# pass

YubiKey-sealed Secrets-as-Code for git.

`pass` runs in the command line.
Online password managers have reached maturity, but git can be used to store encrypted passwords and files just fine. The repository holding them (e.g. on GitHub) can be private.

Leveraging [age](https://age-encryption.org), data is encrypted with public-private keypairs, and a file can be encrypted to several such keys (recipients) at once. The private part can be stored directly on a YubiKey; users are asked for the YubiKey PIN for additional security.
OS: Linux.

Prerequisites:

- [`just`](https://github.com/casey/just) in `$PATH`.
- Run `just install <your secrets repo>`.
```sh
$ just pass add mysecretname # Asks for a password, encrypts it to a file "mysecretname" and commits+pushes it to the secrets repository.
$ just pass add_file $(realpath mysecretfile) # Encrypts the given file (needs full path) and commits+pushes it to the secrets repository.
$ just pass mysecretname # Decrypts the secret file "mysecretname".
$ just pass list # Lists all known passwords. Feeds to fzf if installed.
```
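The add and decrypt flow behind `just pass add <name>` and `just pass <name>`, as an added example written against rage and age-plugin-yubikey; this is not the project's own Justfile. The repository path (`$SECRETS_REPO`), the `.recipients` file inside it and the identity file path are assumptions, not something the README specifies.

```shell
#!/bin/sh
# Added example, not the project's Justfile. Assumed layout: one age/yubikey
# recipient per line in $SECRETS_REPO/.recipients ('#' comments allowed), and
# the YubiKey identity from `age-plugin-yubikey --identity` in $YUBIKEY_IDENTITY.
set -eu

SECRETS_REPO="${SECRETS_REPO:-$HOME/git/secrets}"
YUBIKEY_IDENTITY="${YUBIKEY_IDENTITY:-$HOME/.config/age/yubikey-identity.txt}"

# Secret names become file names in the repo: refuse anything that could
# escape the directory or shadow dotfiles such as .recipients and .git.
valid_secret_name() {
  case "$1" in
    ""|.*|*/*) return 1 ;;
  esac
  printf '%s' "$1" | grep -q '[[:space:]]' && return 1
  return 0
}

# Turn the recipients file into "-r <recipient>" arguments for rage.
# Blank lines and comments are dropped; age recipients contain no whitespace,
# so the result is safe to word-split at the call site.
recipient_args() {
  sed -e 's/#.*//' -e 's/[[:space:]]//g' -e '/^$/d' "$1" \
    | sed 's/^/-r /' | tr '\n' ' '
}

# Encrypt stdin to every recipient (public keys only, no YubiKey needed)
# and commit+push the armored ciphertext.
add_secret() {
  name="$1"
  valid_secret_name "$name" || { echo "bad secret name: $name" >&2; return 1; }
  # shellcheck disable=SC2046  (word-splitting is intended here)
  rage -e -a $(recipient_args "$SECRETS_REPO/.recipients") -o "$SECRETS_REPO/$name.age"
  git -C "$SECRETS_REPO" add "$name.age"
  git -C "$SECRETS_REPO" commit -q -m "add secret $name"
  git -C "$SECRETS_REPO" push -q
}

# Decrypt with the YubiKey-backed identity; age-plugin-yubikey prompts for the PIN.
show_secret() {
  valid_secret_name "$1" || return 1
  rage -d -i "$YUBIKEY_IDENTITY" "$SECRETS_REPO/$1.age"
}
```

Typical use is `printf '%s' "$password" | add_secret mysecretname` followed by `show_secret mysecretname`; only the decrypt step touches the YubiKey.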
Additionally, you can set an alias to get access to the functionality from any path in the shell:

```sh
$ echo 'alias pass="just --justfile ~/git/pass/Justfile pass"' >> ~/.bashrc
$ pass mysecretname # Prints the secret
```

If you wish, you can generate a new random password directly:

```sh
$ just pass random mysecretname
```

And of course you can use it with the above alias:

```sh
$ pass random mysecretname # Encrypts a random password to "mysecretname" and commits+pushes it to the secrets repository.
$ pass mysecretname # Prints the secret.
```

If `xclip` is installed, the random password is also placed in the clipboard automatically.
`pass` is just a thin wrapper around the following awesome technologies:

- YubiKey - Strong hardware encryption.
- [age-plugin-yubikey](https://github.com/str4d/age-plugin-yubikey) - YubiKey plugin for rage.
- [rage](https://github.com/str4d/rage) - a Rust implementation of the [age](https://age-encryption.org) spec.