Securing Information in dotfiles / aliases / command line in MacOS with Password-Store (pass)

The intent of this is to give a single walkthrough on setting up, installing and using pass (password store) on my Mac (macOS) along with GitHub to maintain sensitive information within my day-to-day operational scripts, aliases and commands. When I was setting this up initially I could not find a single document with a selfishly direct explanation. I just wanted a simple system to store a password in a shared encrypted repo, add passwords and use them in a script or command.

I use a lot of dotfiles, aliases and scripts to manage my day-to-day existence. A general challenge I have encountered is what to do with privileged and sensitive information. I do not want the private goodies in my dotfiles repo nor in any project repository. The question becomes:

What do I do with all of this sensitive data, passwords and keys?

I needed a way to encrypt the data locally, share it between a few systems via a repository, and use it in scripts, aliases and more.

Solution: pass or the Password Store, GPG and Github

It provides a way for me to encrypt, share, manage and use private data with my aliases and scripts.

NOTE: this is not how I store sensitive information inside of apps; just how I store day-to-day operational private info

GPG Setup

First, we set up GPG with a key pair, if you do not have one already; if you already use GPG you can choose which fingerprint to use. Also, make sure you have gpg installed. Here is the process, assuming macOS with Homebrew.

brew install gpg gpg2
cd $HOME

If you do not have a key (fingerprint) set up yet, you can build one quickly with

gpg --full-gen-key

Backup GPG

You can back up your GPG keys and trust database with (substitute your own fingerprint):

gpg --export-secret-keys --armor [fingerprint] > privkey.asc
gpg --export --armor [fingerprint] > pubkey.asc
gpg --export-ownertrust > pgp-ownertrust.asc

GitHub Setup

Pop over to GitHub to create your password store repository. Create an empty repo and make sure you note the name of the repo you create and its location (the clone URL).

Pass Setup (macOS)

You will need two things here: first, the GPG identity that pass will encrypt the store to (in my case I just used my email, cbschuld@gmail.com), and second, your GitHub repo URL; in this example I am using git@github.com:user/passwordstore.git

pass init cbschuld@gmail.com   # just used my email address (the GPG identity to encrypt to)
pass git init
pass
pass git remote add origin git@github.com:user/passwordstore.git
pass insert Database/db1       # going to add a password for db1 - it will prompt on stdin; note how I am placing it in a path of "Database"

Now we have pass set up, we added it to GitHub (almost done with that, stay tuned for two seconds) and we added a password for this imaginary db1.

We can check our stored passwords just by calling pass with no arguments:

✔ ~
15:38 $ pass
Password Store
└── Database
    └── db1

GitHub Updates

Any time I update my passwords I simply tell pass to push the updates via:

pass git push

Adding a Password

Adding a password is fast; we just insert one via pass. Let's add a password for another fictitious db server called db2 and place it into the Database path.

✔ ~
15:38 $ pass insert Database/db2
Enter password for Database/db2: [typed]
Retype password for Database/db2: [typed]
[master a2cb1d2] Add given password for Database/db2 to store.

Getting a Password

To retrieve a password you simply call pass and then the name of the password:

pass Database/db1
248htasdgq240lkhq24h0fbvai2lk209a8weh2n

Using the Passwords

Here is an example of using that db1 password in a call to MySQL:

PASSWD=`pass Database/db1`;  mysql -h db1-cluster.us-west-2.rds.amazonaws.com -u root --password=$PASSWD

NOTE: I saw a lot of folks piping passwords from stdin and expecting pass to just shove the data into stdin. I did not have success with this because GPG's timeout was too short between usages, and instead I set the output password value (or key) to a temporary variable to keep the runtime from having to take in the master password again.

[ macos linux ]