While Vault is for machines, gopass is for humans #7
Yes, gopass is a drop-in replacement for pass. It has a similar command structure and is compatible with the pass storage format. However, gopass offers additional features like multiple stores, mounts, and structured secrets, while pass has a more flexible plugin system.
This issue may happen if your GPG setup is broken. On MacOS try brew link --overwrite gnupg. You also may need to set export GPG_TTY=$(tty) in your .bashrc #208, #209
If the key you're trying to add is already in your keyring you may need to trust it. If this is your key run gpg --edit-key [KEYID]; trust (set to ultimate); quit, if this is not your key run gpg --edit-key [KEYID]; lsign; save; quit
gopass is designed not to change the content of the secrets in any way except that it will add a final newline at the end of the secret if it does not have one already and the output is going to a terminal. This means that the output may mess up your terminal if it's not only text. In this case you should either encode the secret to text (e.g. base64) before inserting or use the special gopass binary sub-command that does that for you.
KDEs klipper provides a clipboard history for your convenience. Since we currently can't figure out which entry may contain a secret copied to the clipboard, we just clear the whole history once the clipboard timer expires.
Yes, there is a repo that provides the necessary scripts and instructions.
Adding or removing recipients with gopass recipients add or gopass recipients remove will automatically re-encrypt all affected secrets. Further, gopass fsck checks for missing recipients and reencrypts the secret if necessary.
When adding a recipient with gopass recipients add, their public key will automatically be exported to the store .public-keys/<ID>.
Yes, there is a gopass-based Terraform provider available.
Set the auto-expand-secmem option in your gpg-agent.conf, if your version of GnuPG supports it.
This can be fixed by setting export TMPDIR=/tmp (or any other suiteable location with a path shorter than 80 characters).
Old version of gpg may fail to decode message encrypted with newer version without any message. The encrypted secret in such case is just empty and gopass will warn you about this. One case of such behaviour we have seen so far is when the encryption key generated with gpg version 2.3.x encrypt a password that is then decrypted on gpg version 2.2.x (default on Ubuntu 18.04). In this particular case old gpg does not understand AEAD encryption extension, and it fails without any error. If it is your case then follw the instructions in listed in #2283.
gopass will refuse to add new recipients when any invalid (e.g. expired) recipients are present in a password store.
In such cases manual intervention is required. Expired keys can either be removed or extended. Unknown keys that
can not be automatically imported need to be obtained and manually imported first. These are restrictions from the underlying
crypto implementation (GPG) and we can not easily work around these.
This repository primarily delivers gopass as a command-line interface (CLI) tool. While the underlying Go packages might be importable, we explicitly state that semantic versioning applies solely to changes in the CLI. We offer no API stability guarantees for the Go packages within this repository, and breaking changes may occur without a major version bump of gopass itself.
If you choose to utilize gopass packages as libraries, it is strongly recommended to vendor them to mitigate potential integration issues arising from non-backward-compatible updates.
Should specific Go packages within this project prove valuable for independent use, we encourage you to request their extraction into separate repositories. In such dedicated repositories, we will adhere to strict semantic versioning principles, ensuring predictable API stability for those packages.
- GPGTools for MacOS
- GitHub Help on GPG
- Git - the simple guide