diff --git a/gocrypt.bash b/gocrypt.bash
index 11d7538..1cc40ef 100755
--- a/gocrypt.bash
+++ b/gocrypt.bash
@@ -15,6 +15,11 @@ gocrypt_env_check() {
     [ ! -d "$gocrypt_dir" ] && gocrypt_die "gocrypt plugin not initialized"
 }
 
+gocrypt_close_check() {
+    gocrypt_env_check
+    [ -f "$gocrypt_dec_dir"/.pass-gocrypt ] && gocrypt_die "gocrypt already opened"
+}
+
 gocrypt_open_check() {
     gocrypt_env_check
     [ ! -f "$gocrypt_dec_dir"/.pass-gocrypt ] && gocrypt_die "gocrypt not opened"
@@ -54,7 +59,7 @@ gocrypt_init() {
 }
 
 gocrypt_open() {
-    gocrypt_env_check
+    gocrypt_close_check
     mkdir -p "$gocrypt_dec_dir"
 
     gocryptfs -passfile /dev/stdin "$gocrypt_dir" "$gocrypt_dec_dir" <<< "$(pass show "$gocrypt_passwd_file")"
@@ -74,8 +79,50 @@ gocrypt_delegate() {
     pass git commit -m "Encrypted pass operation inside gocrypt" "$gocrypt_dir" || echo "No git commit created"
 }
 
+gocrypt_help() {
+    printf "%s" "\
+$PROGRAM gocrypt - hide part of the password store in a subdirectory encrypted with gocryptfs
+
+usage
+    $PROGRAM gocrypt init
+        Initialize a encrypted subdirectory at \$PASSWORD_STORE_DIR/$gocrypt_dir. The password used by
+        gocryptfs will be generated by pass and stored at \$PASSWORD_STORE_DIR/$gocrypt_passwd_file.gpg.
+        The encrypted subdirectory, along with the generated (encrypted) password, will be committed to
+        the git repository managed by pass, if there is one.
+
+        By default, the .gpg-id file of the main password store will be symlinked into the encrypted
+        subtree. You can change this manually by mounting (opening) the directory and replacing this
+        symlink with a custom one.
+
+    $PROGRAM gocrypt open
+        Mount the encrypted subdirectory to \$PASSWORD_STORE_DIR/$gocrypt_dec_dir.
+
+    $PROGRAM gocrypt close
+        Unmount the encrypted subtree, if it was opened before.
+
+    $PROGRAM gocrypt help
+        Print this help message.
+
+    $PROGRAM gocrypt [ls|list|grep|find|search|show|insert|add|edit|generate|rm|remove|delete|mv|rename|cp|copy|git] ...
+        Run the provided subcommand of pass inside the encrypted subtree. This requires that the subdirectory
+        has been mounted. When the operation is completed, if the outer password store is a git repository, a
+        new commit will be created containing all the encrypted modifications done by the command inside the
+        subtree. The commit message will be a generic one and will not leak content inside the subtree.
+
+        You should *always* use this command when modifying the encrypted subtree. If your password store is a
+        git repository, operating inside a subtree behind a mountpoint (which is created by gocryptfs) will not
+        work properly, and may leak metadata inside the mountpoint.
+
+        TIP: You can create a nested git repository inside the encrypted subtree using \`$PROGRAM gocrypt git ...\`
+        commands. This way, any modification in the encrypted subtree will be tracked *both* inside and outside,
+        such that the commit inside will contain actual metadata about the modification, and the one outside will be
+        encrypted. You will only need to push the repository outside for backup purposes.
+"
+}
+
 if [ $# -eq 0 ]; then
-    gocrypt_die "Unknown command for gocrypt"
+    gocrypt_help
+    exit 1
 fi
 
 if [ ! -d "$PREFIX" ]; then
@@ -86,6 +133,10 @@ fi
 cd "$PREFIX"
 
 case "$1" in
+    help)
+        gocrypt_help
+        exit 0
+        ;;
     init)
         shift
         gocrypt_init $@