A `pass` extension that encrypts part of the password store tree using `gocryptfs`.
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

288 lines
10 KiB

#!/usr/bin/env bash
# SPDX-License-Identifier: GPL-3.0-only
# Copyright (C) 2022 Peter Cai <peter at typeblog dot net>
readonly gocrypt_dir=".gocrypt"
readonly gocrypt_dec_dir="gocrypt"
readonly gocrypt_passwd_file="gocrypt-passwd"
readonly gocrypt_needs_passphrase_marker=".gocrypt-needs-passphrase"
readonly gocrypt_close_timeout="300"
gocrypt_sys_check() {
which gocryptfs > /dev/null || gocrypt_die "gocryptfs not found in PATH"
gocrypt_env_check() {
[ ! -d "$gocrypt_dir" ] && gocrypt_die "gocrypt plugin not initialized"
gocrypt_close_check() {
[ -f "$gocrypt_dec_dir"/.pass-gocrypt ] && gocrypt_die "gocrypt already opened"
gocrypt_open_check() {
[ ! -f "$gocrypt_dec_dir"/.pass-gocrypt ] && gocrypt_die "gocrypt not opened"
gocrypt_die() {
printf "Error: %s\n" "$1" >&2
exit 1
gocrypt_unique_task_identifier() {
echo "pass-gocrypt-$(sha256sum <<< "$PREFIX" | cut -d ' ' -f 1)"
# This file is used as a lock for all access to the encrypted password store
# so that it prevents the auto-close task from unmounting before all operations
# are completed
gocrypt_lock_file_path() {
local path="$XDG_RUNTIME_DIR"
if [ -z "$path" ] || [ ! -d "$path" ]; then
echo "$path/$(gocrypt_unique_task_identifier).lck"
gocrypt_spawn_close_task() {
which systemd-run > /dev/null || return
local task_name="$(gocrypt_unique_task_identifier)"
# Cancel any previous task that might be present
systemctl --user stop "$task_name.timer" > /dev/null 2>&1
# Create a new task
systemd-run --user --on-active=$gocrypt_close_timeout --unit="$task_name" \
/usr/bin/env flock -x "$(gocrypt_lock_file_path)" /usr/bin/env bash -c \
"fusermount -u '$PREFIX'/'$gocrypt_dec_dir' || fusermount -u -z '$PREFIX'/'$gocrypt_dec_dir'"
echo "Will close the gocryptfs mount after $gocrypt_close_timeout seconds"
_cmd_git() {
[ -d '.git' ] && cmd_git "$@"
gocrypt_init() {
local needs_passphrase=false
local passphrase=""
while [ $# -gt 0 ]; do
case "$1" in
gocrypt_die "Unexpected argument: $1"
[ $# -eq 0 ] || gocrypt_die "Unexpected argument"
if [ -d "$gocrypt_dir" ] || [ -f "$gocrypt_dir" ]; then
gocrypt_die "gocrypt plugin already initialized for your password store"
if $needs_passphrase; then
echo -n "Enter passphrase: "
read -s passphrase
local passphrase_confirm=""
echo -n "Confirm passphrase: "
read -s passphrase_confirm
[ "$passphrase" == "$passphrase_confirm" ] || gocrypt_die "Passphrase mismatch"
cmd_generate "$gocrypt_passwd_file" 32
local gocrypt_passwd="$(cmd_show "$gocrypt_passwd_file")"
# Initialize gocryptfs
mkdir "$gocrypt_dir"
if $needs_passphrase; then
touch "$gocrypt_needs_passphrase_marker"
gocryptfs -passfile /dev/stdin -init "$gocrypt_dir" <<< "$gocrypt_passwd" || gocrypt_die "Unable to initialize gocryptfs"
# Mount the gocryptfs subdirectory and initialze what is inside of it
_gocrypt_passwd="$gocrypt_passwd" gocrypt_open || gocrypt_die "Cannot open the gocryptfs we just initialized"
touch "$gocrypt_dec_dir"/.pass-gocrypt
# By default, we use the same gpg-id inside, but the user can decide to use a different one later by doing it manually
ln -s ../.gpg-id "$gocrypt_dec_dir"/.gpg-id
# Add the decrypted path to gitignore
echo >> .gitignore
echo "# Gocrypt" >> .gitignore
echo "gocrypt" >> .gitignore
_cmd_git add .gitignore
$needs_passphrase && _cmd_git add "$gocrypt_needs_passphrase_marker"
_cmd_git add "$gocrypt_dir"
_cmd_git commit -m "Initialized encrypted storage for gocrypt plugin"
gocrypt_open() {
[ $# -eq 0 ] || gocrypt_die "Unexpected argument"
mkdir -p "$gocrypt_dec_dir"
local gocrypt_passwd=""
if [ ! -z "$_gocrypt_passwd" ]; then
gocrypt_passwd="$(cmd_show "$gocrypt_passwd_file")"
if [ -f "$gocrypt_needs_passphrase_marker" ]; then
local passphrase=""
echo -n "Enter passphrase: "
read -s passphrase
gocryptfs -passfile /dev/stdin "$gocrypt_dir" "$gocrypt_dec_dir" <<< "$gocrypt_passwd" || gocrypt_die "Unable to decrypt"
gocrypt_close() {
[ $# -eq 0 ] || gocrypt_die "Unexpected argument"
# Remove the systemd task for closing if present
which systemctl > /dev/null && systemctl --user stop "$(gocrypt_unique_task_identifier).timer" > /dev/null 2>1
fusermount -u "$gocrypt_dec_dir" || fusermount -u -z "$gocrypt_dec_dir"
gocrypt_delegate() {
# Note: the caller MUST hold the lock for accessing the encrypted password store before calling
# Delegate command to another `pass` instance that manages what is inside of the mountpoint
PASSWORD_STORE_DIR="$PWD/$gocrypt_dec_dir" "$PROGRAM" "$@"
# Commit if there has been changes due to this operation
if [[ `_cmd_git status --porcelain=v1 "$gocrypt_dir"` ]]; then
_cmd_git add "$gocrypt_dir"
_cmd_git commit -m "Encrypted pass operation inside gocrypt" "$gocrypt_dir" || echo "No git commit created"
gocrypt_crypt() {
[ $# -eq 1 ] || gocrypt_die "Unexpected argument"
[ ! -f "$1.gpg" ] && gocrypt_die "Not found: $1"
cmd_show "$1" | EDITOR=tee gocrypt_delegate edit "$1"
cmd_delete -f "$1"
echo "Moved $1 into encrypted storage"
gocrypt_help() {
printf "%s" "\
$PROGRAM gocrypt - hide part of the password store in a subdirectory encrypted with gocryptfs
$PROGRAM gocrypt init [-p|--passphrase]
Initialize a encrypted subdirectory at \$PASSWORD_STORE_DIR/$gocrypt_dir. The password used by
gocryptfs will be generated by pass and stored at \$PASSWORD_STORE_DIR/$gocrypt_passwd_file.gpg.
The encrypted subdirectory, along with the generated (encrypted) password, will be committed to
the git repository managed by pass, if there is one.
By default, the .gpg-id file of the main password store will be symlinked into the encrypted
subtree. You can change this manually by mounting (opening) the directory and replacing this
symlink with a custom one.
You can optionally use an extra piece of symmetric passphrase to encrypt the subdirectory, by
passing the argument -p or --passphrase when invoking this command to initialize. In this case,
the passphrase you input will be used along with the generated password to derive the encryption
key (KEK) of the master key of gocryptfs. This second piece of passphrase will not be stored in
the password store, and you will be asked for it every time you invoke \`$PROGRAM gocrypt open\`.
This mode adds an extra layer of protection in case the gpg-encrypted master password is somehow
$PROGRAM gocrypt open
Mount the encrypted subdirectory to \$PASSWORD_STORE_DIR/$gocrypt_dec_dir.
$PROGRAM gocrypt close
Unmount the encrypted subtree, if it was opened before.
$PROGRAM gocrypt crypt <pass_name>
Move a password <pass_name> from the original password store to the encrypted subdirectory. Note
that if you use git, this will still leave a record in the git repository of the original password
$PROGRAM gocrypt help
Print this help message.
$PROGRAM gocrypt [ls|list|grep|find|search|show|insert|add|edit|generate|rm|remove|delete|mv|rename|cp|copy|git] ...
Run the provided subcommand of pass inside the encrypted subtree. This requires that the subdirectory
has been mounted. When the operation is completed, if the outer password store is a git repository, a
new commit will be created containing all the encrypted modifications done by the command inside the
subtree. The commit message will be a generic one and will not leak content inside the subtree.
You should *always* use this command when modifying the encrypted subtree. If your password store is a
git repository, operating inside a subtree behind a mountpoint (which is created by gocryptfs) will not
work properly, and may leak metadata inside the mountpoint.
TIP: You can create a nested git repository inside the encrypted subtree using \`$PROGRAM gocrypt git ...\`
commands. This way, any modification in the encrypted subtree will be tracked *both* inside and outside,
such that the commit inside will contain actual metadata about the modification, and the one outside will be
encrypted. You will only need to push the repository outside for backup purposes.
if [ $# -eq 0 ]; then
exit 1
if [ ! -d "$PREFIX" ]; then
gocrypt_die "Cannot open password store"
# cd into the password store prefix
cd "$PREFIX"
# Open the lock file
touch "$(gocrypt_lock_file_path)" || exit 1
exec {lock_fd}< "$(gocrypt_lock_file_path)" || exit 1
# Always take the exclusive lock while any command is running -- to prevent the close task from running at the same time
flock -x $lock_fd
case "$1" in
exit 0
gocrypt_init "$@"
gocrypt_open "$@"
gocrypt_crypt "$@"
gocrypt_close "$@"
# No shift here since we need to delegate these commands to another pass instance
gocrypt_delegate "$@"
gocrypt_die "Unknown command $1 for gocrypt"
# Manual unlock; not strictly necessary since exit will also release the lock
flock -u $lock_fd