pass insert: Add a Secret to the Store
pass insert creates or replaces an entry in the password store, encrypting the value to the store GPG recipients.
pass insert is interactive by default (it prompts twice for the value). To script it in CI you feed the value on stdin or use multiline mode, then commit the encrypted file.
What it does
pass insert <name> prompts for a value, encrypts it to the store's gpg-id recipients, and writes <name>.gpg. -m allows a multiline value (terminated by Ctrl-D). Feeding the value on stdin makes it non-interactive.
Common usage
# interactive (prompts twice)
pass insert ci/deploy-token
# non-interactive, multiline value from a heredoc
pass insert -m ci/config <<'EOF'
API_KEY=abc123
EOFOptions
| Flag | What it does |
|---|---|
| -m, --multiline | Read a multi-line value until EOF |
| -e, --echo | Echo the value while typing (single line) |
| -f, --force | Overwrite an existing entry without asking |
In CI
Use -m with a heredoc (or pipe) so pass reads the secret from stdin instead of the double prompt. The store must already be initialized (pass init) with a gpg-id the runner can encrypt to; only the public key is needed to insert.
Common errors in CI
"Error: ... .gpg-id ... does not exist" means the store is not initialized; run pass init <keyid> first. A single-line pass insert that hangs is waiting on the confirmation prompt; use -m with piped input or -e. "gpg: <id>: skipped: No public key" means the recipient key is not in the keyring.