command module
Version: v0.0.0-...-e5de224 Latest Latest

This package is not in the latest version of its module.

Go to latest
Published: Aug 10, 2019 License: MIT Imports: 15 Imported by: 0


Build Status


stores, retrieves, generates, and synchronizes passwords and files securely and is written in Go! It is inspired by but has a few key differences. The most important difference is passgo is not GPG based. Instead it uses a master password to securely store your passwords. It also supports encrypting arbitrary files.

passgo is meant to be secure enough that you can publicly post your vault. I've started publishing my passwords here.

Getting started with passgo

First make sure you have installed golang and set up your $GOPATH.

It's recommend that you add $GOPATH/bin to your $PATH. This will make any golang executables available as commands in bash for you to use. Add the following to ~/.bashrc and restart your terminal:

export PATH=$PATH:$GOPATH/bin

Then you can download gopass, its dependencies and install them all with one command:

go get

Next create a vault to store passwords in and a master password:

passgo init

Finally, to learn more you can either read about the commands listed in this README or run:

passgo usage



This basic command is used to print out the contents of your password vault. It doesn't require you to enter your master password.

$ passgo
|  └──
passgo init

Init should only be run one time, before running any other command. It is used for generating your master public private keypair.

$ passgo init
passgo insert group/pass-name

Adding a site is easy. If you wish to group multiple entries together, it can be accomplished by prepending a group name followed by a slash to the pass-name. Here we are adding to the password store.

$ passgo insert

Here we are adding to the password store, but more specifically to the money group. Now, will be grouped with other sites in the money group.

$ passgo insert mney/
passgo insertfile group/file-name filepath

Adding a file works almost the same as insert. Instead it has an extra argument. The file that you want to add to your vault is the final argument. Grouping works the same way with insertfile as insert.

$ passgo insertfile money/moneyfile.txt expenses.txt
passgo show group/pass-name

Show is used to display a password in standard out. Previously it was possible to display a password using passgo group/pass-name but this is no longer supported.

$ passgo show mney/
Enter master password:
passgo rename group/pass-name

If we add a site and wish to change the name of the site later it is simple to do. Here we rename our site after misspelling the group name.

$ passgo rename mney/
Enter new site name for mney/ money/
passgo edit group/pass-name

If you want to securely update a password for an already existing site, the edit command is helpful.

$ passgo edit money/
Enter new password for money/
passgo generate

passgo can also create randomly generated passwords. The default length of passgo generated passwords is 24 characters. This length can be changed by passing a length to the generate subcommand.

$ passgo generate
$ passgo generate 123   
passgo find sub-name

find can be used to search for all sites that contain a particular substring. It's good for printing out groups of sites as well. passgo ls is an alias of passgo find.

 $ passgo find money
 $ passgo ls money
passgo remove group/pass-name

remove is used for removing sites from the password vault. passgo rm is an alias of passgo remove.

$ passgo
|  └──ff
|  └──
$ passgo remove bb/ff
$ passgo
|  └──
passgo removefile group/file-name

removefile is used for removing files from the password vault. passgo rmfile is an alias of passgo removefile. removefile works the same way as remove, except it only works on file entries in your vault.

$ passgo rmfile money/moneyfile.txt
passgo integrity

The integrity subcommand is used to manually generate and save the integrity hash of the site vault. Sometimes git issues arise and some manual intervention is necessary. Run this command first.

passgo remote git-url

passgo can sync your password store to a remote git repository. The remote subcommand is used to add a git remote to your local passgo git repository.

$ passgo remote
$ passgo insert work/email
Enter password for work/email:
$ passgo push
passgo push

Sync your local changes to your remote git repository.

passgo pull

Sync your local passgo directory with your remote git repository.

$ passgo
$ passgo pull
$ passgo
|  └──bb
passgo clone git-url

Clone a remote passgo git repository and set it as your local password store.

$ passgo clone
$ passgo
|  └──bb
passgo usage

Print basic usage information. passgo help is also an alias of passgo usage.

passgo version

Print basic version information.


Password Store Initialization.

passgo only uses AEADs for encrypting data. When passgo init is run, users are prompted for a master password. A random salt is generated and the master password along with the salt are passed to the Scrypt algorithm to generate a symmetric master key.

A master public/private keypair is generated when passgo init is run. The symmetric master password is used to encrypt the master private key, while the master public key is left in plaintext.

Generating Passwords.

Password generation takes place in the pc package by using the GeneratePassword function. GeneratePassword creates a random password by reading a large amount of randomness using the func Read([]byte) (int, error) function in the crypto/rand package.

The block of randomness is then read byte-by-byte. Printable characters that match the desired password specification (uppercase, lowercase, symbols, and digits) are then included in the generated password.

Adding A Site.

When a site is added to the password store, a new public private key pair is generated. The newly generated private key, the user's master public key, and a securely generated nonce are used to encrypt the sites data.

The encryption and key computation are done using the package which uses Curve25519, XSalsa20, and Poly1305 to encrypt and authenticate the site's data.

After the site information is added, the site's generated private key is thrown away.

Protecting Your Public Key.

Syncing a plaintext public key that is used for encrypting new site data to a remote server is risky if the remote server is malicious. Because of this, an HMAC of your public key is calculated with a separate key than your symmetric master key, based on your master password and a separate 32 byte salt.

Threat model

The threat model of passgo assumes there are no attackers on your local machine. The passgo vault also protects itself from the remote git server by maintaining a keyed integrity hash of the password vault. The git server is unable to change site information, decrypt site information, or read passwords. Remote git servers can delete commits and changes without being detected when cloning or pulling a passwords vault. Fixing this is not possible by any password manager.


The Go Gopher

There is no documentation for this package.

Source Files


Path Synopsis
Package edit provides functionality to edit sites that have already been added to the password store.
Package edit provides functionality to edit sites that have already been added to the password store.
Package insert handles adding a new site to the password store.
Package insert handles adding a new site to the password store.
Package pc provides crypto functions for use by passgo.
Package pc provides crypto functions for use by passgo.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
t or T : Toggle theme light dark auto
y or Y : Canonical URL