Nomaan Jamaluddin

November 9, 2025
Cryptography / Tech

A Better Way To Manage Passwords

by nonan23x

This post shows why pass fits the Unix way of solving problems: simple building blocks stitched together. I’ll cover setup, daily use, GUI helpers, Windows options, trade-offs, and ideas for extending it.

TL;DR

pass is a tiny shell tool that stores each credential as a .gpg file in ~/.password-store/, uses your GPG key for encryption, and Git for syncing/versioning. Great for people who prefer transparency, scriptability and control — less great if you want click-and-forget convenience

Did you know your Linux machine can double as a self-hosted password manager?

While the internet debates which password manager is the most secure, many Unix veterans have quietly trusted a tool called pass; a lightweight shell script that turns your filesystem into an encrypted vault, Git into a synchronization engine, and your GPG keys into the ultimate gatekeeper. It doesn’t need an account, a subscription, or a cloud backend; it just leverages the tools you already have

pass takes a refreshingly transparent approach to password management. Every credential is stored as its own .gpg-encrypted text file inside ~/.password-store/. Instead of hiding your data behind proprietary databases, it lets you see exactly how your secrets are stored; encrypted using your personal GPG key, version-controlled with Git, and organized in simple directories. You own the keys, the structure, and the workflow

This design perfectly reflects the Unix philosophy: do one thing well and compose small tools for greater power. It’s elegant in its simplicity, yet flexible enough to integrate into modern workflows whether through command-line automation, fuzzy search interfaces like fzf, or friendly GUIs such as QTPass, pass-menu, and rofi-pass.

In this write-up, we’ll look at how pass works under the hood, how to set it up on Linux and Windows (via WSL or Docker), and how you can tailor it to fit your own security workflow.

Quick Setup:

# install (example for Debian/Ubuntu)
sudo apt update
sudo apt install pass gnupg git

# create or import a GPG key (skip if you already have one)
gpg --full-generate-key

# initialize pass with your key id (replace KEYID)
pass init KEYID

# add a password
pass insert github
# view it
pass show github

Each entry is a plain text file encrypted with GPG (~/.password-store/service.gpg). You can include password, username, url, notes, anything. Because files are individual and human-readable when decrypted, you can script, grep (after decryption), or version diffs with Git

Syncing and backups

pass has Git baked in. Typical flow:

cd ~/.password-store
git init
git remote add origin git@github.com:you/password-store.git
pass git push

Encrypted files can be safely stored on Git hosts or cloud storage. You still control the private key.

GUI and UX options

If you want something friendlier than the terminal:

  • qtpass: a full GUI manager with Git integration.
  • pass-menu / rofi-pass: menu-based pickers for copying passwords.
  • pass + fzf: quick fuzzy selector in terminal scripts.
    You can build custom frontends with Python GUI frameworks or integrate pass into dashboards and automation pipelines.

Pros and cons

Pros

  • Full control over your data and keys.
  • Simple, auditable system (plain files + GPG).
  • Highly scriptable and extensible.

Cons

  • Requires basic familiarity with GPG, Git and the CLI.
  • Not as user-friendly for non-technical users or teams needing shared UI and easy onboarding.
  • Manual setup of sync/collaboration compared to commercial services.

Leave a Reply

Your email address will not be published. Required fields are marked *

You may also like