Tools
- pass — the original UNIX password manager; gopass adds team features, mounts, and age support
- Bitwarden/Vaultwarden — server-based; gopass is fully decentralized via Git
- HashiCorp Vault — enterprise secret management; gopass is a lightweight developer-focused alternative
- 1Password CLI — commercial; gopass is open source with no subscription
FAQ
Q: Can gopass replace pass?
A: Yes. gopass is backwards-compatible with pass and can use existing pass stores.
Q: How does team sharing work?
A: Secrets are encrypted for multiple GPG keys. Adding a recipient re-encrypts all secrets they should access.
Q: Does gopass support 2FA/TOTP?
A: Yes. Store TOTP secrets and retrieve codes with gopass otp.
Q: What platforms does gopass support?
A: Linux, macOS, and Windows. Browser extensions work with Chrome and Firefox.