The show command is the most important and most frequently used command.
It allows displaying and copying the content of the secrets managed by gopass.
$ gopass show entry
$ gopass show entry key
$ gopass show entry --qr
$ gopass show entry --password
- Show the whole entry:
gopass show entry - Show a specific key of the given entry:
gopass show entry key(only works for key-value or YAML secrets)
| Flag | Aliases | Description |
|---|---|---|
--clip |
-c |
Copy the password value into the clipboard and don't show the content. |
--alsoclip |
-C |
Copy the password value into the clipboard and show the content. |
--qr |
Encode the password field as a QR code and print it. Note: When combining with -c/-C the unencoded password is copied. Not the QR code. |
|
--unsafe |
-u |
Display unsafe content (e.g. the password) even when the safecontent option is set. No-op when safecontent is false. |
--password |
-o |
Display only the password. For use in scripts. Takes precedence over other flags. |
--revision |
-r |
Display a specific revision of the entry. Use an exact version identifier from gopass history or the special -<N> syntax. Does not work with native (e.g. git) refs. |
--noparsing |
-n |
Do not parse the content, disable YAML and Key-Value functions. |
--chars |
Display selected characters from the password. |
This section describes the expected behaviour of the show command with respect to different combinations of flags and
config options.
Note: This section describes the expected behaviour, not necessarily the observed behaviour. If you notice any discrepancies please file a bug and we will try to fix it.
TODO: We need to specify the expectations around new lines.
- When no flag is set the
showcommand will display the full content of the secret and will parse it to support key-value lookup and YAML entries. If thesafecontentoption is set totrueany secret fields (current default is onlypassword) are replaced with a random number of '*' characters (length: 5-10). Using the--unsafeflag will reveal these fields even ifsafecontentis enabled.--passwordtakes precedence ofsafecontent=trueas well and displays only the password. - The
--noparsingflag will disable all parsing of the output, this can help debugging YAML secrets for example, wherekey: 0123actually parses into octal for 83. - The
--clipflag will copy the value of thePasswordfield to the clipboard and doesn't display any part of the secret. - The
--alsoclipoption will copy the value of thePasswordfield but also display the secret content depending on thesafecontentsetting, i.e. obstructing thePasswordfield ifsafecontentistrueor just displaying it if not. - The
--qrflags operates complementary to other flags. It will additionally format the value of thePasswordentry as a QR code and display it. Other than that it will honor the other options, e.g.gopass show --qrwill display the QR code and the whole secret content below. One special case is the-oflag, this flag doesn't make a lot of sense in combination, so if both--qrand-oare given only the QR code will be displayed. - Since gopass plans to supports different RCS backends we do not support arbitrary git refs as arguments to the
--revisionflag. Using those might work, but this is explicitly not supported and bug reports will be closed aswont-fix. There are two issues with using arbitrary git refs is that (a) this doesn't work with non-git RCS backends and (b) git versions a whole repository, not single files. So the revisionHEAD^might not have any changes for a given entry. Thus we only support specifc revisions obtained fromgopass historyor our custom syntax-Nwhere N is an integer identifying a specific commit beforeHEAD(cf.HEAD~N).
Secrets are stored on disk as provided, but are parsed upon display to provide extra features such as the ability
to show the value of a key using: gopass show entry key.
The secrets are split into 3 categories:
-
the plain type, which is just a plain secret without key-value capabilities
this is a plain secret using multiple lines and that's itgets parsed to the same value
-
the key-value type, which allows to query the value of a specific key. This does not preserve ordering.
this is a KV secret where: the first line is the password and: the keys are separated from their value by : and maybe we have a body text below itwill be parsed into (with
safecontentenabled):and: the keys are separated from their value by : where: the first line is the password and maybe we have a body text below it -
the YAML type which implements YAML support, which means that secrets are parsed as per YAML standard.
s3cret --- invoice: 0123 date : 2001-01-23 bill-to: &id001 given : Bob family : Doe ship-to: *id001will be parsed into (with
safecontentenabled):bill-to: map[family:Doe given:Bob] date: 2001-01-23 00:00:00 +0000 UTC invoice: 83 ship-to: map[family:Doe given:Bob]Note how the
0123is interpreted as octal for 83. If you want to store a string made of digits such as a numerical username, it should be enclosed in string delimiters:username: "0123"will always be parsed as the string0123and not as octal.
Both the key-value and the YAML format support so-called "unsafe-keys", which is a key-value that allows you to specify keys that should be hidden when using gopass show with gopass config safecontent set to true.
E.g:
supersecret
---
age: 27
secret: The rabbit outran the tortoise
name: John Smith
unsafe-keys: age,secret
will display (with safecontent enabled):
age: *****
name: John Smith
secret: *****
unsafe-keys: age,secret
unless it is called with gopass show -n that would disable parsing of the body, but still hide the password, or gopass show -f that would show everything that was hidden, including the password.
You can read more about secrets formats in its documentation.
Notice that if the option parsing is disabled in the config, then all secrets are handled as plain secrets.