Sharing secrets with passFri, Nov 13, 2015 · 3 minute read
I don’t like password managers. I don’t trust them. But when you work in a small team and use a lot of different servers and technologies you sometimes have to securely store and share a secret with them. There are a lot of password managers out there that can do that but I want a very simple command line tool that just uses standard technologies and — Tata — Pass, the standard unix password manager hits the spot.
The documentation is quite good and there are some helpful blogpost on how to setup
pass. But what I am missing is how to share the stored and encrypted passwords.
pass, you need a GnuPG key which
pass uses to encrypt all your secrets. Run the command and follow the instructions:
$ gpg --gen-key
You should stick to the defaults recommended by GnuPG. Only for the key length I would choose 4096 bits instead of just 2048 bits because you can and bigger is better :-)
After GnuPG has generated the key it prints the details to the key. One line should look something like:
pub 4096R/11223344 2009-07-17
You need to remember (copy into clipboard) the 8 character key id of the public key. Here it is
Now you can initialize your
pass password store with it:
$ pass init 11223344
pass you can use
git to track changes made to the password store and if you have a remote repository, you can also share the store with others. Let’s initialize the git repository with
$ pass git init
And add the remote URL:
$ pass git remote add origin kexec.com:pass-store
pass just uses
git you don’t have to use
pass for managing the repository. You can also just use the bare
git command for that. The default path for the password store is
Now that you have a running
pass setup you can share that with others. For decrypting the secrets you have to export and share the public and private GnuPG key that you just created.
Keep in mind that anyone who has access to the key and knows the password of the key is able to decrypt all your passwords.
$ gpg -a --output gpg-secret-key.asc --export-secret-keys 11223344
If you want to provide a team member access to the password store she needs the exported key in the file
gpg-secret-key.asc, access to the
git remote repository holding the store and the password of the GnuPG key, of course.
This is what the colleague has to do after installing
Import the key into her GnuPG installation:
$ gpg --import gpg-secret-key.asc
Increase the trust-level to maximum with the GnuPG editor:
$ gpg --edit-key 11223344
Now, that you are in the interactive editor you have to enter the following:
5 for ultimate trust, then confirm with
y and enter
quit to exit.
The final step is to clone the
$ git clone kexec.com:pass-store ~/.password-store/
Your colleague is now able to decrypt all passwords and add new ones.
pass password store has some security issues that you should be aware of:
- be careful when giving the public/private GnuPG key and password away. In the wrong hands, everything is lost. You shouldn’t use E-Mail for that. A USB-Drive that is securely wiped clear after sharing the key should do the trick.
- you should also keep the
gitrepository hidden and secure. Pass uses simple files to store the encrypted passwords and the filenames are clear. An attacker with access to the
gitrepository is able to see the clear names of your encrypted passwords and might drew some dangerous conclusions from that.
Please keep that in mind and don’t blame me later ;-)