Introduction

pass team is an extension for pass - the standard unix password manager.

pass team allows team members to share passwords among themselves using Role-based Access Control.

# Create a new role in your team
pass team role create   dev
# Assign your team members
pass team role assign   dev   ali@example.org   mia@example.org
# Share passwords with them
pass team share set     dir/in/my/password-store   dev

See Examples for extensive usage examples.

Current Features

  • Initialize a team with team managers: pass team init ([--trusted] <gpg-id>)...
    • Normal team managers can manage roles and shares.
    • Optionally, trusted team managers additionally have read-access to all passwords.
  • Manage roles (list/add/remove/assign/unassign): pass team role ...
  • Manage shared directories (list/add/remove): pass team share
  • Automatically reencrypt passwords after roles or shares have been changed.

For more information about the available commands see the Man Page.

Vision, Goals, Roadmap and Releases

pass team is still a work in progress. Its first official release is version 0.1.0. It covers basic Role-based Access Control features.

Warning: pass team has not been tested with a git setup yet. Testing this, and adding convenient .gitignore and config settings for sharing pass team data over git repositories, is planned for the future release 0.2.

See the Roadmap and the Vision and Goals for more information.

Concepts

pass team implements Role-based Access Control for passwords in the password store.

  1. Team members are identified by their gpg public keys and have roles.
  2. Directories in the password store can be shared with team members by assigning roles to the shares.
  3. Passwords in the shared directories are encrypted for all users who have the correct roles.
  4. “Pass team managers” are privileged team members who can manage the roles of the team members and the shared directories.

See a more technical description in concepts.md.
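
The access model from the list above, as an added Python sketch that is not part of pass team's own code: it works out which gpg ids a password has to be encrypted for, and which ids lose access after a role change. The data layout, the function names and the addresses other than ali@ and mia@ are assumptions made for illustration, not pass team's storage format.

```python
from pathlib import PurePosixPath

# Constructed sample state; the layout is an assumption, not pass team's format.
ROLES = {  # role -> gpg ids of the members holding it
    "dev": {"ali@example.org", "mia@example.org"},
    "ops": {"mia@example.org", "joe@example.org"},
}
SHARES = {  # shared directory -> roles it is shared with
    "dir/in/my/password-store": {"dev"},
    "infra": {"ops"},
}
MANAGERS = {"boss@example.org": True, "lead@example.org": False}  # id -> trusted?


def recipients(password, roles=ROLES, shares=SHARES, managers=MANAGERS):
    """Return the set of gpg ids that `password` must be encrypted for."""
    path = PurePosixPath(password)
    # Trusted managers read everything; normal managers get no read access.
    ids = {gpg_id for gpg_id, trusted in managers.items() if trusted}
    for share, share_roles in shares.items():
        share_dir = PurePosixPath(share)
        # Compare whole path components so "infra" does not cover "infra-old".
        if share_dir == path or share_dir in path.parents:
            for role in share_roles:
                ids |= roles.get(role, set())
    return ids


def revoked(password, roles_before, roles_after):
    """Ids that could decrypt before a role change but must not afterwards.

    A non-empty result means the file has to be re-encrypted.
    """
    return recipients(password, roles_before) - recipients(password, roles_after)


if __name__ == "__main__":
    print(sorted(recipients("dir/in/my/password-store/db/prod")))
    after = {**ROLES, "dev": ROLES["dev"] - {"ali@example.org"}}
    print(sorted(revoked("dir/in/my/password-store/db/prod", ROLES, after)))
```

Re-encryption only changes who can decrypt the stored file; a password that a removed member could already read should also be changed.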