Not today... - Gopass

Tue Mar 10 2020

comments

Gopass

Tagged admin , cli

A pretty good security advice would be to never write down a password unencrypted on disk. This can be pretty tricky to achieve, especially on personal and development environments. So let me introduce gopass which is a tool aiming to help with this problem.

First of all, let me say it right away, the CLI interface is not that good. Took me a lot of time to set things properly as options may be cryptic and behavior is not obvious as first sight.

Installation and getting started

Just follow the instruction from the official website. It should be packaged for your distribution as it is now pretty popular. If not, installation is pretty straightforward as it is a single binary. Do not forget to also install gpg it’s a hard dependency and potentially git (even though a git implementation is shipped with the project).

Run gopass init to set up your environment. It should now be ready to use!

Once this is done, checkout the cheatsheet as it contains good documentation and examples for usage of gopass.

Set up stores for organizations and teams

Initialization is pretty simple:

# creates a store named `foo` using binary embedded git implementation
gopass init --path ~/.local/share/password-store/foo --store foo

# you can then connect it to a remote git repository
gopass git remote add --store foo origin git@rulz.xyz/keys.git

# go to the directory and manually push, going through gopass cli is flacky
cd  ~/.local/share/password-store/foo && git push origin HEAD:master && cd -

# you can now sync the repo throught the cli
gopass sync

If you need to clone an existing one:

gopass clone --path ~/.local/share/password-store/foo git@rulz.xyz/keys.git foo

Gopass and curl

Using netrc support from curl and binary encoding in gopass, we can run basic access authentication without leaking the password:

# first save the file (password will never hit the hdd here)
cat << EOF |
machine rulz.xyz
login my_username
password $(stty -echo; read p; echo "$p"; stty echo)
EOF
gopass binary cat rulz_netrc

# you can now use curl and pipe the secret to it
gopass show rulz/netrc | base64 -d |
	curl --netrc-file /dev/stdin -fsSL https://rulz.xyz/secrets/raw/branch/master/README.md

Gopass and direnv

Another thing you can do is to link it with your direnv environment (I wrote a post about it). This will inject development password into environment variables, only for your the current directory and without the risk of committing them accidentally.

Here is an example of an .envrc file:

export FOO=BAR
export AWS_ACCESS_KEY_ID=$(gopass show foo/aws)

That’s all for me folks! If I find other use cases, will try to post them.