It might happen that for your working environment you need to store passwords securely. Nowadays many people is using ‘cloud’ solutions – but as you do well know cloud is nothing else than ‘someone’s else computer’ 😉 . Having that said that limits options you have available. As this is point of preference I will try not to get into discussion of ‘the best solution’ but will just show you what I have been using and what I really liked a lot.
Solution is called pass and is available on the website https://www.passwordstore.org/
So let’s go ahead and install this on our machine – installation steps are nicely outlined on the product page so here I will just focus on CentOs
sudo yum install pass
As you might have seen from documentation you will need your GPG key(s) – for this demo I have created dummy one
[[email protected] ~]# gpg --list-keys /root/.gnupg/pubring.gpg ------------------------ pub 2048R/5CBDFF98 2016-10-30 uid RafPe <[email protected]> sub 2048R/B3B34661 2016-10-30 [[email protected] ~]#
Let’s go ahead and initialise our pass with GPG key I have created.
[[email protected] ~]# pass init 5CBDFF98 mkdir: created directory ‘/root/.password-store/’ Password store initialized for 5CBDFF98
Once the above is completed we can start adding passwords to our safe – simply by issuing
[[email protected] ~]# pass insert Business/serviceA/systemA mkdir: created directory ‘/root/.password-store/Business’ mkdir: created directory ‘/root/.password-store/Business/serviceA’
Listing password then becomes really intuitive
[[email protected] ~]# pass ls Password Store └── Business └── serviceA ├── systemA └── systemB
To recover password we will just call the tree value
[[email protected] ~]# pass Business/serviceA/systemA
Now we will be asked for our GPG passphrase key in order to retrieve it.
Here we would now would like to make our password safe more reliable by using GIT to store our secrets. I’m using Gogs (GoGitAsService) which is a lightweight version available.
By issuing the following commmands we get our pass to store secrets in git :
# Initialize [[email protected] ~]# pass git init
Add remote repository ( here you would need to adjust your remote repository to match – I’m using local docker instance )
[[email protected] ~]# pass git remote add origin http://192.168.178.21:10080/rafpe/passwords.git
Commit all changes
[[email protected] ~]# pass git push -u --all Username for 'http://192.168.178.21:10080': rafpe Password for 'http://[email protected]:10080': Counting objects: 7, done. Compressing objects: 100% (5/5), done. Writing objects: 100% (7/7), 1.05 KiB | 0 bytes/s, done. Total 7 (delta 0), reused 0 (delta 0) To http://192.168.178.21:10080/rafpe/passwords.git * [new branch] master -> master Branch master set up to track remote branch master from origin. [[email protected] ~]#
Once thats done we can take a peak on our repo which now has encrypted passwords for our specified items.
From now on whenever I would be making changes I can just push them nicely to GIT and I have everything under control! Documentation has a lot to offer so be sure to check it – more detailed https://git.zx2c4.com/password-store/about/
I personally think the product is good – especially in environments where you should not store passwords in ‘clouds’ due to security constraints which may apply.