rguziy/spass


📧 spass (Simple Pass)

spass is a minimalist, zero-dependency password manager written in Go. It is designed specifically for system administrators and automation tasks (like cron jobs) where non-interactive access to secrets is required without sacrificing modern encryption standards.

Unlike traditional managers, spass eliminates the need for GPG agents or complex background daemons by using the age (Actually Good Encryption) format.

🌟 Key Features

  • Zero Interactivity: No PINs or master passwords required during runtime (if configured).
  • Single File Database: All secrets are stored in a single encrypted INI file (spass.db).
  • Portable: Compiled into a single static binary. No dependencies required on the host system.
  • Flexible Identity: Specify your private key via CLI flags, environment variables, or default paths.
  • Audit-Friendly: Clean, minimal Go code that uses official, well-audited encryption libraries.

🚀 Getting Started

Installation

Build the binary from source:

make 
# or 
go build -o spass cmd/spass.go

📌 Initializing the Store

Create a new age key and an empty database.

spass init

Note: This will prompt for confirmation if a key already exists to prevent accidental data loss.

🛠 Managing Secrets

Add a secret:

spass add gitpass

You will be prompted to enter the password via stdin.

Retrieve a secret (for automation):

# Direct output to stdout
spass show gitpass

# Usage in a script
MY_PASS=$(spass show gitpass)

Remove a secret:

spass remove gitpass

List all stored services:

spass list

🔐 Security & Architecture

Encryption

Secrets are encrypted using X25519 recipients (age format) and stored as Base64-encoded strings within an INI database.

Key Management

spass looks for your private key (age.key) in the following order of priority:

  1. CLI Flag: --key /path/to/age.key
  2. Env Var: SPASS_KEY=/secret/path/age.key
  3. Default: ~/.config/spass/age.key

Responsibility Model

The program operates on a Local Trust model. Security is enforced by the operating system's file permissions (chmod 600) or physical isolation (e.g., keeping the key on a RAM-disk or encrypted USB).

  • Against Disk Theft: If the spass.db is stolen without the age.key, your data remains secure.
  • Against Local Admin: A root/admin user can always see process memory or environment variables; spass is designed for trusted server environments.
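
A pre-flight check for the key lookup order and the chmod 600 expectation described above, written as an added example that is not part of spass's own code. The function names and the decision to reject symlinked keys are assumptions of this example.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
)

// resolveKeyPath applies the documented priority: --key flag, then SPASS_KEY,
// then ~/.config/spass/age.key. Hypothetical helper, not a spass function.
func resolveKeyPath(flagKey, envKey, home string) string {
	if flagKey != "" {
		return flagKey
	}
	if envKey != "" {
		return envKey
	}
	return filepath.Join(home, ".config", "spass", "age.key")
}

// checkKeyFile rejects a key that is not a regular file (symlinks included,
// a policy choice of this example) or that group/other can access.
func checkKeyFile(path string) error {
	info, err := os.Lstat(path) // Lstat does not follow symlinks
	if err != nil {
		return err
	}
	if !info.Mode().IsRegular() {
		return fmt.Errorf("key %s is not a regular file", path)
	}
	if perm := info.Mode().Perm(); perm&0o077 != 0 {
		return fmt.Errorf("key %s has mode %04o, want 0600 or stricter", path, perm)
	}
	return nil
}

func main() {
	// No --key flag is parsed here; only SPASS_KEY and the default are checked.
	home, err := os.UserHomeDir()
	path := resolveKeyPath("", os.Getenv("SPASS_KEY"), home)
	if err == nil {
		err = checkKeyFile(path)
	}
	if err != nil {
		fmt.Fprintln(os.Stderr, "refusing to use key:", err)
		os.Exit(1)
	}
	fmt.Println(path)
}
```

Run it ahead of `spass show` in a cron wrapper so a job fails loudly when the key's permissions have drifted.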

🚀 Migration from pass (GPG)

The repository includes a helper script ./scripts/migrate_pass_to_spass.sh to automate the transition from a standard GPG-based password store to spass.

How it works:

  1. It scans your ~/.password-store for .gpg files.
  2. It uses your system's pass command to decrypt secrets.
  3. It pipes the plain text directly into spass add using Silent Mode (-s).

Usage:

  1. Ensure your GPG agent is running (so you don't type your master password for every single entry).
  2. Run the migration:
   chmod +x migrate_pass_to_spass.sh
   ./migrate_pass_to_spass.sh
  3. Verify the result:
   spass list

Note: After migration, you can safely disable gpg-agent and remove your GPG keys from the server. Your new workflow will rely solely on the age.key.

📄 License

This project is licensed under the MIT License.
