Skip to content

Latest commit

 

History

History
68 lines (37 loc) · 4.31 KB

faq.md

File metadata and controls

68 lines (37 loc) · 4.31 KB

FAQ

How does gopass relate to HashiCorp vault?

While Vault is for machines, gopass is for humans #7

gopass show secret displays Error: Failed to decrypt

This issue may happen if your GPG setup is broken. On MacOS try brew link --overwrite gnupg. You also may need to set export GPG_TTY=$(tty) in your .bashrc #208, #209

gopass recipients add fails with Warning: No matching valid key found

If the key you're trying to add is already in your keyring you may need to trust it. If this is your key run gpg --edit-key [KEYID]; trust (set to ultimate); quit, if this is not your key run gpg --edit-key [KEYID]; lsign; save; quit

How can gopass handle binary data?

gopass is designed not to change the content of the secrets in any way except that it will add a final newline at the end of the secret if it does not have one already and the output is going to a terminal. This means that the output may mess up your terminal if it's not only text. In this case you should either encode the secret to text (e.g. base64) before inserting or use the special gopass binary sub-command that does that for you.

Why does gopass delete my whole KDE klipper history?

KDEs klipper provides a clipboard history for your convenience. Since we currently can't figure out which entry may contain a secret copied to the clipboard, we just clear the whole history once the clipboard timer expires.

Can I use gopass as an token helper for Vault?

Yes, there is a repo that provides the necessary scripts and instructions.

Does gopass support re-encryption?

Adding or removing recipients with gopass recipients add or gopass recipients remove will automatically re-encrypt all affected secrets. Further, gopass fsck checks for missing recipients and reencrypts the secret if necessary.

gopass can automatically import missing recipient keys, but can it export them as well?

When adding a recipient with gopass recipients add, their public key will automatically be exported to the store .gpg-keys/<ID>.

Can gopass be used with Terraform?

Yes, there is a gopass-based Terraform provider available.

How can I fix "gpg: decryption failed: No secret key" errors?

Set the auto-expand-secmem option in your gpg-agent.conf, if your version of GnuPG supports it.

I'm getting Path too long for Unix domain socket errors, usually on MacOS.

This can be fixed by setting export TMPDIR=/tmp (or any other suiteable location with a path shorter than 80 characters).

Empty secret?

Old version of gpg may fail to decode message encrypted with newer version without any message. The encrypted secret in such case is just empty and gopass will warn you about this. One case of such behaviour we have seen so far is when the encryption key generated with gpg version 2.3.x encrypt a password that is then decrypted on gpg version 2.2.x (default on Ubuntu 18.04). In this particular case old gpg does not understand AEAD encryption extension, and it fails without any error. If it is your case then follw the instructions in listed in #2283.

Expired recipients

gopass will refuse to add new recipients when any invalid (e.g. expired) recipients are present in a password store. In such cases manual intervention is required. Expired keys can either be removed or extended. Unknown keys that can not be automatically imported need to be obtained and manually imported first. These are restrictions from the underlying crypto implementation (GPG) and we can not easily work around these.

API Stability

gopass is provided as an CLI program, not as a library. While we try to make the packages usable as libraries we make no guarantees whatsoever with respect to the API stability. The gopass version only reflects changes in the CLI commands.

If you use gopass as a library, be sure to vendor it, and expect breaking changes.

Further Reading