# Pass Password Store — Backup Recovery Guide

## How to Restore

### Prerequisites

```bash
brew install age ssss pass
```

### 1. Reconstruct the passphrase

Collect any 3 of the 5 shares, then:

```bash
ssss-combine -t 3 -q
# paste 3 shares when prompted; outputs the passphrase
```

### 2. Decrypt the archive

```bash
age -d -o secrets.tar.gz secrets.tar.gz.age
# paste the passphrase when prompted
tar -xzf secrets.tar.gz
```

### 3. Import GPG keys

```bash
gpg --import new_pub.asc
gpg --import new_secret.asc
```

Mark your own key as trusted:

```bash
gpg --edit-key EAB14D8405F7F6CFFE8B26BC5B91EB2A6CA3B89F
# at the gpg> prompt:
trust
# select 5 (ultimate)
quit
```

### 4. Restore the password store

```bash
git clone pass_backup_YYYYMMDD.bundle ~/.password-store
```

Another option is to clone it to a temporary directory and decrypt individual files manually as needed.

### 5. Verify

```bash
pass ls
```

## How the backup was created

1. Create secrets dir
1. Export GPG keys to secrets dir
1. Create Git Bundle and move it to secrets dir
1. Tar compress the secrets dir
1. Generate password
1. Use password to encrypt the secrets dir with age
1. Split the password with ssss

### 1. Create Git Bundle

```bash
mkdir /tmp/pass-backup
cd ~/.password-store
git bundle create /tmp/pass-backup/pass_backup_$(date +%Y%m%d).bundle --all
```

This exports the full repo with complete history. The resulting file can be cloned directly:

```bash
git clone pass_backup_YYYYMMDD.bundle restored-password-store
```

### 2. Export GPG Keys

```bash
# --armor on both exports so the .asc files are ASCII-armored
gpg --export --armor xxxxxxxxxxx > new_pub.asc
gpg --export-secret-keys --armor xxxxxxxxxx > new_secret.asc
```

### 3. Encrypt the bundle with age

```bash
brew install age
# -p encrypts with a passphrase; age prompts for it
age -p pass_backup_20260605.bundle > pass_backup_20260605.bundle.age
```

### 4. Generate password

```bash
openssl rand -base64 96 > pw.txt
```

Then open `pw.txt` and delete the newline.

### 5. Split file with ssss

```bash
cat pw.txt | ssss-split -t 3 -n 5 -q > splits.txt
```
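
A pre-flight check for the password and split steps above, as an added example that is not part of the original guide: it confirms `pw.txt` contains no newline before it is split, and that `splits.txt` holds five well-formed shares afterwards. The 128-byte limit and the `index-hexdigits` share format are assumptions about `ssss`, and the function names are hypothetical.

```shell
#!/usr/bin/env bash
# Added example (not from the original guide): sanity checks to run
# on pw.txt before ssss-split and on splits.txt afterwards.

# pw.txt must be non-empty, contain no newline, and be at most 128 bytes.
# Assumption: 128 bytes (1024 bits) is the largest secret ssss-split takes.
check_passphrase_file() {
    local f="$1" lines bytes
    [ -s "$f" ] || { echo "FAIL: $f is missing or empty" >&2; return 1; }
    lines=$(wc -l < "$f" | tr -d ' ')
    bytes=$(wc -c < "$f" | tr -d ' ')
    if [ "$lines" -ne 0 ]; then
        echo "FAIL: $f contains $lines newline(s)" >&2; return 1
    fi
    if [ "$bytes" -gt 128 ]; then
        echo "FAIL: $f is $bytes bytes, over the 128-byte limit" >&2; return 1
    fi
    echo "OK: $f is one line of $bytes bytes"
}

# splits.txt must hold exactly n shares (default 5), one per line, numbered
# 1..n in order. Assumption: ssss-split -q prints shares as "index-hexdigits".
check_shares_file() {
    local f="$1" n="${2:-5}" i=0 line
    [ -r "$f" ] || { echo "FAIL: cannot read $f" >&2; return 1; }
    while IFS= read -r line || [ -n "$line" ]; do
        i=$((i + 1))
        if ! printf '%s\n' "$line" | grep -Eq "^${i}-[0-9a-f]+\$"; then
            echo "FAIL: line $i of $f is not share $i" >&2; return 1
        fi
    done < "$f"
    if [ "$i" -ne "$n" ]; then
        echo "FAIL: $f has $i shares, expected $n" >&2; return 1
    fi
    echo "OK: $f has $n well-formed shares"
}
```

Run `check_passphrase_file pw.txt` before splitting and `check_shares_file splits.txt 5` after; a non-zero exit status means the file should be fixed before the shares are distributed.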