While Vault is for machines, gopass is for humans #7
This issue may happen if your GPG setup is broken. On macOS try `brew link --overwrite gnupg`. You may also need to set `export GPG_TTY=$(tty)` in your `.bashrc` so that gpg-agent and pinentry can find your terminal.
#208, #209
If the key you're trying to add is already in your keyring you may need to trust it. If this is your own key, run `gpg --edit-key [KEYID]`, then `trust` (select ultimate) and `quit`. If it is not your key, run `gpg --edit-key [KEYID]`, then `lsign` and `save` (which writes the local signature and leaves the editor).
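The same two fixes in a scriptable form, as an added example that is not part of the gopass project or this FAQ: ownertrust for your own key is set with `gpg --import-ownertrust` (level 6 is the "ultimate" that the interactive `trust` menu selects), and a local, non-exportable signature on someone else's key is made with `gpg --quick-lsign-key`. Both commands want the full 40-hex-digit fingerprint rather than a short key ID, so the script normalizes and validates it first. The function names and the `own`/`other` argument handling are this example's own, not gopass or GnuPG conventions.

```shell
#!/bin/sh
# Added example (not gopass project code): non-interactive equivalents of the
# "gpg --edit-key ... trust / lsign" steps from the FAQ answer above.
set -eu

# normalize_fpr: strip spaces and a leading 0x, upper-case, and require 40 hex
# digits (a v4 fingerprint). Prints the normalized fingerprint, returns 1 if malformed.
# Short key IDs are rejected on purpose: --import-ownertrust keys on fingerprints.
normalize_fpr() {
  fpr=$(printf '%s' "$1" | tr -d ' ' | sed 's/^0[xX]//' | tr 'a-f' 'A-F')
  case "$fpr" in
    ''|*[!0-9A-F]*) return 1 ;;
  esac
  [ "${#fpr}" -eq 40 ] || return 1
  printf '%s\n' "$fpr"
}

# ownertrust_line: the record --import-ownertrust expects, "<FPR>:<level>:".
# Level 6 is "ultimate", i.e. what "trust" -> "5 = I trust ultimately" sets
# in the interactive editor.
ownertrust_line() {
  fpr=$(normalize_fpr "$1") || return 1
  printf '%s:6:\n' "$fpr"
}

# trust_own_key: mark a key in your keyring as ultimately trusted (your own key).
trust_own_key() {
  ownertrust_line "$1" | gpg --import-ownertrust
}

# lsign_key: local-sign somebody else's key (not exported with the key), which
# is what "lsign; save" does interactively. --quick-lsign-key needs no prompts.
lsign_key() {
  fpr=$(normalize_fpr "$1") || return 1
  gpg --quick-lsign-key "$fpr"
}

# Usage:  sh trust-key.sh own   <FINGERPRINT>    # your key
#         sh trust-key.sh other <FINGERPRINT>    # a recipient's key
case "${1:-}" in
  own)   trust_own_key "$2" ;;
  other) lsign_key "$2" ;;
esac
```

After changing ownertrust, `gpg --check-trustdb` rebuilds the trust database immediately instead of waiting for the next scheduled check; `gopass recipients add` should then accept the key.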
gopass is designed not to change the content of a secret in any way, except that it appends a final newline when the secret lacks one and the output is going to a terminal. This means that displaying a secret that is not plain text may mess up your terminal. In that case either encode the secret as text (e.g. base64) before inserting it, or use the `gopass binary` sub-command, which does that for you.
KDE's Klipper provides a clipboard history for your convenience. Since we currently can't tell which history entry holds a secret copied to the clipboard, we clear the whole history once the clipboard timer expires.
Yes, there is a repo that provides the necessary scripts and instructions.
Adding or removing recipients with `gopass recipients add` or `gopass recipients remove` will automatically re-encrypt all affected secrets. Further, `gopass fsck` checks for missing recipients and re-encrypts the secret if necessary. When adding a recipient with `gopass recipients add`, their public key will automatically be exported to the store under `.gpg-keys/<ID>`.
Yes, there is a gopass-based Terraform provider available.
Set the `auto-expand-secmem` option in your `gpg-agent.conf`, if your version of GnuPG supports it.
This can be fixed by setting `export TMPDIR=/tmp` (or any other suitable location with a path shorter than 80 characters).
Old versions of `gpg` may fail to decode a message encrypted by a newer version without printing any error. In that case the decrypted secret is simply empty, and gopass will warn you about this. One instance we have seen so far: a key generated with `gpg` 2.3.x encrypts a password that is then decrypted with `gpg` 2.2.x (the default on Ubuntu 18.04). Here the old `gpg` does not understand the AEAD encryption extension and fails silently. If this is your case, follow the instructions in #2283.
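Because the failure is silent, it helps to know which secrets are affected before they are pulled on an older machine. The script below is an added example, not gopass project code: it runs `gpg --list-packets` on each `.gpg` file in a store (on a host whose GnuPG is new enough to parse the packet, i.e. 2.3+) and reports the files whose outer packet is the AEAD encrypted data packet (tag 20 in the rfc4880bis draft GnuPG 2.3 implements) rather than the classic SEIP/MDC packet (tag 18). The default store path is an assumption about gopass's Linux layout; pass your own path instead. The two sample listings are constructed in the shape `gpg --list-packets` prints, not captured from a real store.

```shell
#!/bin/sh
# Added example (not gopass project code): find AEAD-encrypted secrets that
# GnuPG 2.2.x would decrypt to an empty string. Run with a GnuPG >= 2.3.
set -eu

# Constructed sample listings (not real store output), in the format that
# "gpg --list-packets" prints: a public-key-encrypted session key packet
# followed by the encrypted data packet. ctb=d4 is tag 20 (AEAD), d2 is tag 18.
SAMPLE_AEAD_LISTING='# off=0 ctb=85 tag=1 hlen=3 plen=268
:pubkey enc packet: version 3, algo 1, keyid 0123456789ABCDEF
        data: [2047 bits]
# off=271 ctb=d4 tag=20 hlen=2 plen=93 new-ctb
:aead encrypted packet: cipher=9 aead=2 cb=16
        length: 93'

SAMPLE_MDC_LISTING='# off=0 ctb=85 tag=1 hlen=3 plen=268
:pubkey enc packet: version 3, algo 1, keyid 0123456789ABCDEF
        data: [2047 bits]
# off=271 ctb=d2 tag=18 hlen=2 plen=93 new-ctb
:encrypted data packet:
        length: 93
        mdc_method: 2'

# classify_encryption: read a packet listing on stdin and print one word:
#   aead - AEAD encrypted data packet (tag 20); GnuPG 2.2.x cannot read it
#   mdc  - classic SEIP/MDC packet (tag 18); readable by old and new gpg
#   none - no encrypted data packet seen (not an OpenPGP message, or parse failure)
classify_encryption() {
  listing=$(cat)
  case "$listing" in
    *':aead encrypted packet:'*) echo aead ;;
    *':encrypted data packet:'*) echo mdc ;;
    *)                           echo none ;;
  esac
}

# list_packets: dump the outer packet structure of one .gpg file. --batch
# suppresses the passphrase prompt; gpg prints the packet headers before it
# complains that it could not decrypt, and that complaint (stderr) is dropped.
list_packets() {
  gpg --batch --list-packets "$1" 2>/dev/null || true
}

# aead_secrets: print every .gpg file under the store whose outer packet is AEAD.
aead_secrets() {
  store=${1:-"$HOME/.local/share/gopass/stores/root"}   # assumed default path
  find "$store" -type f -name '*.gpg' | while read -r f; do
    if [ "$(list_packets "$f" | classify_encryption)" = aead ]; then
      printf '%s\n' "$f"
    fi
  done
}

# Usage: sh aead-check.sh [STORE_DIR]   -> lists affected files, exit 1 if any
if [ "$#" -gt 0 ]; then
  bad=$(aead_secrets "$1")
  if [ -n "$bad" ]; then
    printf '%s\n' "$bad"
    exit 1
  fi
fi
```

Run it from the machine that does the encrypting; a non-empty list means those secrets will read back empty on a 2.2.x host until they are re-encrypted per #2283.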
gopass will refuse to add new recipients when any invalid (e.g. expired) recipients are present in a password store. In such cases manual intervention is required. Expired keys can either be removed or extended. Unknown keys that cannot be imported automatically need to be obtained and imported manually first. These are restrictions of the underlying crypto implementation (GPG) and we cannot easily work around them.
gopass is provided as a CLI program, not as a library. While we try to make the packages usable as libraries, we make no guarantees whatsoever with respect to API stability. The gopass version only reflects changes in the CLI commands. If you use gopass as a library, be sure to vendor it, and expect breaking changes.
- GPGTools for MacOS
- GitHub Help on GPG
- Git - the simple guide