
Part 2: The Unix Password Manager pass

Now that your GPG is working perfectly, let's install and configure pass - a simple, secure, and scriptable password manager that wraps GPG encryption around plain text files.

2.1 What is pass and Why It's Perfect for Your Use Case

pass is a password manager that follows the Unix philosophy: do one thing and do it well. Each password lives in its own GPG-encrypted file, organized in a simple directory structure at ~/.password-store/.

Why this is ideal for your NeoMutt setup:

  • Simple retrieval: pass Email/alowree@twineintl.com outputs just the password
  • Scriptable: Perfect for use in isyncrc with PassCmd
  • Cross-platform: Works identically on macOS and Arch Linux
  • Transparent: Each password is a file - easy to backup, sync, or version with Git

2.2 Installation

On Arch Linux

bash
sudo pacman -S pass

On macOS (using Homebrew)

bash
brew install pass

2.3 Initialize Your Password Store

Remember the GPG key ID from Part 1? You'll use it here. Based on your earlier output, your RSA 4096 key ID is 0E4E7F5FCC8D0F57.

bash
# Initialize the password store with your GPG key
pass init "0E4E7F5FCC8D0F57"

You should see output like:

mkdir: created directory '/Users/alowree/.password-store'
Password store initialized for 0E4E7F5FCC8D0F57

Important Note: The trust level of your GPG key must be "ultimate" for pass to work properly. You already set this in Part 1 when you ran gpg --edit-key and selected trust, then 5. If you encounter "unusable public key" errors later, revisit that step.

2.4 Storing Your Email Password

Now let's store the actual password for your Twine email account. This is the password that isync/mbsync will use to connect to your IMAP server.

Method 1: Interactive entry (recommended for first time)

bash
# The -m flag allows multi-line entry (useful if your password spans multiple lines)
pass insert -m Email/alowree@twineintl.com

You'll be prompted:

Enter contents of Email/alowree@twineintl.com and press Ctrl+D when finished:

Type or paste your email password, then press Ctrl+D (or Cmd+D on macOS). The password is now encrypted and stored.

Method 2: Using clipboard (if password is in your clipboard)

bash
# Paste from clipboard into pass
pbpaste | pass insert -m Email/alowree@twineintl.com

Method 3: Generate a new strong password (if changing passwords)

bash
# Generate a 25-character random password
pass generate -c Email/alowree@twineintl.com 25

The -c flag copies the generated password to your clipboard - perfect for updating it in your email provider's settings.

2.5 Verifying Your Stored Password

View the password store structure

bash
pass

Output should look like:

Password Store
└── Email
    └── alowree@twineintl.com

Retrieve and display the password

bash
pass Email/alowree@twineintl.com

This will print your password to the terminal (after prompting for your GPG passphrase if not cached).

Copy to clipboard without displaying

bash
pass -c Email/alowree@twineintl.com

This is much more secure - the password stays in clipboard for 45 seconds (default), then clears automatically.

2.6 Understanding the Password Store Structure

Your ~/.password-store/ directory now contains:

~/.password-store/
├── .gpg-id           # Contains your GPG key ID for this store
└── Email/
    └── alowree@twineintl.com.gpg   # The encrypted password file

Try examining it:

bash
# View the encrypted file (gibberish)
cat ~/.password-store/Email/alowree@twineintl.com.gpg

# View which GPG key protects this store
cat ~/.password-store/.gpg-id

2.7 Multi-line Entries (Important for Complex Credentials)

Some services require more than just a password (username, API keys, etc.). pass handles this elegantly with multi-line entries.

Let's enhance your email entry to include your username as well:

bash
# Edit the existing entry
pass edit Email/alowree@twineintl.com

When your editor opens (vim by default), you can structure it like:

your_actual_email_password_here
Username: alowree@twineintl.com
IMAP: twineintlcom.securemail.hk
SMTP: smtp.example.com

Now when you run pass Email/alowree@twineintl.com, it prints all lines. But here's the magic: tools like isync will only see the first line as the password, while you have extra context stored alongside.

The password-store structure is as follows:

╭╴  alowree on Mac OS at ~ took  22s
╰─❯ pass
Password Store
├── Business
│   ├── amazon
│   ├── figma
│   ├── fiverr
│   ├── siteground
│   ├── soundfreaq
│   └── stackcommerce
├── Email
│   ├── biaget
│   ├── gmail
│   ├── hotmail
│   ├── soundfreaq
│   └── twineintl
├── Social
│   ├── facebook
│   ├── github
│   ├── linkedin
│   └── mycloud
├── Token
└── Wifi
    ├── SOUNDFREAQ 01-2.4G
    ├── SOUNDFREAQ 02-5G
    ├── synchronhk
    └── synchronwl

One of pass's most powerful features is built-in Git support. This allows you to sync your encrypted password store across multiple machines (macOS + Arch Linux) securely.

Initialize Git in your password store

bash
╭╴  alowree on Mac OS at ~
╰─❯ pass git init
Initialized empty Git repository in /Users/alowree/.password-store/.git/
[main (root-commit) 3bfd677] Add current contents of password store.
 Committer: Alowree <alowree@AX-Mac-mini.local>
Your name and email address were configured automatically based
on your username and hostname. Please check that they are accurate.
You can suppress this message by setting them explicitly:

    git config --global user.name "Your Name"
    git config --global user.email you@example.com

After doing this, you may fix the identity used for this commit with:

    git commit --amend --reset-author

 20 files changed, 11 insertions(+)
 create mode 100644 .gpg-id
 create mode 100644 Business/amazon.gpg
 create mode 100644 Business/figma.gpg
 create mode 100644 Business/fiverr.gpg
 create mode 100644 Business/siteground.gpg
 create mode 100644 Business/soundfreaq.gpg
 create mode 100644 Business/stackcommerce.gpg
 create mode 100644 Email/biaget.gpg
 create mode 100644 Email/gmail.gpg
 create mode 100644 Email/hotmail.gpg
 create mode 100644 Email/soundfreaq.gpg
 create mode 100644 Email/twineintl.gpg
 create mode 100644 Social/facebook.gpg
 create mode 100644 Social/github.gpg
 create mode 100644 Social/linkedin.gpg
 create mode 100644 Social/mycloud.gpg
 create mode 100644 Wifi/SOUNDFREAQ 01-2.4G.gpg
 create mode 100644 Wifi/SOUNDFREAQ 02-5G.gpg
 create mode 100644 Wifi/synchronhk.gpg
 create mode 100644 Wifi/synchronwl.gpg
[main d5afe96] Configure git repository for gpg file diff.
 Committer: Alowree <alowree@AX-Mac-mini.local>
Your name and email address were configured automatically based
on your username and hostname. Please check that they are accurate.
You can suppress this message by setting them explicitly:

    git config --global user.name "Your Name"
    git config --global user.email you@example.com

After doing this, you may fix the identity used for this commit with:

    git commit --amend --reset-author

 1 file changed, 1 insertion(+)
 create mode 100644 .gitattributes

This creates a Git repository in ~/.password-store/ and commits your current passwords.

Add a remote repository (GitHub, GitLab, or self-hosted)

bash
pass git remote add origin https://github.com/yourusername/password-store.git

Push your encrypted passwords

bash
╭╴  alowree on Mac OS at ~
╰─❯ pass git push -u --all
Enumerating objects: 29, done.
Counting objects: 100% (29/29), done.
Delta compression using up to 10 threads
Compressing objects: 100% (27/27), done.
Writing objects: 100% (29/29), 13.69 KiB | 13.69 MiB/s, done.
Total 29 (delta 1), reused 0 (delta 0), pack-reused 0 (from 0)
remote: Resolving deltas: 100% (1/1), done.
To https://github.com/Alowree/password-store.git
 * [new branch]      main -> main
branch 'main' set up to track 'origin/main'.

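Security note: Since all files are GPG-encrypted with your key, their contents stay unreadable even if you push them to a public repository. However, entry names and the directory structure are not encrypted, so prefer a private repository, and ensure your .gpg-id file doesn't contain sensitive information.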
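A check worth running before the first push, as an added example that is not part of the original tutorial: pass encrypts file contents only, so entry names and folder layout are readable by anyone who can read the repository. The function names, the two heuristics and the sample store are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original page): show what anyone who can read the
# Git remote learns without holding the GPG key. pass encrypts file contents
# only, so every entry path is plain text in the repository.

# visible_paths STORE_DIR
# Prints every entry name as a repository reader sees it (".gpg" stripped).
# The .git directory itself is skipped.
visible_paths() {
    ( cd "$1" && find . -name .git -prune -o -type f -name '*.gpg' -print ) |
        sed -e 's|^\./||' -e 's|\.gpg$||' |
        LC_ALL=C sort
}

# leaky_entries STORE_DIR
# Subset of visible_paths whose name embeds an e-mail address or a run of
# six or more digits. Both patterns are heuristics chosen for this example.
# Prints nothing (and still succeeds) when no entry matches.
leaky_entries() {
    visible_paths "$1" |
        grep -E '[^/@[:space:]]+@[^/@[:space:]]+\.[A-Za-z]{2,}|[0-9]{6,}' || true
}

# Constructed sample store: empty files stand in for encrypted entries.
make_sample_store() {
    d=$(mktemp -d)
    mkdir -p "$d/Email" "$d/Business" "$d/Bank" "$d/.git"
    : > "$d/.gpg-id"
    : > "$d/Email/alowree@twineintl.com.gpg"   # path style used in section 2.4
    : > "$d/Email/twineintl.gpg"               # path style used in the later tree
    : > "$d/Business/amazon.gpg"
    : > "$d/Bank/acct-00123456.gpg"            # constructed account number
    printf '%s\n' "$d"
}
```

Run `leaky_entries "${PASSWORD_STORE_DIR:-$HOME/.password-store}"` against a real store; any line it prints is an entry worth renaming with pass mv before pushing.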

Pull from Arch Linux

Step 1: Clone the repository manually

You can't directly use pass git clone because pass doesn't have a built-in clone command. However, you can clone the repository manually and then point pass to it. Here are the correct steps:

╭╴  alowree on Arch Linux at ~ took  49s
╰─❯ git clone git@github.com:Alowree/password-store.git ~/.password-store
Cloning into '/home/alowree/.password-store'...
remote: Enumerating objects: 29, done.
remote: Counting objects: 100% (29/29), done.
remote: Compressing objects: 100% (26/26), done.
remote: Total 29 (delta 1), reused 29 (delta 1), pack-reused 0 (from 0)
Receiving objects: 100% (29/29), 13.69 KiB | 6.85 MiB/s, done.
Resolving deltas: 100% (1/1), done.

Step 2: Initialize pass with your GPG key

╭╴  alowree on Arch Linux at ~ took  6s
╰─❯ gpg --list-secret-keys --keyid-format LONG
[keyboxd]
---------
sec   rsa4096/D11D4EB71A6C9DF3 2026-06-02 [SC]
      D167ABCFE10D22BB714C6FE8D11D4EB71A6C9DF3
uid                 [ultimate] Alowree XU (Personal Identity Key) <alowree@hotmail.com>
ssb   rsa4096/1DA696C645BB5017 2026-06-02 [E]


╭╴  alowree on Arch Linux at ~
╰─❯ pass init D11D4EB71A6C9DF3
Password store initialized for D11D4EB71A6C9DF3

Step 3: Verify everything works

# List passwords (should show everything from macOS)
╭╴  alowree on Arch Linux at ~
╰─❯ pass
Password Store
├── Business
│   ├── amazon
│   ├── figma
│   ├── fiverr
│   ├── siteground
│   ├── soundfreaq
│   └── stackcommerce
├── Email
│   ├── biaget
│   ├── gmail
│   ├── hotmail
│   ├── soundfreaq
│   └── twineintl
├── Social
│   ├── facebook
│   ├── github
│   ├── linkedin
│   └── mycloud
└── Wifi
    ├── SOUNDFREAQ 01-2.4G
    ├── SOUNDFREAQ 02-5G
    ├── synchronhk
    └── synchronwl

# Test retrieving a password
╭╴  alowree on Arch Linux at ~
╰─❯ pass Email/soundfreaq

# Check that .gpg-id is set correctly, same as that on your macOS
╭╴  alowree on Arch Linux at ~ took  8s
╰─❯ cat ~/.password-store/.gpg-id
D11D4EB71A6C9DF3

Step 4: Set up git remote for future syncing

╭╴  alowree on Arch Linux at ~
╰─❯ cd .password-store

# Check the remote URL
╭╴  alowree on Arch Linux via  main at ~/.password-store
╰─❯ git remote -v
origin  git@github.com:Alowree/password-store.git (fetch)
origin  git@github.com:Alowree/password-store.git (push)

Step 5: Test git operations with pass

# Make a test change
# Any change you make through the pass command is auto-committed
╭╴  alowree on Arch Linux via  main at ~/.password-store
╰─❯ pass insert Business/amazon-uk
Enter password for Business/amazon-uk:
Retype password for Business/amazon-uk:
[main 0704b89] Add given password for Business/amazon-uk to store.
 1 file changed, 0 insertions(+), 0 deletions(-)
 create mode 100644 Business/amazon-uk.gpg

# Check git status
╭╴  alowree on Arch Linux via  main at ~/.password-store took  33s
╰─❯ pass git status
On branch main
Your branch is ahead of 'origin/main' by 1 commit.
  (use "git push" to publish your local commits)

nothing to commit, working tree clean

# Push to the remote
╭╴  alowree on Arch Linux via  main at ~/.password-store
╰─❯ pass git push
Enumerating objects: 6, done.
Counting objects: 100% (6/6), done.
Delta compression using up to 16 threads
Compressing objects: 100% (4/4), done.
Writing objects: 100% (4/4), 960 bytes | 960.00 KiB/s, done.
Total 4 (delta 2), reused 0 (delta 0), pack-reused 0 (from 0)
remote: Resolving deltas: 100% (2/2), completed with 2 local objects.
To github.com:Alowree/password-store.git
   d5afe96..0704b89  main -> main

Step 6: Verify on macOS (pull the change)

╭╴  alowree on Mac OS at ~
╰─❯ pass git pull
remote: Enumerating objects: 6, done.
remote: Counting objects: 100% (6/6), done.
remote: Compressing objects: 100% (2/2), done.
remote: Total 4 (delta 2), reused 4 (delta 2), pack-reused 0 (from 0)
Unpacking objects: 100% (4/4), 940 bytes | 188.00 KiB/s, done.
From https://github.com/Alowree/password-store
   d5afe96..0704b89  main       -> origin/main
Updating d5afe96..0704b89
Fast-forward

Common Git operations with pass

bash
pass git status      # Check for changes
pass git pull        # Get updates from remote
pass git push        # Send local changes
pass git log         # View password change history

Every time you add, edit, or remove a password, pass automatically creates a Git commit with a descriptive message.

2.9 Essential pass Commands Reference

Here's a quick reference of the most useful commands:

Command                         Description
pass or pass ls or pass show    List all passwords in the store
pass init KEY-ID                Initialize password store with GPG key
pass insert PATH                Insert a new password (prompts securely)
pass insert -m PATH             Insert multi-line content
pass edit PATH                  Edit existing entry with $EDITOR
pass generate PATH N            Generate a random N-character password
pass generate -c PATH N         Generate and copy to clipboard
pass -c PATH                    Copy password to clipboard (45 sec timeout)
pass rm PATH                    Remove a password entry
pass rm -r PATH                 Remove directory recursively
pass mv OLD NEW                 Rename/move an entry
pass cp OLD NEW                 Copy an entry
pass grep SEARCH                Search inside decrypted passwords
pass find NAME                  Find entries by name
pass git COMMAND                Run any Git command on the store

2.10 Testing Your Setup for NeoMutt/isync

Let's verify that pass will work seamlessly with your isyncrc configuration.

Test the command that will be used in PassCmd

bash
# This is exactly what isync will execute
pass Email/alowree@twineintl.com

It should output your password on the first line. If you added a username on line 2, that's fine - pass outputs every line of the entry, but isync will only use the first line as the password.
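The multi-line layout from section 2.7, split the way a first-line consumer such as PassCmd needs it, as an added example that is not part of the original tutorial: line 1 is the secret and later "Key: value" lines are metadata. The function names, the label list in entry_layout_ok and the sample entry are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original page). Each function reads a decrypted
# entry on stdin, e.g.  pass show Email/alowree@twineintl.com | entry_password

# First line only: the part of the entry that is the password.
entry_password() {
    sed -n '1p'
}

# entry_field NAME
# Value of the first "NAME: value" line found after line 1. Line 1 is never
# searched, so a password that happens to contain "NAME:" is not misread.
entry_field() {
    awk -v key="$1" '
        NR > 1 {
            i = index($0, ":")
            if (i > 0 && substr($0, 1, i - 1) == key) {
                v = substr($0, i + 1)
                sub(/^[ \t]+/, "", v)
                print v
                exit
            }
        }'
}

# Fails when line 1 is empty or looks like a metadata label, the layout
# mistake that makes a first-line consumer send "Username: ..." as the
# password. The label list is a heuristic for this example.
entry_layout_ok() {
    first=$(sed -n '1p')
    [ -n "$first" ] || return 1
    case $first in
        Username:*|User:*|Login:*|IMAP:*|SMTP:*|URL:*) return 1 ;;
    esac
    return 0
}

# Constructed sample entry in the section 2.7 layout (not a real secret).
sample_entry() {
    printf '%s\n' \
        'S3cret:with:colons' \
        'Username: alowree@twineintl.com' \
        'IMAP: twineintlcom.securemail.hk' \
        'SMTP: smtp.example.com'
}
```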

Test with clipboard timeout (useful for other contexts)

bash
# Change the clipboard timeout to 30 seconds (default is 45)
export PASSWORD_STORE_CLIP_TIME=30
# Copy to clipboard; it clears after the timeout
pass -c Email/alowree@twineintl.com

2.11 Environment Variables for Customization

pass respects several environment variables that you can set in your shell config:

bash
# Add to your ~/.zshrc or ~/.bashrc

# Change the location of the password store (if not using default)
export PASSWORD_STORE_DIR=~/.pass-store

# Change clipboard timeout from default 45 seconds
export PASSWORD_STORE_CLIP_TIME=30

# For Wayland users (Linux only)
export PASSWORD_STORE_X_SELECTION=primary  # Use primary selection (middle-click)

2.12 Security Best Practices

  1. Never share your GPG private key: It's stored in ~/.gnupg/private-keys-v1.d/
  2. Use a strong GPG passphrase: This is the master key to all your passwords
  3. Backup your .password-store and .gnupg directories: Without them, passwords are lost forever
  4. Consider using a smartcard or YubiKey: For high-security environments
  5. Regularly update your passwords: Use pass generate to create strong, unique passwords

Troubleshooting Common Issues

"gpg: decryption failed: No pinentry"

bash
# Set GPG_TTY (same as Part 1)
export GPG_TTY=$(tty)
# Add to your ~/.zshrc permanently
echo 'export GPG_TTY=$(tty)' >> ~/.zshrc

"Error: Unusable public key"

Your GPG key doesn't have ultimate trust:

bash
gpg --edit-key 0E4E7F5FCC8D0F57
# At the prompt:
trust
5
quit
# Then re-encrypt the store:
pass init 0E4E7F5FCC8D0F57

Passphrase prompt every time

Configure gpg-agent caching as we did in Part 1. The settings in ~/.gnupg/gpg-agent.conf control how long your passphrase stays cached.

What's Next?

Now that pass is set up with your email password, Part 3 will show you how to:

  • Update your ~/.config/isyncrc to use pass instead of Keychain
  • Configure NeoMutt to retrieve passwords from pass
  • Create a unified configuration that works on both macOS and Arch Linux
  • Set up proper permissions and environment variables for automation

Ready to proceed to Part 3 when you are!

In Step 2.6, ~/.password-store/.gpg-id contains my GPG key ID for this store, but the email ID is "alowree@soundfreaq.com", which I generated earlier today. Now, since both alowree@twineintl.com and alowree@soundfreaq.com are work emails, I intend to revise my GPG key ID for the store to "alowree@hotmail.com", which is my personal email. Explain whether this is a good approach, and how I should proceed next: revise, or delete and re-generate the .password-store folder?

Analysis: Should You Use Your Personal Email for GPG Key ID?

This is an excellent question that touches on important security and identity management principles. Let me give you a clear answer and then guide your next steps.

The Short Answer

No, don't use alowree@hotmail.com as your GPG key ID for work passwords. Instead, use your work email alowree@twineintl.com for the work password store.

Why This Matters: GPG Key IDs Are Identity Claims

When you set a GPG key ID in .gpg-id, you're not just choosing a label - you're telling pass to encrypt all passwords to the key associated with that email identity, so only the matching private key can decrypt them. Here's the critical distinction:

Email Identity            Purpose                          Who Has Access
alowree@twineintl.com     Work email, company resources    You (work identity)
alowree@soundfreaq.com    Another work email               You (work identity)
alowree@hotmail.com       Personal email                   You (personal identity)

The problem: If you use your personal GPG key (hotmail) to encrypt work passwords, you're creating an audit and access nightmare:

  • If you leave the company, you still have work passwords encrypted with your personal key
  • If you lose your personal key, you lose access to work credentials
  • There's no clear separation between work and personal digital identity

The Better Approach: Multiple Password Stores

pass supports multiple stores elegantly. Here's the professional setup:

Store 1: Work Passwords (encrypted with work GPG key)

bash
# Create separate work store
export PASSWORD_STORE_DIR=~/.password-store-work
pass init "0E4E7F5FCC8D0F57"  # Your work GPG key
pass insert Email/alowree@twineintl.com

Store 2: Personal Passwords (encrypted with personal GPG key)

bash
# Create separate personal store
export PASSWORD_STORE_DIR=~/.password-store-personal
pass init "YOUR_PERSONAL_GPG_KEY_ID"  # Your hotmail GPG key
pass insert Email/alowree@hotmail.com

What's Currently Wrong with Your Setup

From your description, your .password-store/.gpg-id contains a key ID associated with alowree@soundfreaq.com, but you're storing alowree@twineintl.com passwords there. These identities are mismatched - you should fix it.

Step 1: Create a Proper GPG Key for Your Personal Email

First, generate a GPG key for your personal identity:

bash
gpg --full-generate-key
# Use:
# - Your real name (e.g., "Alowree XU")
# - Email: alowree@hotmail.com
# - Comment: "Personal Key"
# - RSA 4096, no expiration

Note the new key ID (e.g., AAAAAAAAAAAAAAAA).

Step 2: Clean Up Current Mismatched Store

Delete the current password store that has the wrong identity:

bash
# Backup anything important first (though there's nothing yet)
ls -la ~/.password-store/

# Delete the mismatched store
rm -rf ~/.password-store/

Step 3: Create Separate Stores for Work and Personal

For Work (Twine and SoundFreaq):

bash
# Create work store directory
mkdir -p ~/.password-store-work

# Initialize with your existing work GPG key
export PASSWORD_STORE_DIR=~/.password-store-work
pass init "0E4E7F5FCC8D0F57"  # Your existing work key

# Add your work email passwords
pass insert Email/alowree@twineintl.com
pass insert Email/alowree@soundfreaq.com

For Personal (Hotmail):

bash
# Create personal store directory
mkdir -p ~/.password-store-personal

# Initialize with your new personal GPG key
export PASSWORD_STORE_DIR=~/.password-store-personal
pass init "AAAAAAAAAAAAAAAA"  # Your new personal key ID

# Add personal passwords
pass insert Email/alowree@hotmail.com

Step 4: Create Convenience Scripts or Aliases

Add these to your ~/.zshrc for easy switching:

bash
# Password store aliases
alias pass-work='PASSWORD_STORE_DIR=~/.password-store-work pass'
alias pass-personal='PASSWORD_STORE_DIR=~/.password-store-personal pass'

# Default to work (since you're usually using work email)
alias pass='pass-work'

Now you can use:

  • pass-work Email/alowree@twineintl.com - get work password
  • pass-personal Email/alowree@hotmail.com - get personal password
  • pass alone uses work (if you set the alias)

Step 5: Configure isync/NeoMutt to Use the Correct Store

In your ~/.config/isyncrc, you'll need to specify which store to use:

bash
# For work email account
PassCmd "PASSWORD_STORE_DIR=$HOME/.password-store-work pass Email/alowree@twineintl.com"

And similarly if you ever configure a personal email in NeoMutt.

Step 6: Consider Merging Work Emails Under One Key

Since both alowree@twineintl.com and alowree@soundfreaq.com are work emails, you have two options:

Option A (Recommended): Add both emails to your existing work GPG key

bash
gpg --edit-key 0E4E7F5FCC8D0F57
# At the prompt:
adduid
# Enter: Alowree XU (Work Email) <alowree@soundfreaq.com>
# Save the new user ID and exit
save

Now one key works for both work identities.

Option B: Keep separate keys for each work email (more secure but more complex)

Why Not Just Use One Key for Everything?

Here's what happens if you use your personal hotmail key for everything:

Good: You remember one passphrase
Bad:  If your personal email is compromised, ALL work credentials are exposed
Bad:  When you leave Twine, you still have their passwords encrypted with your key
Bad:  Your employer can't verify that you've destroyed access to their systems
Bad:  Compliance violations (many companies require work data encrypted with work keys)

Final Recommendation

For your specific situation:

  1. Use your existing work GPG key (0E4E7F5FCC8D0F57) for both alowree@twineintl.com and alowree@soundfreaq.com
  2. Create a new personal GPG key for alowree@hotmail.com
  3. Use separate password stores as shown above
  4. Delete the mismatched .password-store and start clean

This setup:

  • ✅ Maintains clear separation between work and personal identity
  • ✅ Allows you to sync work passwords across work devices only
  • ✅ Lets you sync personal passwords everywhere (if desired)
  • ✅ Is professional and auditable
  • ✅ Works perfectly with your planned isync/NeoMutt setup

Quick Fix Commands (If You Want to Proceed)

Here's the exact sequence to fix your current situation:

bash
# 1. Delete the mismatched store
rm -rf ~/.password-store/

# 2. Create clean work store
mkdir -p ~/.password-store-work
PASSWORD_STORE_DIR=~/.password-store-work pass init "0E4E7F5FCC8D0F57"

# 3. Add your Twine email password
PASSWORD_STORE_DIR=~/.password-store-work pass insert Email/alowree@twineintl.com

# 4. Add alias to shell config
echo 'alias pass-work="PASSWORD_STORE_DIR=\$HOME/.password-store-work pass"' >> ~/.zshrc
source ~/.zshrc

# 5. Test it
pass-work Email/alowree@twineintl.com

Now you're ready to proceed with Part 3 - configuring your actual isyncrc file!

.password-store best practices

For the pass command-line utility, best practices focus on robust GPG key management, encrypted Git synchronization, and disciplined store organization to secure and manage your credentials. [1]

  1. GPG & Encryption Configuration

    • Use Subkeys: Never store your master GPG key on a daily machine. Create dedicated, short-lived GPG subkeys for each device you use to access the store.
    • Key Length: Use at least a 4096-bit RSA key or a strong ECC curve (e.g., Ed25519) to future-proof your encryption.
    • Back Up Keys: Keep an encrypted, offline backup of your primary GPG master key (e.g., in a physical safe or air-gapped drive) in case a device is lost.
  2. Synchronization & Version Control

    • Encrypt Git Remotes: The built-in Git integration is powerful, but ensure your remote repository (e.g., on GitHub or GitLab) is private. Because file names, directory structures, and modification times remain visible, you must prevent metadata leakage.
    • Avoid Syncing .gpg-id Conflicts: Be careful when initializing new stores across multiple machines simultaneously to avoid branching history in your Git remote.
  3. Store Organization & Usage

    • Structure Hierarchically: Group passwords by category (e.g., pass insert work/email or pass insert banking/chase) to make navigation easier and allow for granular subkey permissions.
    • Store Metadata Wisely: While the pass tool only encrypts the file content, your folder names and filenames are unencrypted. Avoid putting sensitive details (like full usernames or account numbers) in the file path.
    • Generate Strong Secrets: Utilize the built-in password generator with at least 24 to 32 characters, including uppercase, lowercase, numbers, and symbols: pass generate service/name 32
  4. Extensions & Integrations

    • Use Browser Extensions: Integrate with PassFF to enable autofill directly in your browser.
    • Integrate with OS/Dev Tools: If using it for system-level credentials, map your applications to use pass via docker-credential-helpers.
  5. Client Security

    • Clipboard Clearing: pass -c clears the clipboard after 45 seconds. Do not reveal the password in plain text on screen, and avoid manually highlighting and copying it to prevent persistence in clipboard history managers.
    • Protect GPG Agent Caching: Set a reasonable timeout for your GPG agent cache (default-cache-ttl in ~/.gnupg/gpg-agent.conf) so your passwords aren't instantly accessible if you step away from an unlocked machine.