I’ve seen a lot of approaches to sharing passwords within a group of developers.
Today I want to share a command-line based and secure setup using
pass with you.
pass - the standard unix password manager
This walk-through is done on a Mac, but it’s easily reproducible on Ubuntu, Fedora, …, FreeBSD and others.
Please check the Download section on the homepage of
pass on Mac
With Homebrew installed this is as simple as:
$ brew install pass
…
==> Summary
🍺  /usr/local/Cellar/pass/1.7.2: 34 files, 147.5KB
Check the installation with:
$ pass --version
============================================
= pass: the standard unix password manager =
=                                          =
=                  v1.7.2                  =
=                                          =
=            Jason A. Donenfeld            =
=             Jason@zx2c4.com              =
=                                          =
=      http://www.passwordstore.org/       =
============================================
Create a gpg key
$ gpg --gen-key
…
Real name: planets
Email address: email@example.com
You selected this USER-ID:
    "planets <firstname.lastname@example.org>"
…
Setup a shared password store
This has to be done by one developer only.
First, initialise a Git-backed password store. (Basically, I followed the Extended Git Example.)
$ pass init email@example.com
Password store initialized for firstname.lastname@example.org
$ pass git init
Initialized empty Git repository in …
$ pass git remote add origin <put_your_remote_here>
Use the shared password store on a developer machine
Clone the created password store from your Git repository (run this from your home directory, because pass looks for the store in ~/.password-store by default)…
$ git clone <put_your_remote_here> .password-store
Cloning into ‘.password-store’…
…
then check the password store with:
$ pass
Password Store
Export / Import the shared gpg key
The developer who created the shared gpg key needs to export the private key:
$ gpg --export-secret-key -a "planets" > planets-password-store.key
The exported key should look something like:
-----BEGIN PGP PRIVATE KEY BLOCK-----
…1qYBSA2anbK2FjbxU…
-----END PGP PRIVATE KEY BLOCK-----
On the other developer machines, you’ll need the shared private gpg key to access the password store. Needless to say, the private key has to be transferred in a secure way…
$ gpg --allow-secret-key-import --import planets-password-store.key
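The exported key file now sits on disk next to the store, so it is worth checking that nothing but encrypted .gpg entries and pass metadata is inside the store before it is pushed. The following audit script is an added example, not part of the original post; the file names (planets-password-store.key, test/foo.gpg, test/notes.txt) are constructed sample data.

```shell
#!/bin/sh
# Added example (not from the original post): audit a pass store before
# "pass git push". Everything in the store is meant to be an encrypted .gpg
# entry or pass's own metadata, so any other file is a mistake, and an
# exported key such as planets-password-store.key must never end up there.
# Prints one "kind: path" line per finding; returns 1 if anything was found.
audit_password_store() {
    store="${1:-$HOME/.password-store}"
    found=$(find "$store" -path "$store/.git" -prune -o -type f -print |
        while read -r f; do
            rel="${f#"$store"/}"
            case "$rel" in
                *.gpg|.gpg-id|*/.gpg-id|.gitattributes) ;;   # expected content
                *) echo "plaintext: $rel" ;;
            esac
            # Exported secret keys are ASCII-armoured, so grep can spot them.
            if grep -q 'BEGIN PGP PRIVATE KEY BLOCK' "$f" 2>/dev/null; then
                echo "private-key: $rel"
            fi
        done)
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}

# Constructed sample store (not a real one): two encrypted entries and the
# store metadata, plus two mistakes: an exported private key and a plaintext note.
make_sample_store() {
    dir=$(mktemp -d)
    mkdir -p "$dir/test" "$dir/.git/objects"
    printf 'email@example.com\n' > "$dir/.gpg-id"
    printf '*.gpg diff=gpg\n' > "$dir/.gitattributes"
    printf 'stand-in for OpenPGP ciphertext\n' > "$dir/test/foo.gpg"
    printf 'stand-in for OpenPGP ciphertext\n' > "$dir/test/multiline.gpg"
    printf 'git object, skipped by the audit\n' > "$dir/.git/objects/dummy"
    printf -- '-----BEGIN PGP PRIVATE KEY BLOCK-----\n...\n-----END PGP PRIVATE KEY BLOCK-----\n' \
        > "$dir/planets-password-store.key"
    printf 's3cr3t\nURL: example.com\n' > "$dir/test/notes.txt"
    echo "$dir"
}

# Stand-alone run against the constructed sample; for a real clone use
# audit_password_store ~/.password-store
sample=$(make_sample_store)
audit_password_store "$sample" || echo "fix the files above before pushing"
rm -rf "$sample"
```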
Ready for rumble
Let’s assume a developer creates a new test project account foo and generates a password locally.
He wants to share this password with his colleagues via
He has to push the password:
$ pass insert test/foo
Enter password for test/foo:
Retype password for test/foo:
[master d1910d2] Add given password for test/foo to store.
 1 file changed, 0 insertions(+), 0 deletions(-)
 create mode 100644 test/foo.gpg
$ pass git push -u --all
Counting objects: 6, done.
Delta compression using up to 8 threads.
Compressing objects: 100% (3/3), done.
…
 * [new branch]      master -> master
Branch 'master' set up to track remote branch 'master' from 'origin'.
All other developers will have to pull the new password.
$ pass git pull
remote: Counting objects: 4, done.
…
With the password store up-to-date they can access the shared password easily:
$ pass test/foo
bar
Congratulations! You successfully used your first shared password with
Most probably you’ll need to generate passwords, too.
$ pass generate test/baz 15
There are more options available. Please check the pass homepage for more details.
Store other (meta)data along with the password.
The preferred way of the author of pass is to use a combination of the options
When storing the password, use the option --multiline, provide the additional data and press <Ctrl> + D when finished:
$ pass insert --multiline test/multiline
Enter contents of test/multiline and press Ctrl+D when finished:
s3cr3t
URL: example.com
You can grab the password only when necessary with the option --clip as mentioned above.
$ pass --clip test/multiline
Copied test/multiline to clipboard. Will clear in 45 seconds.
This command copies only the first line of the multiline entry, which is why the password goes on the first line and any metadata (such as the URL) on the lines below it.