Adding a gopass recipient


Gopass is a rewrite of pass in go. For more information, check out their documentation.


  • tools: git, gpg2, gopass
  • a gpg2 key pair
  • access to the repository with the secrets
  • co-worker which has also access to the repository (write permissions)

To be able to read / write secrets, you need a gpg2 key. The following command walks you through the necessary steps.

gpg2 --full-gen-key

Afterwards, export your (public) key and ownertrust. Replace $YOUR_NAME with the name you used during the setup.

Note: ownertrust seems to be needed in order for the other person to be able to read the user id (uid).

gpg2 -a --export $YOUR_NAME >
gpg2 --export-ownertrust > trust.txt

Your co-worker now has to import the ownertrust and your key as well as lsign and trust your key.

gpg2 --import-ownertrust trust.txt
gpg2 --import

For trusting and signing your key, you need the key ID which you can find with gpg2 --list-keys. Replace $KEY_NAME with the ID you found.

gpg2 --edit-key $KEY_NAME
< ... > 
< ... > 
< ... >

Now all that is left is for your co-worker to actually add you as a gopass recipient: gopass recipient add, select your key, approve and run gopass sync.

You still have to clone the repository and do the same with every key in the ~/.password-store/.public-keys folder. Then you are good to go.

Back to the archive