PLASS(1) General Commands Manual PLASS(1)

plassmanage passwords

plass [-h] command [argument ...]

plass is a simple password manager. Passwords are stored as a directory tree where every password is a file encrypted with gpg(1).

A password store is a got(1) repository with a worktree checked out at ~/.password-store (or PLASS_STORE). The only restriction is that a special file called .gpg-id containing the GPG recipient must exist in the root of the directory tree for most plass commands to work.

Password entries can be referenced using the path relative to the store directory. The file extension “.gpg” is optional.

plass provides global and command-specific options. Global options must precede the command name, and are as follows:

Display usage information and exit immediately.

The following commands are available:

entries ...
Decrypt and print the content of entries in the given order.
Print the entries of the store one per line, optionally filtered by pattern.
[-nq] [-c chars] [-l length] entry
Generate and persist a password for the given entry in the store. -c can be used to control the characters allowed in the password (by default “!-~” i.e. all the printable ASCII characters) and -l the length (32 by default). Unless the -q flag is provided, print the generated password. If the -n flag is given the password won't be persisted and the entry argument is optional.
from to
Rename a password entry, doesn't work with directories. from must exist and to mustn't.
entries ...
Remove the given entries from the store.
[-q] entry
Persist the data read from standard input into the store under the given entry name and the print it again on the standard output unless the -q option is given.

default range of characters to use to generate passwords.
Path to the got(1) executable.
Path to the gpg(1) executable.
Default length for the generated passwords.
Path to the password store directory tree.

Password store used by default.
File containing the GPG recipient used to encrypt the passwords.

The plass utility exits 0 on success, and >0 if an error occurs.

A got repository and password store can be initialized as follows:

$ mkdir ~/.password-store
$ echo > ~/.password-store/.gpg-id
$ gotadmin init ~/git/pass.git
$ got import -r ~/git/pass.git -m 'initial import' ~/.password-store
$ got checkout -E ~/git/pass.git ~/.password-store

see got(1) for more information.

To migrate from pass(1), delete ~/.password-store and check out it again using got(1).

To generate a temporary random password use

$ plass gen -n

Display the entries matching ‘key’ arranged comfortably for reading in a terminal window:

$ plass find key | rs

got(1), gpg(1), pass(1)

plass was heavily influenced by pass(1) in the design, but it's a different implementation that prioritizes ease of use and composability.

The plass utility was written by Omar Polo <>.

plass find output format isn't designed to handle files containing newlines. Use find(1) -print0 or similar if it's a concern.

plass mv is not able to move directory trees, only file entries.

There isn't a init sub-command, the store initialization must be performed manually.

October 5, 2022 OpenBSD 7.2