Password sharing in a dev team
Status 🔑
A password manager is an essential tool nowadays. Anybody who works in IT has a multitude of accounts with different services, and these accounts are generally protected with a login/password combination. It is not the most secure way to protect an account, but it is by far the most common.
Using a password manager might seem a bit overkill. For your personal accounts, you can always try to remember the passwords without storing them anywhere. In a professional setting, in the best case, you have a single sign-on backed by an OAuth provider (such as Google or GitHub), and you also own your account. However, it often gets more complicated than that.
You might encounter, for example, a situation where one account is shared between multiple users: wifi, an artifact registry, cloud services, device passwords, etc. How do you share those credentials in a secure manner? Pasting the password into a Slack channel is definitely not a good option. In this case, a team-ready password manager is very useful.
Security is a serious business. There are many cloud-based password manager services that vary in price and in level of security. Handing all your enterprise credentials to a third-party service is a bold decision. At MeilleursAgents, we chose to keep our password store in a GitHub repository, using pass.
Pass 👩‍💻
pass is an open-source password manager that relies on GPG to encrypt your credentials. You are the only owner of your GPG private key, so only you can decrypt them.
pass stores its content in git, which makes things very easy: every developer is familiar with git, you have a clear history of every password change, and mistakes are reversible.
Another useful feature of pass is that it can encrypt with multiple GPG keys. Every team member provides their public key for encryption and decrypts with their own private key. Password sharing is easy by design.
In addition, pass has multiple plugins, notably pass-otp, which stores the one-time password (OTP) secret for accounts protected by multi-factor authentication. pass also has a clean CLI, which makes it easy to script, whether for retrieving passwords or for automating password rotation.
You can remove a user by removing their public key. However, the removed user still has access to every credential in their local clone (every git clone carries the full history). Thus, you will have to rotate the passwords if you want to revoke someone's access completely.
pass is a powerful tool. You can use it for business or personal needs, or both! You can clone your personal password store inside the business one: with the help of .gitignore, nobody else will see it, and locally you will have all your passwords available from the CLI, since pass does a recursive "find" to list all entries.
Some tooling needed 👨‍🔧
As pass relies on git, you can store anything you want in the password store. We store the public keys in the folder .public_keys. When a user pulls the repository, they also pull the keys. Everything is atomic.
We wrote a script to add a password. The script first ensures that the user's clone is up to date. It then imports all the GPG public keys, trusts them by adding their IDs to gpg.conf and, finally, prompts for the password value. The script:
Adding a new user can also be a pain point, so we wrote a script for that too. It likewise ensures the clone is up to date and extracts the ID of the new GPG key. Next, it adds the public key to the repository (so that others can import it) and updates the list of keys in both the GPG configuration and pass; pass then re-encrypts all passwords with all public keys. At this point, the job is done: you push the modifications and can start sharing credentials. Here's the script:
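The two procedures just described (add a password; add a user) share the same preparation steps, so here they are as one added example. This is not the MeilleursAgents script, and it assumes a layout the article does not fully spell out: the store is a git clone at $PASSWORD_STORE_DIR (pass's default is ~/.password-store), team keys are ASCII-armored files named .public_keys/<name>.asc, and "trusting" a key means appending a trusted-key line to gpg.conf. The helper names (keyid_from_listing, trust_keyid, sync_store, import_team_keys) are mine.

```shell
#!/usr/bin/env bash
# Added example, not the article's own scripts. Assumed layout: git clone of
# the store at $PASSWORD_STORE_DIR, team keys in .public_keys/<name>.asc,
# keys trusted via "trusted-key <long key id>" lines in gpg.conf.
set -eu

STORE="${PASSWORD_STORE_DIR:-${HOME:-.}/.password-store}"
KEYS_DIR="$STORE/.public_keys"
GPG_CONF="${GNUPGHOME:-${HOME:-.}/.gnupg}/gpg.conf"

# Pull the 16-hex long key ID out of a `gpg --with-colons` listing read on
# stdin (field 5 of the "pub" record). Pure text processing, so it can be
# exercised without gpg installed.
keyid_from_listing() {
  awk -F: '$1 == "pub" { print $5; exit }'
}

# Append "trusted-key <id>" to the gpg.conf given as $2, once only, so the
# script stays idempotent when every team member re-runs it.
trust_keyid() {
  local keyid="$1" conf="$2"
  mkdir -p "$(dirname "$conf")"
  touch "$conf"
  grep -qx "trusted-key $keyid" "$conf" || echo "trusted-key $keyid" >> "$conf"
}

# Refuse to work on a stale clone: a fast-forward-only pull fails loudly if
# local history has diverged from the shared branch.
sync_store() {
  git -C "$STORE" pull --ff-only --quiet
}

# Import and trust every key under .public_keys; print one key ID per line.
import_team_keys() {
  local f keyid
  for f in "$KEYS_DIR"/*.asc; do
    [ -e "$f" ] || continue          # empty folder: the glob stays literal
    gpg --quiet --import "$f"
    keyid="$(gpg --with-colons --import-options show-only --import "$f" \
             | keyid_from_listing)"
    trust_keyid "$keyid" "$GPG_CONF"
    echo "$keyid"
  done
}

# "add-password": sync, refresh keys, then let pass prompt for the value.
# pass insert encrypts for every ID listed in .gpg-id and commits on its own.
cmd_add_password() {
  sync_store
  import_team_keys >/dev/null
  pass insert "$1"
  git -C "$STORE" push --quiet
}

# "add-user": sync, commit the new key, then re-run `pass init` with the
# complete list of IDs, which re-encrypts every entry for all of them.
cmd_add_user() {
  local name="$1" keyfile="$2"
  sync_store
  mkdir -p "$KEYS_DIR"
  cp "$keyfile" "$KEYS_DIR/$name.asc"
  git -C "$STORE" add "$KEYS_DIR/$name.asc"
  git -C "$STORE" commit --quiet -m "Add public key for $name"
  # shellcheck disable=SC2046  # splitting the ID list into words is intended
  pass init $(import_team_keys)
  git -C "$STORE" push --quiet
}

case "${1:-}" in
  add-password) cmd_add_password "$2" ;;
  add-user)     cmd_add_user "$2" "$3" ;;
  *) echo "usage: $0 add-password <entry> | add-user <name> <pubkey.asc>" >&2 ;;
esac
```

Usage: `./pass-team add-password team/wifi` or `./pass-team add-user alice alice.asc`. One consequence of this design worth keeping in mind: whoever can push to the repository can add a key that every colleague's script will then import and trust, so write access to the store (branch protection, reviewed pushes) is the real trust boundary.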
Pass ❤️ FZF
If you frequently need the same password, it can be cumbersome to find and type the entry name each time. If you have fzf installed, we wrote one last script to simplify this. It adds completion to the pass command and also adds a function named passfor; both have autocompletion. Basically, it copies your password to the clipboard. If it also finds an OTP (one-time password) in the entry, it prompts you before putting that in the clipboard.
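An added example of such a helper (not the article's script), meant to be sourced from ~/.bashrc. It assumes the standard pass layout (<store>/<name>.gpg) and the pass-otp convention of keeping an otpauth:// line inside the entry; the function names list_entries, has_otp and passfor are mine.

```shell
# Added example, not the article's own fzf script. Assumes the standard pass
# layout (<store>/<name>.gpg) and pass-otp's "otpauth://" line convention.
STORE="${PASSWORD_STORE_DIR:-${HOME:-.}/.password-store}"

# Recursive listing of entry names, the way `pass ls` / `pass find` see them:
# every *.gpg below the store (git internals excluded), without the suffix.
# The directory is a parameter so the function works on any tree.
list_entries() {
  local dir="$1"
  find "$dir" -type f -name '*.gpg' ! -path '*/.git/*' \
    | sed -e "s|^$dir/||" -e 's|\.gpg$||' | sort
}

# True when a decrypted entry (stdin) carries a pass-otp line.
has_otp() {
  grep -q '^otpauth://'
}

# Fuzzy-pick an entry (the argument seeds the fzf query), copy its password,
# and copy the one-time code only after an explicit yes, so the OTP never
# silently replaces the password you just put in the clipboard.
passfor() {
  local entry answer
  entry="$(list_entries "$STORE" | fzf --query="${1:-}" --select-1 --exit-0)" || return 1
  [ -n "$entry" ] || return 1
  pass show --clip "$entry"        # pass clears the clipboard after 45 s by default
  if pass show "$entry" | has_otp; then
    printf '%s also has an OTP; copy the current code? [y/N] ' "$entry"
    read -r answer
    case "$answer" in
      y|Y) pass otp --clip "$entry" ;;
    esac
  fi
}

# Tab completion for passfor in bash (the word list is built when sourced).
if [ -n "${BASH_VERSION:-}" ]; then
  complete -W "$(list_entries "$STORE" 2>/dev/null)" passfor
fi
```

Typing `passfor wifi` narrows the fzf list to entries matching "wifi" and selects automatically when only one remains; the two-step clipboard handling is what keeps the password and the OTP from being confused.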
Conclusion
If you want a password manager hosted in git (thus benefiting from all of its features), encrypted with your GPG key and shared between team members, pass is one of the best solutions out there. It requires some time early on to script the error-prone actions. However, at the end of the day, you truly own your password manager.