A pretty good security advice would be to never write down a password unencrypted
on disk. This can be pretty tricky to achieve, especially on personal and development
environments. So let me introduce gopass
which is a tool aiming to help with this problem.
First of all, let me say it right away, the CLI interface is not that good.
Took me a lot of time to set things properly as options may be cryptic and
behavior is not obvious as first sight.
Installation and getting started
Just follow the instruction from the official website. It should be packaged
for your distribution as it is now pretty popular. If not, installation is
pretty straightforward as it is a single binary. Do not forget to also install
gpg it’s a hard dependency and potentially
git (even though a git implementation is shipped with the project).
Run gopass init
to set up your environment. It should now be ready to use!
Once this is done, checkout the cheatsheet
as it contains good documentation and examples for usage of gopass
.
Set up stores for organizations and teams
Initialization is pretty simple:
# creates a store named `foo` using binary embedded git implementation
gopass init --path ~/.local/share/password-store/foo --store foo
# you can then connect it to a remote git repository
gopass git remote add --store foo origin git@rulz.xyz/keys.git
# go to the directory and manually push, going through gopass cli is flacky
cd ~/.local/share/password-store/foo && git push origin HEAD:master && cd -
# you can now sync the repo throught the cli
gopass sync
If you need to clone an existing one:
gopass clone --path ~/.local/share/password-store/foo git@rulz.xyz/keys.git foo
Gopass and curl
Using netrc support from curl
and
binary encoding
in gopass, we can run basic access authentication without leaking the password:
# first save the file (password will never hit the hdd here)
cat << EOF |
machine rulz.xyz
login my_username
password $(stty -echo; read p; echo "$p"; stty echo)
EOF
gopass binary cat rulz_netrc
# you can now use curl and pipe the secret to it
gopass show rulz/netrc | base64 -d |
curl --netrc-file /dev/stdin -fsSL https://rulz.xyz/secrets/raw/branch/master/README.md
Gopass and direnv
Another thing you can do is to link it with your direnv environment
(I wrote a post about it).
This will inject development password into environment variables, only for your
the current directory and without the risk of committing them accidentally.
Here is an example of an .envrc
file:
export FOO=BAR
export AWS_ACCESS_KEY_ID=$(gopass show foo/aws)
That’s all for me folks! If I find other use cases, will try to post them.