Best way to use passwords on your terminal

Leonardo Ramos
ProFUSION Engineering
3 min read · Dec 11, 2023
Using pass as a Linux terminal password manager

You’ve probably heard someone say at some point that “regardless of the VPNs and high-level security that company A or B pushes, our colleagues keep putting their passwords in their scripts”. Unfortunately, this is the reality in many work environments, where people share passwords and secrets via Teams/Slack/Discord.

Password managers

So, how could we handle it better? Using a password manager will suffice most of the time: it requires you to remember only one password and manages the others for you. Some examples are Bitbucket, Proton Pass, and pass (for the terminal). I don’t recommend using LastPass, since they had some leaks and problems before.

Pass

Sometimes it’s boring to have to open the password manager every time you want to run a script. Usually, people use env vars to solve that, but the commands that set them might stay in your shell history forever, so this is where pass comes in. This password manager stores your passwords in encrypted files, managed internally by git. It provides commands that help avoid security leaks. Below, I will provide a quick tutorial on how to use it. It’s pretty easy, and you can also refer to the pass docs.

The quick pass path

Setting up for the first time can be as easy as this:

Create a GPG key

gpg --full-gen-key # If you don't have one already

The command will then print your GPG key; otherwise, you can get it by running `gpg -k`. You can use that key to initialize your pass repo:

pass init "{{your-gpg-key}}"
pass insert -e password_name

Done, now you’ve registered your first password! You can use `pass show password_name` to get it now. For example:

my_script_with_secret --some-argument="$(pass show password_name)"
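
An added example, not from the original article: `pass show` prints the whole entry, and a secret passed as a command-line argument is visible in the process list while the script runs. The helpers below take only the first line of an entry and hand it to the child process through an environment variable instead; the function names, `API_TOKEN` and the entry name in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example, not from the article. Function, variable and entry names
# are assumptions; `pass show` is the command used above.

# Print only the first line of an entry. `pass show` prints every line, and by
# pass convention the first line is the password, the rest is metadata.
pass_first_line() (
    entry=$(pass show "$1") || exit 1
    printf '%s\n' "$entry" | head -n 1
)

# run_with_secret VAR ENTRY CMD [ARGS...]
# Runs CMD with the secret in environment variable VAR of that child only.
# The secret is not put on CMD's command line, and the function body runs in
# a subshell, so nothing is exported or left behind in the calling shell.
run_with_secret() (
    var=$1 entry=$2
    [ "$#" -ge 3 ] || { echo "usage: run_with_secret VAR ENTRY CMD..." >&2; exit 2; }
    shift 2
    case $var in
        ''|[0-9]*|*[!A-Za-z0-9_]*)
            echo "invalid variable name: $var" >&2; exit 2 ;;
    esac
    secret=$(pass_first_line "$entry") || { echo "cannot read entry: $entry" >&2; exit 1; }
    [ -n "$secret" ] || { echo "entry is empty: $entry" >&2; exit 1; }
    export "$var=$secret"
    "$@"
)

# Usage (constructed names):
#   run_with_secret API_TOKEN Business/some-silly-business-site.com my_script_with_secret
# where my_script_with_secret reads "$API_TOKEN" instead of taking an argument.
```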

Pass passwords can be stored in a folder-like tree that can be seen by calling pass:

mylaptop ~ $ pass
Password Store
├── Business
│   ├── some-silly-business-site.com
│   └── another-business-site.net
├── Email
│   ├── donenfeld.com
│   └── zx2c4.com
└── France
    ├── bank
    ├── freebox
    └── mobilephone

You can copy them to your clipboard with -c:

pass show -c password_name

If you were paying attention to the output of `pass init`, you will have noticed that a git repo was created, most probably in your `$HOME/.password-store` folder. You can upload that to your favorite git host and have it at your disposal at any time.

Pass can organize, add, edit, generate, and retrieve passwords. Take a look at their page for more info. If that’s not enough, you have many extensions at your disposal; take a look at this GitHub page with some of them.

Conclusion

Often, the best tools are the simplest, and it’s no different here. It’s way safer to use pass as your password manager for the terminal, since it does not save your passwords in the shell history, and it’s also pretty easy to set up. If you are a dev, it’s also very easy to get old passwords and install plugins to expand the capabilities of this terminal password manager.

Using this tool, you can also extend your task automation to scripts that need passwords. The only password you will need to remember is the GPG one with which you encrypted your key.
