Password store plugin: env


Like many, I use pass for storing usernames and passwords. This gives me easy access to credentials in a secure manner.

I don't like the way that the metadata (i.e. filenames) are public, but that aside it is a robust tool I've been using for several years.

The last time I talked about pass was when I talked about showing the age of my credentials, via the integrated git support.

That then became a pass-plugin:

    frodo ~ $ pass age
    6 years ago GPG/root@localhost.gpg
    6 years ago GPG/steve@steve.org.uk.OLD.gpg
    ..
    4 years, 8 months ago Domains/Domain.fi.gpg
    4 years, 7 months ago Mobile/dna.fi.gpg
    ..
    1 year, 3 months ago Websites/netlify.com.gpg
    1 year ago Financial/ukko.fi.gpg
    1 year ago Mobile/KiK.gpg
    4 days ago Enfuce/sre.tst.gpg
    ..

Anyway, today's work involved writing another plugin, named env. I store my data in pass in a consistent form; each entry looks like this:

    username: steve
    password: secrit
    site: http://example.com/login/blah/
    # Extra data

The keys vary: sometimes I use "login", sometimes "username", other times "email", but I always label the fields in some way.

Recently I was working with some CLI tooling that wants to have a username/password specified and I patched it to read from the environment instead. Now I can run this:

    $ pass env internal/cli/tool-name
    export username="steve"
    export password="secrit"

That's ideal, because now I can source that from within a shell:

    $ source <(pass env internal/cli/tool-name)
    $ echo $username
    steve

Or I could directly execute the tool I want:

    $ pass env --exec=$HOME/ldap/ldap.py internal/cli/tool-name
    you are steve
    ..

TLDR: If you store your password entries in "key: value" form you can process them to export $KEY=$value, and that allows them to be used without copying and pasting into command-line arguments (e.g. "~/ldap/ldap.py --username=steve --password=secrit").
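
The "key: value" to export transformation described in this post, as an added example that is not the plugin's own code: it single-quotes each value (rather than using the double quotes shown in the output above) so that shell metacharacters in a stored secret stay literal when the output is sourced. The function names, the rule of skipping keys that are not valid shell identifiers, and the sample entry are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not the env plugin's source.

# Single-quote a value for the shell; an embedded ' becomes '\''.
# Nothing is expanded inside single quotes, so $(...), backticks and
# $VAR in a stored secret stay literal when the output is sourced.
shell_quote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# Read a decrypted entry on stdin, write "export key='value'" lines.
entry_to_exports() {
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|'#'*) continue ;;   # blank line or "# Extra data" comment
            *:*) ;;                # labelled "key: value" field
            *) continue ;;         # unlabelled line
        esac
        key=${line%%:*}            # text before the first colon
        value=${line#*:}           # text after it (URLs keep their colons)
        value=${value#"${value%%[! ]*}"}   # trim leading spaces
        case "$key" in             # keep only valid shell identifiers
            ''|[0-9]*|*[!A-Za-z0-9_]*) continue ;;
        esac
        printf 'export %s=%s\n' "$key" "$(shell_quote "$value")"
    done
}

# Constructed sample entry in the layout shown above (assumption).
sample_entry() {
    cat <<'EOF'
username: steve
password: s3c'rit $(echo INJECTED) `date`
site: http://example.com/login/blah/
# Extra data
bad-key: skipped
EOF
}

sample_entry | entry_to_exports
```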