diff --git a/type/__pass/gencode-local b/type/__pass/gencode-local
new file mode 100755
index 0000000..3346707
--- /dev/null
+++ b/type/__pass/gencode-local
@@ -0,0 +1,77 @@
+#!/bin/sh -e
+#
+# 2020 Joachim Desroches (joachim.desroches@epfl.ch)
+#
+# This file is part of cdist.
+#
+# cdist is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# cdist is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with cdist. If not, see .
+#
+
+cat <<- EOF
+
+# Length of generated password.
+LENGTH=
+
+# Keep password strictly alphanumeric.
+NOSYMB=
+
+# Check pass is installed.
+command -v pass >/dev/null 2>&1 ||
+ {
+ cat <<- EOF >&2
+ __pass: this type requires pass installed.
+ See https://www.passwordstore.org/.
+ EOFF
+ exit 1;
+ }
+
+# Check for optional length parameter.
+if [ -f "${__object:?}/parameter/length" ];
+then
+ LENGTH="$(cat "${__object:?}/parameter/length")"
+ export LENGTH
+fi
+
+# Check for optional no symbols parameter.
+if [ -f "${__object:?}/parameter/no-symbols" ];
+then
+ NOSYMB="-n"
+ export NOSYMB
+fi
+
+# Load required password store location parameter.
+PASSWORD_STORE_DIR="$(cat "${__object:?}/parameter/storedir")"
+export PASSWORD_STORE_DIR
+
+# Check if the password store is initialized.
+if ! pass ls >/dev/null 2>&1;
+then
+ cat <<- EOFF >&2
+ __pass: this type requires the password store to be initialized.
+ See cdist-type__pass_init(7) and pass(1) for more information.
+ EOFF
+ exit 1;
+fi
+
+# Generate a password if it does not already exist.
+if [ ! -f "\${PASSWORD_STORE_DIR}/${__object_id:?}.gpg" ];
+then
+ # shellcheck disable=SC2086
+ pass generate \$NOSYMB "${__object_id:?}" $LENGTH >/dev/null
+fi
+
+# Send it out to the messages.
+pass "${__object_id:?}" >> "${__messages_out:?}"
+
+EOF
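Review bot: The emitted script is malformed because the first inner here-document opens with `cat <<- EOF >&2` but is closed with `EOFF`, so it never terminates and swallows everything after the `command -v pass` check; open it with `cat <<- EOFF >&2`, as the second one does. On the `pass generate` line `$LENGTH` is not escaped, unlike `\$NOSYMB`, so the unquoted outer here-document expands it at generation time (to nothing, unless LENGTH happens to be in the generator's environment) and the `length` parameter has no effect; write `\$LENGTH`. The values of `storedir`, `length` and `__object_id` are pasted into double-quoted strings of the generated code, so a `"`, `$` or backquote in any of them changes what the emitted script does; validate them before the here-document, for example by rejecting a non-numeric length. The last command appends the decrypted password to `${__messages_out}`, leaving the secret in clear text wherever cdist stores or logs messages, which deserves a comment above that line and a warning in the man page.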
diff --git a/type/__pass/man.rst b/type/__pass/man.rst
new file mode 100644
index 0000000..ea9b93c
--- /dev/null
+++ b/type/__pass/man.rst
@@ -0,0 +1,73 @@
+cdist-type__pass(7)
+===================
+
+NAME
+----
+cdist-type__pass - Generate and use passwords using pass(1).
+
+
+DESCRIPTION
+-----------
+This type allows a user to generate and query passwords stored using pass(1) on
+the host machine. The password is then printed to the cdist message system, so
+types depending on this one should require it. This enables an administrator to
+ensure a password exists using this type and then, from another type, use it as
+need be.
+
+
+REQUIRED PARAMETERS
+-------------------
+storedir
+ The host-local directory where the password store is to be found (or
+ created if it does not exist).
+
+
+OPTIONAL PARAMETERS
+-------------------
+length
+ The length of the password to be created if it does not exist. Note that if
+ it exists, this has no effect (and hence will not update the password, even
+ if the length is different from the one specified).
+
+
+BOOLEAN PARAMETERS
+------------------
+no-symbols
+ If this parameter is set, then a newly generated password will only contain
+ alphanumeric characters, making it easier for typing by meatware.
+
+
+EXAMPLES
+--------
+
+Assuming that __othertype takes the path of the password as an argument and
+looks up in the cdist messages to find it:
+
+.. code-block:: sh
+
+ require=__pass_init \
+ __pass database/services/arandomservice \
+ --storedir password/store/location
+
+ require='__pass/database/services/arandomservice' \
+ __othertype --password database/service/arandomservice
+
+
+--
+
+SEE ALSO
+--------
+`pass`\ (7), `cdist-type__pass_init`\ (7)
+
+
+AUTHORS
+-------
+Joachim Desroches
+
+
+COPYING
+-------
+Copyright \(C) 2020 Joachim Desroches. You can redistribute it
+and/or modify it under the terms of the GNU General Public License as
+published by the Free Software Foundation, either version 3 of the
+License, or (at your option) any later version.
diff --git a/type/__pass/parameter/boolean b/type/__pass/parameter/boolean
new file mode 100644
index 0000000..8be3749
--- /dev/null
+++ b/type/__pass/parameter/boolean
@@ -0,0 +1 @@
+no-symbols
diff --git a/type/__pass/parameter/optional b/type/__pass/parameter/optional
new file mode 100644
index 0000000..7f5e3b6
--- /dev/null
+++ b/type/__pass/parameter/optional
@@ -0,0 +1 @@
+length
diff --git a/type/__pass/parameter/required b/type/__pass/parameter/required
new file mode 100644
index 0000000..f2fc3a2
--- /dev/null
+++ b/type/__pass/parameter/required
@@ -0,0 +1 @@
+storedir
diff --git a/type/__pass_init/gencode-local b/type/__pass_init/gencode-local
new file mode 100755
index 0000000..0be44d9
--- /dev/null
+++ b/type/__pass_init/gencode-local
@@ -0,0 +1,43 @@
+#!/bin/sh -e
+#
+# 2020 Joachim Desroches (joachim.desroches@epfl.ch)
+#
+# This file is part of cdist.
+#
+# cdist is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# cdist is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with cdist. If not, see .
+#
+
+# Check pass is installed.
+command -v pass >/dev/null 2>&1 ||
+ {
+ cat <<- EOF >&2
+ __pass_init: this type requires pass installed.
+ See https://www.passwordstore.org/.
+ EOF
+ exit 1;
+ }
+
+# Load required GPG ID parameters.
+set --
+while read -r id;
+do
+ set -- "$@" "$id"
+done < "${__object:?}/parameter/gpgid"
+
+# Load required password store location parameter.
+PASSWORD_STORE_DIR="$(cat "${__object:?}/parameter/storedir")"
+export PASSWORD_STORE_DIR
+
+# Do our work.
+pass init "$@" >/dev/null
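Review bot: Each line of the `gpgid` parameter is handed to `pass init` unchecked by the `while read` loop, so an empty line or one starting with `-` reaches pass as an empty id or as an option instead of a key id. Before `set -- "$@" "$id"`, reject such values with `case "$id" in ''|-*) echo "__pass_init: invalid gpgid: $id" >&2; exit 1;; esac`. Unlike type/__pass/gencode-local in this same commit, which prints its commands through a here-document, this script runs `pass init` itself and prints nothing. If cdist only executes what gencode-local writes to stdout, the store is also initialised on runs meant to generate code without applying it, which should at least be stated in a comment above `# Do our work.`.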
diff --git a/type/__pass_init/man.rst b/type/__pass_init/man.rst
new file mode 100644
index 0000000..7a8d01e
--- /dev/null
+++ b/type/__pass_init/man.rst
@@ -0,0 +1,56 @@
+cdist-type__pass_init(7)
+========================
+
+NAME
+----
+cdist-type__pass_init - Initialize a local password store.
+
+
+DESCRIPTION
+-----------
+This type is intented to be used as a prerequisite to the
+cdist-type__pass(7) type. It will set up a pass(1) password
+store with the provided GPP2(1) public encryption key IDs.
+
+
+REQUIRED PARAMETERS
+-------------------
+storedir
+ The host-local directory where the password store is to be found (or
+ created if it does not exist).
+
+
+REQUIRED MULTIPLE PARAMETERS
+----------------------------
+gpgid
+ The GPG IDs of the public keys used to encrypt the password store.
+
+
+EXAMPLES
+--------
+
+.. code-block:: sh
+
+ # Setup a repository with a GPG ID
+ __pass_init
+ --storedir password/store/location
+ --gpgpid 92296965EAA1DD86A93284EF7B21E5AA32FB9810
+
+--
+
+SEE ALSO
+--------
+`pass`\ (7), `cdist-type__pass`\ (7)
+
+
+AUTHORS
+-------
+Joachim Desroches
+
+
+COPYING
+-------
+Copyright \(C) 2021 Joachim Desroches. You can redistribute it
+and/or modify it under the terms of the GNU General Public License as
+published by the Free Software Foundation, either version 3 of the
+License, or (at your option) any later version.
diff --git a/type/__pass_init/parameter/required b/type/__pass_init/parameter/required
new file mode 100644
index 0000000..f2fc3a2
--- /dev/null
+++ b/type/__pass_init/parameter/required
@@ -0,0 +1 @@
+storedir
diff --git a/type/__pass_init/parameter/required_multiple b/type/__pass_init/parameter/required_multiple
new file mode 100644
index 0000000..bed3d4a
--- /dev/null
+++ b/type/__pass_init/parameter/required_multiple
@@ -0,0 +1 @@
+gpgid
diff --git a/type/__pass_init/singleton b/type/__pass_init/singleton
new file mode 100644
index 0000000..e69de29