If you are looking for simple password management on Unix, pass may be the answer. It uses GPG to encrypt the stored passwords and keeps each one as an encrypted text file (one .gpg file per entry) in a tree of directories. Each directory can specify its own GPG key, or set of keys, for the entries stored inside it.
How easy is it? The following command stores a password under the name AWS/access-key-id, which is how we will refer to it later.
pass insert AWS/access-key-id
The previous command automatically creates a directory named AWS inside ~/.password-store, the default location of the pass storage, and an encrypted file named access-key-id.gpg inside ~/.password-store/AWS. To read the value back we run the following command.
pass AWS/access-key-id
There are four steps to set the tool up:
- Install pass using the package manager
- Create a GPG key pair
- Initialize the pass storage with that GPG key
- Store the passwords
Install pass
apt install pass
Create a GPG key pair
We can use the gpg tool that ships with most Linux distributions, or install it from the package manager if it is missing. When asked for a passphrase we can leave it empty to generate an unprotected key pair. This is not recommended: anyone who can read the private key in ~/.gnupg can then decrypt every entry in the store, so the secrecy of the passwords reduces to the file permissions on that directory. It can still be useful when the passwords must be read by an unattended automation process, where nobody is around to type a passphrase.
gpg --generate-key
Then we can list the generated keys with the following command. The key ID (the fingerprint or the e-mail address in the key's user ID also work) is what we give to pass init in the next step.
gpg --list-keys
Initialize the pass storage
We set the root directory of the pass storage to use the GPG key generated in the previous step. For example, if the key ID is ABCXYZ:
pass init "ABCXYZ"
The previous command creates a .gpg-id file inside ~/.password-store. The file contains the ID of the GPG key used for entries in that directory and in every subdirectory that does not carry its own .gpg-id. Running pass init again with a different key re-encrypts all existing entries in the store to the new key.
Store the passwords
Now we can store any password under a path-like name, as in the following command.
pass insert hello/world/my-secret
The previous command creates a my-secret.gpg file inside ~/.password-store/hello/world, creating the intermediate directories as needed.
Additional GPG keys
We can generate more GPG key pairs, some of them protected with a passphrase, so that different parts of the store are encrypted with different keys. In that case we point pass init at a subdirectory with the -p option. For example, we want every password under ~/.password-store/secured to use a passphrase-protected GPG key.
gpg --generate-key
gpg --list-keys
pass init -p secured "new_secured_GPG_public_id"
The previous command creates another .gpg-id file inside ~/.password-store/secured and re-encrypts any entries already under that directory to the new key. From then on, records stored anywhere under secured/ use the key named in that file rather than the key in the root directory of the storage (~/.password-store): pass always picks the closest .gpg-id walking up from the entry towards the root. For instance, we can store a new record using the following format.
pass insert secured/AWS/access-key-id
Whenever we read secured/AWS/access-key-id, gpg-agent will prompt for the passphrase of the secured key, unless the passphrase is still cached from a previous prompt (10 minutes by default).
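The key-selection rule above is worth seeing in code. The following Python model is added here and is not part of the pass project or of this article (pass itself is a bash script); it reproduces two pieces of pass's behaviour so they can be exercised offline without gpg: the nearest .gpg-id above an entry decides which key IDs the entry is encrypted to (a .gpg-id may list several IDs, one per line, and pass encrypts to all of them), and entry names containing a ".." path component are rejected so a name cannot escape the store. The store layout it builds in a temporary directory is constructed for the example, and the key IDs ABCXYZ and SECURED123 are placeholders, not real GPG keys.

```python
"""Model of how pass picks GPG recipients for an entry (added example, not pass's own code)."""
import os
import re
import tempfile

# Same pattern pass uses in its check_sneaky_paths(): reject '..' as a whole
# path component at the start, middle or end of an entry name.
_SNEAKY = re.compile(r"^\.\./|/\.\.$|/\.\./|^\.\.$")


def is_sneaky(name):
    """True if the entry name contains a '..' component that could leave the store."""
    return bool(_SNEAKY.search(name))


def entry_file(store, name):
    """Map an entry name such as 'secured/AWS/access-key-id' to its .gpg file path."""
    if is_sneaky(name):
        raise ValueError(f"sneaky path rejected: {name!r}")
    return os.path.join(store, name + ".gpg")


def gpg_recipients(store, name):
    """Return the key IDs listed in the closest .gpg-id above the entry.

    pass walks from the entry's directory up to the store root and uses the
    first .gpg-id it finds, so a key set in 'secured/.gpg-id' overrides the
    root key for everything below 'secured/'.
    """
    directory = os.path.dirname(entry_file(store, name))
    root = os.path.abspath(store)
    while True:
        candidate = os.path.join(directory, ".gpg-id")
        if os.path.isfile(candidate):
            with open(candidate, encoding="utf-8") as fh:
                ids = [line.strip() for line in fh if line.strip()]
            if ids:
                return ids
        if os.path.abspath(directory) == root:
            raise FileNotFoundError("password store is not initialized (no .gpg-id found)")
        directory = os.path.dirname(directory)


def build_demo_store():
    """Construct the store layout from the article in a temp dir; returns its path."""
    store = tempfile.mkdtemp(prefix="password-store-")
    # Equivalent of: pass init "ABCXYZ"   (placeholder key ID)
    with open(os.path.join(store, ".gpg-id"), "w", encoding="utf-8") as fh:
        fh.write("ABCXYZ\n")
    # Equivalent of: pass init -p secured "SECURED123" "ABCXYZ"
    # (two recipients: the passphrase-protected key plus the root key)
    os.makedirs(os.path.join(store, "secured", "AWS"))
    with open(os.path.join(store, "secured", ".gpg-id"), "w", encoding="utf-8") as fh:
        fh.write("SECURED123\nABCXYZ\n")
    os.makedirs(os.path.join(store, "hello", "world"))
    return store


if __name__ == "__main__":
    store = build_demo_store()
    for name in ("hello/world/my-secret", "AWS/access-key-id", "secured/AWS/access-key-id"):
        rel = os.path.relpath(entry_file(store, name), store)
        print(f"{name} -> {rel} encrypted to {gpg_recipients(store, name)}")
    try:
        entry_file(store, "../../.ssh/id_ed25519")
    except ValueError as exc:
        print("rejected:", exc)
```

Entries under secured/ resolve to both IDs while everything else resolves to the root key only; an entry name such as ../../.ssh/id_ed25519 is refused before any file path is built.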
Example use case
We can read a secret and place it in an environment variable by running the following command. pass prints the whole decrypted file, so if the entry has more than one line (by pass convention the password is on the first line and other fields follow) pipe the output through head -n1 to keep only the password. Note that an exported variable is inherited by every child process started from that shell, so keep it scoped to the process that actually needs it.
export MY_VAR=$(pass hello/world/my-secret)