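1. What is pass
pass calls itself "The Standard Unix Password Manager" and is developed by Jason A. Donenfeld (zx2c4). It follows the classic Unix philosophy: do one thing and do it well.
The core design of pass is extremely simple: each password is a separate GPG-encrypted file whose name is the service name, and all files live under the ~/.password-store directory, forming a clear directory tree.
This means you can operate on the password store with any standard Unix tool: ls, grep, find, cp, mv and git all work. There is no proprietary database format and no complex GUI, only the security of GPG encryption and the flexibility of the file system.
2. Core architecture and design philosophy
The architecture of pass comes down to three keywords: GPG encryption, file-system storage, and Git version control.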
[Diagram: user layer (user input, pass CLI: pass insert/show) → encryption layer (GPG encrypt/decrypt, which depends on the GPG private key) → storage layer (.gpg files written to the file system at ~/.password-store, version-tracked by a Git repository, pushed to and pulled from a remote repository: GitHub/GitLab/self-hosted).]
2.1 Storage structure
The password store is essentially an ordinary directory:
[Diagram: the ~/.password-store directory contains .gpg-id (defines the encryption key, a GPG Key ID) and the subdirectories github/, work/ and bank/, which hold personal.gpg, work.gpg, printer.gpg, vpn.gpg and credit-card.gpg.]
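Each .gpg file is an independently encrypted text file: the first line is the password, and the following lines can hold metadata such as the username, URL and notes.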
3. Installation and initialization
3.1 Installation
pass is packaged by all major distributions:
```bash
# Debian/Ubuntu
sudo apt-get install pass
# Fedora
sudo dnf install pass
# macOS
brew install pass
# Arch Linux
sudo pacman -S pass
```
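3.2 Generating a GPG key
pass relies on GPG for encryption, so first generate or prepare a GPG key pair:
```bash
gpg --full-generate-key
# Choose "RSA and RSA", 4096 bits, then set your name, e-mail address and a strong passphrase
```
Show the key ID:
```bash
gpg --list-secret-keys --keyid-format=long
# sec   rsa4096/0D73297D7CB939CC 2024-01-01 [SC]
#               ^^^^^^^^^^^^^^^^ this is the Key ID
```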
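3.3 Initializing the password store
```bash
pass init "0D73297D7CB939CC"
# or by e-mail address/name
pass init "Your Name <you@example.com>"
```
This creates the ~/.password-store directory and writes a .gpg-id file into it, recording the identifier of the GPG key used for encryption.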
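4. Everyday use: CRUD operations
4.1 Adding a password
Enter it manually:
```bash
pass insert github/personal
# prompts for the password and a confirmation
```
Generate a strong password automatically:
```bash
pass generate github/work 20
# generates a 20-character random password containing letters, digits and symbols
```
Multi-line content (password + metadata):
```bash
pass insert -m bank/credit-card
# line 1: password
# line 2: card number
# line 3: CVV
# line 4: expiry date
```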
4.2 Reading a password
```bash
# print it directly
pass github/personal
# copy to the clipboard (cleared automatically after 45 seconds)
pass -c github/personal
# view multi-line content
pass show github/personal
```
4.3 Listing the password tree
```bash
pass
# or
pass ls
```
Sample output:
```
Password Store
├── bank
│   ├── credit-card
│   └── savings
├── github
│   ├── personal
│   └── work
└── work
    ├── printer
    └── vpn
```
4.4 Editing and deleting
```bash
# edit (decrypts to a temporary file automatically and re-encrypts on save)
pass edit github/personal
# delete
pass rm github/personal
# move/rename
pass mv github/personal github/main
```
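5. Git sync: a distributed password store
pass has native Git integration: every addition, deletion or modification is committed automatically, giving you version control and cross-device sync.
5.1 Enabling Git
```bash
cd ~/.password-store
pass git init
pass git remote add origin git@github.com:yourname/password-store.git
pass git push -u --all
```
5.2 Sync flow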
[Sequence diagram between device A, the Git remote and device B: on device A, pass insert work/new-pass triggers an automatic git commit and pass git push sends it to the remote; on device B, pass git pull fetches it and pass show work/new-pass decrypts it with GPG (private key required).]
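5.3 Security model for multi-device sync
Because the password files are already GPG-encrypted, an attacker cannot read the password contents even if the Git repository is public; all they can see is the directory structure (that is, which accounts you have). The recommendations are therefore:
- Use a private repository (a free private repository on GitHub/GitLab is enough)
- Avoid exposing sensitive information in path names (for example, use github/personal rather than github/alice@email.com)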
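What a reader of the remote can learn from names alone can be checked before pushing. The following is an added example, not part of the original article: a POSIX shell function that reads tracked paths (for instance the output of `pass git ls-files`) and flags entry names containing an e-mail address or a long digit run. The function names, the two patterns and the sample paths are assumptions constructed for illustration.

```bash
# Added example (not from the article): flag entry names that leak more than
# a service name. Everything a reader of the Git remote sees is a path, so
# the check works on paths only and never needs the GPG key.

# flag_leaky_paths: reads one tracked path per line on stdin and prints
# "reason<TAB>path" for each name matching an (assumed) sensitive pattern.
flag_leaky_paths() {
    while IFS= read -r p; do
        # .gpg-id files list recipients; they are not password entries
        case $p in .gpg-id|*/.gpg-id) continue ;; esac
        name=${p%.gpg}
        if printf '%s\n' "$name" |
            grep -Eq '[[:alnum:]._%+-]+@[[:alnum:].-]+\.[[:alpha:]]{2,}'; then
            printf 'email\t%s\n' "$p"
        elif printf '%s\n' "$name" | grep -Eq '[0-9]{8,}'; then
            # 8+ consecutive digits: likely an account, card or phone number
            printf 'long-number\t%s\n' "$p"
        fi
    done
}

# Constructed sample of tracked paths, shaped like the article's store.
sample_paths() {
    cat <<'EOF'
.gpg-id
github/personal.gpg
github/alice@email.com.gpg
bank/credit-card.gpg
bank/0000111122223333.gpg
work/.gpg-id
work/vpn.gpg
EOF
}

sample_paths | flag_leaky_paths
```

Entries that are flagged can be renamed with `pass mv`, but the old name stays visible in the Git history that has already been pushed.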
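6. Team collaboration: a shared password store
pass supports encrypting to multiple GPG keys, which makes it an ideal solution for sharing credentials in a small team.
6.1 Adding a team member
```bash
# Prerequisite: the new member's public key is already imported into your keyring (gpg --import)
# Edit .gpg-id and append the new member's public key ID
echo "teammate@company.com" >> ~/.password-store/work/.gpg-id
# Re-encrypt every password under that directory
pass init -p work $(cat ~/.password-store/work/.gpg-id)
```
6.2 Team architecture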
[Diagram: team password store (.password-store/) and member GPG keys. work/.gpg-id lists Alice, Bob and Charlie, so Alice's, Bob's and Charlie's private keys can each decrypt it; personal/.gpg-id lists Alice only, so only Alice's private key can decrypt it.]
Each subdirectory can have its own .gpg-id, which gives fine-grained access control.
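pass takes the recipients for an entry from the nearest .gpg-id at or above the entry's directory, which is what makes the per-directory access control work. The following is an added example, not code from the article or from pass itself: a POSIX shell audit that reports, for every entry, which .gpg-id applies and who is listed in it. The function names and the demo store (built in a temporary directory with empty placeholder entries) are constructed for illustration.

```bash
# Added example (not from the article): report which recipients govern each
# entry of a pass-style store, using the nearest-.gpg-id rule.

# recipients_file STORE ENTRY: print the .gpg-id that applies to ENTRY,
# searching from the entry's directory upwards to the store root.
recipients_file() {
    store=${1%/}
    dir=$(dirname "$store/$2")
    while [ "$dir" != "$store" ] && [ ! -f "$dir/.gpg-id" ]; do
        case $dir in /|.) return 1 ;; esac   # walked out of the store: give up
        dir=$(dirname "$dir")
    done
    [ -f "$dir/.gpg-id" ] || return 1
    printf '%s\n' "$dir/.gpg-id"
}

# recipients_for STORE ENTRY: comma-separated, sorted recipient list.
recipients_for() {
    id_file=$(recipients_file "$1" "$2") || return 1
    grep -v '^[[:space:]]*$' "$id_file" | sort | paste -sd, -
}

# audit_store STORE: one "entry<TAB>recipients" line per .gpg file.
audit_store() {
    root=${1%/}
    find "$root" -type f -name '*.gpg' | sort | while IFS= read -r path; do
        entry=${path#"$root"/}
        entry=${entry%.gpg}
        printf '%s\t%s\n' "$entry" "$(recipients_for "$root" "$entry")"
    done
}

# Constructed store mirroring the article's team layout; entries are empty
# placeholder files because only the directory layout matters here.
make_demo_store() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/work/infra" "$d/personal" "$d/github"
    printf 'alice@example.com\n' > "$d/.gpg-id"
    printf 'alice@example.com\n' > "$d/personal/.gpg-id"
    printf 'alice@example.com\nbob@example.com\ncharlie@example.com\n' > "$d/work/.gpg-id"
    : > "$d/work/vpn.gpg"
    : > "$d/work/infra/router.gpg"
    : > "$d/personal/bank.gpg"
    : > "$d/github/main.gpg"
    printf '%s\n' "$d"
}

demo=$(make_demo_store) && audit_store "$demo" && rm -rf "$demo"
```

The audit reads only the .gpg-id files, so it shows the intended recipients; files that were not re-encrypted after a .gpg-id change are still encrypted to the previous recipient set.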
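7. Extension ecosystem
The pass community is very active and has built a rich set of extensions and clients around it:
7.1 Common extensions
| Extension | Function | Install |
|---|---|---|
| pass-otp | TOTP two-factor code generation | apt install pass-extension-otp |
| pass-import | Import from 1Password/LastPass/Keepass | pass import |
| pass-update | Bulk password updates | pass update |
| pass-tomb | Put the password store inside an encrypted container (LUKS/tomb) | pass tomb |
7.2 Cross-platform clients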
[Diagram: the pass ecosystem. pass CLI (Linux/macOS), QtPass (Linux/macOS/Windows), Pass for iOS (iPhone/iPad) and Password Store (Android) sync through the Git repository; Browserpass (Chrome/Firefox) calls pass locally.]
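- QtPass: cross-platform GUI, suited to non-technical users
- Android Password Store: supports Git sync and OpenKeychain GPG
- Pass for iOS: integrates with iOS password AutoFill
- Browserpass: browser extension that auto-fills passwords on web pages
8. Security best practices
8.1 GPG key security
- Use a 4096-bit RSA or Ed25519 key
- Set a strong passphrase on the GPG primary key
- Consider storing the GPG private key on a hardware security key (YubiKey, Nitrokey)
- Regularly back up the GPG private key to offline media (such as a QR code generated with paperkey)
8.2 Password store security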
[Diagram: security threats and their mitigations. Physical device loss: full-disk encryption (LUKS/BitLocker). Git repository leak: passwords are already GPG-encrypted; minimize metadata leakage. GPG key leak: hardware key; store keys separately. Clipboard residue: pass -c clears the clipboard automatically after 45 seconds; clipboard management tools.]
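8.3 GPG Agent configuration
Configure the GPG Agent cache time to balance security and convenience:
```
# ~/.gnupg/gpg-agent.conf
# 28800 seconds = 8 hours
default-cache-ttl 28800
max-cache-ttl 28800
```
```bash
# reload the configuration
gpgconf --kill gpg-agent
gpg-agent --daemon
```
9. A complete workflow example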
[Flowchart. Nodes, in order: Start; install pass + GPG; generate a GPG key pair; pass init (initialize); pass git init; link a remote repository; daily use; pass insert/generate; pass -c (copy to clipboard); pass edit; pass rm; automatic git commit; pass git push/pull; multi-device sync; team collaboration?; add the member's GPG public key; pass init (re-encrypt); End. Edge labels: add, read, update, delete; yes, no.]
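10. Pros and Cons
Pros
- Minimalist Unix philosophy: no proprietary format, just plain text + GPG + the file system
- Fully offline: no dependence on any third-party cloud service
- Transparent and auditable: every password is an independently encrypted file that you can decrypt and verify by hand with gpg -d
- Native Git support: version history, branches, diffs, and team collaboration are all available
- Cross-platform ecosystem: CLI, GUI, mobile, and browser extensions are all covered
- Free and open source: GPLv3 license, active community
Cons
- GPG learning curve: newcomers need to understand concepts such as public/private keys and the trust model
- Metadata leakage: the directory structure (which accounts exist) is not encrypted, so an exposed Git repository leaks that information
- No autofill: requires extensions such as Browserpass, and is less seamless than commercial password managers
- Conflict resolution: when several people change the same password at the same time, the Git conflicts must be resolved by hand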
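To make the metadata exposure named in the cons list concrete, the following added example (not part of the original article and not code from pass itself) lists what a store reveals to anyone who can read the repository without holding a private key. The function names, the sample directory layout and the key IDs are constructed for illustration; it also reads the .gpg-id recipient files, which pass keeps in plaintext next to the encrypted entries.

```shell
#!/bin/sh
# Added example: audit what a pass store exposes without any GPG private key.
# All function names and sample data below are constructed for illustration.

# Print one entry name per line, derived purely from file paths.
store_exposed_entries() {
    store=$1
    ( cd "$store" &&
      find . -path ./.git -prune -o -type f -name '*.gpg' -print ) |
        sed -e 's|^\./||' -e 's|\.gpg$||' | sort
}

# Print the recipient key IDs recorded in every plaintext .gpg-id file.
store_exposed_recipients() {
    store=$1
    find "$store" -path "$store/.git" -prune -o -type f -name '.gpg-id' -print |
        while IFS= read -r f; do cat "$f"; done | sort -u
}

# Build a constructed sample store: placeholder bytes, not real ciphertext.
make_sample_store() {
    dir=$(mktemp -d)
    mkdir -p "$dir/Email" "$dir/Banking/personal"
    printf '%s\n' 'CONSTRUCTED-KEY-ID-ALICE' > "$dir/.gpg-id"
    printf '%s\n' 'CONSTRUCTED-KEY-ID-ALICE' 'CONSTRUCTED-KEY-ID-BOB' \
        > "$dir/Banking/.gpg-id"
    for e in Email/example.com Banking/personal/examplebank.test; do
        printf 'placeholder' > "$dir/$e.gpg"
    done
    printf '%s\n' "$dir"
}

# Demo run against the constructed store.
sample=$(make_sample_store)
echo "Entries visible without a key:"
store_exposed_entries "$sample"
echo "Recipients visible without a key:"
store_exposed_recipients "$sample"
rm -rf "$sample"
```

Pointing the two functions at your own store before pushing it to a shared remote shows exactly which account names and key IDs that remote will hold in the clear.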
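Conclusion
pass is not a password manager designed for everyone. If you want something that works out of the box and is fully automatic, 1Password or Bitwarden may suit you better. But if you believe in the Unix philosophy, want full control over your own data, want to understand every layer of the encryption, and already use Git and GPG every day, then pass is the purest, most transparent, most Unix choice.
It solves the most complex problem with the simplest abstractions: your passwords, encrypted with your own key, stored in your own files, synced to your own Git repository. No black box, no subscription fee, no vendor lock-in. That is the appeal of pass.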