A commandline utility for the Enpass password manager.
Go get yourself a compiled binary from the releases page.
$ # set an alias to easily reuse
$ alias enp="enpasscli -vault=/my-vault-dir/ -sort"
$ # list anything containing 'twitter' (without password)
$ enp list twitter
$ # show passwords of 'enpass.com'
$ enp show enpass.com
$ # show every field of every entry matching 'github' (incl. TOTP code)
$ enp -detailed show github
$ # copy password of 'reddit.com' entry to clipboard
$ enp copy reddit.com
$ # print password of 'github.com' to stdout, useful for scripting
$ password=$(enp pass github.com)
$ # create a new entry
$ enp create -title="My Service" -login="user@example.com" -password="secret123" -url="https://example.com"
$ # edit an existing entry
$ enp edit github.com -password="newsecret"
$ # move an entry to trash
$ enp trash github.com
$ # restore an entry from trash
$ enp restore github.com
$ # permanently delete a trashed entry
$ enp delete github.com| Name | Description |
|---|---|
list FILTER |
List vault entries matching FILTER without password |
show FILTER |
List vault entries matching FILTER with password |
copy FILTER |
Copy the password of a vault entry matching FILTER to the clipboard |
pass FILTER |
Print the password of a vault entry matching FILTER to stdout |
create |
Create a new entry in the vault |
edit FILTER |
Edit an existing entry matching FILTER |
trash FILTER |
Move an entry matching FILTER to the trash |
restore FILTER |
Restore an entry matching FILTER from the trash |
delete FILTER |
Permanently delete a trashed entry matching FILTER |
dryrun |
Opens the vault without reading anything from it |
version |
Print the version |
help |
Print the help text |
| Name | Description |
|---|---|
-vault=PATH |
Path to your Enpass vault |
-keyfile=PATH |
Path to your Enpass vault keyfile |
-type=TYPE |
The type of your card (password, ...) |
-log=LEVEL |
The log level (trace, debug, info, warn, error, fatal, panic) |
-nonInteractive |
Disable prompts and fail instead |
-json |
Output as JSON to stdout |
-pin |
Enable Quick Unlock using a PIN |
-and |
Combines filters with AND instead of default OR |
-sort |
Sort the output by title and username of the list and show command |
-trashed |
Show trashed items in the list and show command |
-detailed |
Show every field of each entry in list and show instead of only the summary fields (title, login, category, label, type) |
-clipboardPrimary |
Use primary X selection instead of clipboard for the copy command |
-title=TITLE |
Title for create/edit commands |
-login=LOGIN |
Login/username for create/edit commands |
-password=PASSWORD |
Password for create/edit commands |
-url=URL |
URL for create/edit commands |
-notes=NOTES |
Notes for create/edit commands |
-category=CATEGORY |
Category for create/edit commands (default: Login) |
-force |
Skip confirmation prompts for trash/delete commands |
With -detailed, fields of type totp are treated as sensitive: their
secret key is never displayed by the list command and the field is masked
the same way passwords are. The show command computes the current
RFC 6238 code for the
field and prints it alongside the secret key. Both bare base32 secrets and
otpauth://totp/... URIs (honoring the period, digits and algorithm
parameters) are supported. If the stored value can't be parsed, show
prints <dynamic TOTP value> instead of a code so the user knows the field
holds a generated value rather than a static one.
| Name | Description |
|---|---|
MASTERPW |
Vault master password (skips the interactive prompt) |
ENP_PIN |
PIN value when -pin is enabled (skips the PIN prompt) |
ENP_PIN_PEPPER |
Pepper mixed into the PIN-derived key |
ENP_PIN_ITER_COUNT |
KDF iteration count for the PIN (default: 100000) |
# to run it from code
% go run ./cmd/... -vault=foo list
# to build it yourself
% make build
% ./enpass-cli -vault=foo list$ go test -v $(go list ./... | grep -v /vendor/)See the documentation on pkg.go.dev.