man pass-team(1)

NAME

pass team – An extension for pass(1) which allows team members to share passwords among themselves using Role-based Access Control.

SYNOPSIS

pass team --version|--license|--help

pass team [OPTIONS] COMMANDS...

pass team init ([--trusted] <gpg-key>)...

pass team role list

pass team role (create|show|remove) <role>...

pass team role (assign|unassign) <role> <gpg-key>...

pass team share list

pass team share (show|unset) <directory>

pass team share reencrypt (--all|<directory>...)

pass team share (add|set) <directory> <role>...

pass team share remove <directory> (--all|<role>...)

pass team key list

pass team key show <pattern>

DESCRIPTION

Pass team is an extension for pass, the standard unix password manager (https://www.passwordstore.org/).

Pass team allows team members to use pass as the password store for both private and shared passwords and distribute shared passwords among themselves using Role-based Access Control.

Pass team assigns one or more roles to gpg keys and shares directories of the password store with those roles. That is why the most important COMMANDS are pass team role, pass team share, and pass team key.

Pass team works without any super user who can read and change all passwords – however, you can have one, of course.

OPTIONS

--quiet|-q
Display less output which is easier to process for non-human readers. Alternatively, set the PASSWORD_STORE_TEAM_QUIET environment variable to any value.
--help|-h
Show help and exit. When combined with COMMANDS a more detailed help is printed.
--debug|-d
Print debug messages. Can be repeated several times for more verbose debug messages. Alternatively, use the environment variable PASSWORD_STORE_TEAM_DEBUG_LEVEL=[0-3] for setting a debug level.
--licence
Show licence and exit.
--version
Show version information for this extension and exit.
--no-color
Disable colored output. Alternatively, set the NO_COLOR or PASSWORD_STORE_TEAM_NO_COLOR environment variable to any value.

COMMANDS

init ([--trusted] <gpg-key>)...

Initialize the pass team extension and use the given gpg keys as pass team managers. The pass team managers are responsible for managing the roles and shared directories. Managers who are ‘trusted’ are also added to every share (and can thus read every password). This is handy when passwords need to be reencrypted often because roles or shares change frequently.

The --trusted flag always applies to the gpg-key directly following it.

role

Commands for creating, removing and assigning roles, and more.

list
List all known roles. When combined with the -q OPTION all roles will be printed space-separated in one line.
show <role>
Show the role and the assigned gpg-ids.
create <role>
Create a new role in the team.
remove <role>
Remove the role from the team.
assign <role> <gpg-key>…
Assign the given role to all gpg-ids.
unassign <role> <gpg-key>…
Unassign the given role from all gpg-ids.

share

list
List all shared directories. When combined with the -q OPTION all shared directories are printed space-separated in one line.
show <directory>
Show all roles which have access to the given directory.
add <directory> <role>…
Add the roles to the shared directory. Same as pass team share set if the directory has not been shared previously.
set <directory> <role>…
Add the directory to the list of shared directories and share it with all of the given roles and remove any other roles from this share.
reencrypt (--all|<directory>…)
Reencrypt the given directories. This command is useful after an administrator has changed the role assignments or the shared directory but could not reencrypt the shared passwords accordingly because they lacked read permission for the shared directory.
remove <directory> (--all|<role>…)
Remove the roles from the shared directory. --all removes the shared directory completely. If the directory is not being shared with any role anymore, the directory is removed from the list of shared directories and all passwords are reencrypted for the local password store.
unset <directory>
Alias for pass team share remove --all.
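The init, role and share commands above fit together into one bootstrap procedure: register the managers, create roles, assign keys, share directories, then verify the key set. The script below is an added example, not part of pass team; the fingerprints, role names (ops, dev) and directories (infra/, apps/) are constructed placeholders, and the --dry-run/--apply switches and the PASS_TEAM_DRY_RUN variable are this script's own convention, not pass team options.

```shell
#!/bin/sh
# Added example (not pass team's own code): bootstrap a team store with two
# roles and two shared directories using the commands from this man page.
set -eu

# Constructed placeholder fingerprints; replace with your team's real keys.
MANAGER_KEY="0000000000000000000000000000000000000001"   # trusted manager
ALICE_KEY="0000000000000000000000000000000000000002"
BOB_KEY="0000000000000000000000000000000000000003"

# With PASS_TEAM_DRY_RUN set (this script's own switch), print each command
# instead of running it, so the plan can be reviewed before it touches the store.
run() {
    if [ -n "${PASS_TEAM_DRY_RUN:-}" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

bootstrap_team() {
    # 1. Register the managers. Only a trusted manager is added to every
    #    share; an untrusted manager administers roles without reading passwords.
    run pass team init --trusted "$MANAGER_KEY"
    # 2. Create roles and assign keys (one key may hold several roles).
    run pass team role create ops dev
    run pass team role assign ops "$ALICE_KEY"
    run pass team role assign dev "$ALICE_KEY" "$BOB_KEY"
    # 3. Share directories. `set` makes the role list authoritative, so a
    #    later re-run also removes roles that were added by hand in between.
    run pass team share set infra/ ops
    run pass team share set apps/ ops dev
    # 4. Sanity check: `key list` exits with EXIT_BAD_KEY (99) when any key
    #    is expired, missing, ambiguous or not validated.
    run pass team -q key list
}

# Number of pass team invocations the bootstrap performs (dry run only).
count_bootstrap_steps() {
    ( PASS_TEAM_DRY_RUN=1; bootstrap_team ) | grep -c '^pass team '
}

case "${1:-}" in
    --dry-run) PASS_TEAM_DRY_RUN=1; bootstrap_team ;;
    --apply)   bootstrap_team ;;
esac
```

Run it once with --dry-run and read the printed command list before running it with --apply; re-running with --apply is safe for the share steps because `share set` replaces the role list rather than appending to it.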

key

Key management is not fully implemented; completing it is planned for the 0.4.0 release (see the project's roadmap). Currently it is possible to list the gpg keys that are used in the password store and to show details for particular keys.

list
List all keys that are used in this password store.

The list shows the fingerprint of the gpg public key and the uids.

  • If the list of keys says “it’s you!” the private key is available for the key in question.

  • If the list says “key is missing” the public key with the given fingerprint is not in the gpg keyring. You have to add it manually to gpg.

  • If the list says “key is expired” the public key with the given fingerprint is expired.

  • If the list says “key is not validated” the public key is not validated. If you try to encrypt a password for this key, gpg will say something like

    Warning: Could not reencrypt ‘somedir/’. gpg: ABCDEF1234567890: There is no assurance this key belongs to the named user gpg: [stdin]: encryption failed: Unusable public key

    You should validate the key in question by signing it (after you have checked the identity of the key owner and found them trustworthy, of course).

  • If the list says “key is ambiguous” a key was used in a way that cannot identify the key unambiguously. This should be considered a misconfiguration of your password store. This can occur when a password store was initialized with

    $ pass init alice@example.com

    and there are several keys for alice@example.com available in your gpg store.

pass team -q key list only shows the fingerprints and the uids of the keys and does not pretty-print the fingerprints.

Exit Codes:

  • Zero indicates zero errors.
  • EXIT_BAD_KEY (99) when at least one of the listed keys is expired, ambiguous, not validated or the public key is unknown.

show <pattern>
Show details for the key matching the pattern. The pattern can be a fingerprint, parts thereof, a name, or an email address. If the pattern matches more than one key the matching keys are listed instead.

Note: Not all keys in your gpg store are searched for matches, but only those keys which are actually used by your team. That is, only keys which are assigned to one of your team's roles are considered.

pass team -q key show only prints the fingerprint and the uids of the key if there is a match.

In non-quiet mode the roles and shared directories of the given key are listed as well, together with additional information (expiry, validity, etc.). See list for more information.

Exit Codes:

  • Zero indicates zero errors.
  • EXIT_NO_MATCHING_KEY (96) when there is no matching key.
  • EXIT_KEY_EXPIRED (97) when the key is expired.
  • EXIT_KEY_VALIDITY (98) when the key’s validity is unknown.
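The share reencrypt command and the exit codes of key list combine into a routine a trusted manager can run after any role or share change: refuse to reencrypt while key list reports a bad key (gpg would otherwise fail with "Unusable public key" for that member, as shown under list), then reencrypt each shared directory and report which ones failed. This is an added example, not pass team's own code; it relies only on the quiet output format and exit codes documented in this man page, and --apply is this script's own switch.

```shell
#!/bin/sh
# Added example (not pass team's own code): reencrypt every shared directory
# after role or share changes, but only once `key list` reports a clean key set.
set -eu

EXIT_BAD_KEY=99   # from the EXIT CODES section of pass-team(1)

# `pass team -q share list` prints all shared directories space-separated
# on one line; turn that into one directory per line.
split_share_list() {
    printf '%s\n' "$1" | tr -s ' ' '\n' | sed '/^$/d'
}

# Decide whether reencryption may proceed, given the exit status of
# `pass team -q key list`. Returns 0 to proceed, 1 to abort.
may_reencrypt() {
    case "$1" in
        0) return 0 ;;
        "$EXIT_BAD_KEY")
            echo "a team key is expired, missing, ambiguous or not validated;" \
                 "run 'pass team key list' and fix it before reencrypting" >&2
            return 1 ;;
        *)  echo "pass team key list failed with status $1" >&2
            return 1 ;;
    esac
}

# Reencrypt each share separately so that one failing directory does not
# hide the result for the others; returns 1 if any share failed.
reencrypt_all_shares() {
    status=0
    pass team -q key list >/dev/null || status=$?
    may_reencrypt "$status" || return 1
    shares=$(pass team -q share list) || return 1
    failed=0
    for dir in $(split_share_list "$shares"); do
        if ! pass team share reencrypt "$dir"; then
            echo "reencrypt failed for $dir" >&2
            failed=1
        fi
    done
    return "$failed"
}

case "${1:-}" in
    --apply) reencrypt_all_shares ;;
esac
```

The manager running this must be one who can read every share (a trusted manager), otherwise reencrypt fails for the directories they cannot decrypt, which is exactly the situation the reencrypt command exists to repair.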

EXIT CODES

EXIT_GENERIC_ERROR (1)
A generic error has occurred.
EXIT_USAGE_ERROR (81)
The command could not be executed due to wrong user input, typos or missing parameters. Try pass team --help to find the correct usage.
EXIT_PASS_NOT_INITIALIZED (82)
The command could not be executed because the password store has not been initialized. Try pass help to see how.
EXIT_PASS_TEAM_NOT_INITIALIZED (83)
The command could not be executed because the team extension has not been initialized for this password store. Try pass team init <gpg-key> to do so.
EXIT_UNKNOWN_GPG_PUBLIC_KEY (84)
A key was used where the public key is missing from the gpg key store.
EXIT_ROLE_IS_ASSIGNED_TO_SUBJECTS (85)
The command could not be executed because a role is still or already assigned to a subject.
EXIT_ROLE_DOES_NOT_EXIST (86)
The role does not exist.
EXIT_ROLE_DOES_EXIST (87)
The role does exist already.
EXIT_CANNOT_UNASSIGN_SUBJECT_NOT_ASSIGNED (88)
The command could not be executed because the subject is not assigned to the given role.
EXIT_DIRECTORY_DOES_NOT_EXIST (89)
The directory does not exist.
EXIT_NOT_A_DIRECTORY (90)
The given path is not a directory.
EXIT_NOT_A_SHARED_DIRECTORY (91)
The given path is not a shared directory.
EXIT_BAD_ROLE_NAME_DOT_START (92)
Role names must not start with a dot.
EXIT_BAD_ROLE_NAME_NO_LATIN_CHAR (93)
Role names must contain at least one character from the latin alphabet.
EXIT_BAD_ROLE_NAME_UNALLOWED_CHAR (94)
Role names must not contain any character other than latin alphabetic characters, arabic numerals, ‘-’, ‘_’, and ‘.’.
EXIT_KEY_PATTERN_NOT_UNIQUE (95)
The key pattern did not unambiguously identify a gpg key.
EXIT_NO_MATCHING_KEY (96)
The key pattern did not match any key.
EXIT_KEY_EXPIRED (97)
The key is expired.
EXIT_KEY_VALIDITY (98)
The key’s validity is unknown.
EXIT_BAD_KEY (99)
At least one of the listed keys is expired, ambiguous, not validated or the public key is unknown.

Other exit codes stem from gpg or other programs when they are used internally and are passed through.
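The three EXIT_BAD_ROLE_NAME_* rules can be checked locally before a role is created, which lets a batch script fail early with a precise message and the matching exit code. The function below is an added example, not pass team's own validation code; the order in which it checks the rules when a name breaks several of them at once is this example's choice.

```shell
#!/bin/sh
# Added example (not pass team's own code): validate a candidate role name
# against the EXIT_BAD_ROLE_NAME_* rules documented in pass-team(1).
set -eu

EXIT_BAD_ROLE_NAME_DOT_START=92
EXIT_BAD_ROLE_NAME_NO_LATIN_CHAR=93
EXIT_BAD_ROLE_NAME_UNALLOWED_CHAR=94

# Returns 0 for a valid name; otherwise prints the reason to stderr and
# returns the corresponding exit code from the EXIT CODES section.
validate_role_name() {
    name=$1
    # Rule 1: no leading dot (would look like a hidden file in the store).
    case "$name" in
        .*) echo "role name must not start with a dot: $name" >&2
            return "$EXIT_BAD_ROLE_NAME_DOT_START" ;;
    esac
    # Rule 2: only latin letters, arabic numerals, '-', '_' and '.' are allowed.
    # LC_ALL=C keeps the bracket expression to ASCII regardless of the locale,
    # so any multibyte character is left over and rejected.
    leftover=$(printf '%s' "$name" | LC_ALL=C sed 's/[A-Za-z0-9._-]//g')
    if [ -n "$leftover" ]; then
        echo "role name contains an unallowed character: $name" >&2
        return "$EXIT_BAD_ROLE_NAME_UNALLOWED_CHAR"
    fi
    # Rule 3: at least one latin letter (a purely numeric or empty name fails).
    case "$name" in
        *[A-Za-z]*) ;;
        *) echo "role name needs at least one latin letter: $name" >&2
           return "$EXIT_BAD_ROLE_NAME_NO_LATIN_CHAR" ;;
    esac
    return 0
}

# Usage: validate, then create; the exit code of a rejected name is passed on.
create_role_checked() {
    validate_role_name "$1" || return $?
    pass team role create "$1"
}
```

Because the function returns the same numbers the extension uses, a caller can treat a locally rejected name and one rejected by pass team itself identically.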

ENVIRONMENT

PASSWORD_STORE_TEAM_NO_COLOR|NO_COLOR
Set to any value to disable colored output. Alternatively, use the --no-color flag.
PASSWORD_STORE_TEAM_QUIET
Set to any value to display less output which is easier to process for non-human readers. Alternatively, use the --quiet flag.
PASSWORD_STORE_TEAM_DEBUG_LEVEL=[0-3]
Set debug level. A level of ‘0’ does not output any debug messages. Higher levels output more verbose debug messages. Alternatively, use the --debug flags.

SEE ALSO

pass(1), git(1), gpg(1)

COPYING

Copyright (C) 2021-2022 Timm C. Fitschen t.fitschen@indiscale.com

This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with this program. If not, see https://www.gnu.org/licenses/.