
How CLI Password Managers Saved Hours of Work and Embarrassment


What Is This CLI Password Manager You Speak Of?

Using Pass, the Unix password manager, has completely changed the way I handle API keys and other sensitive environment variables.

As developers and engineers, the way we handle sensitive secrets is usually just throwing them in a .env or a config file and calling it a day. However, that is extremely insecure and also prone to data loss. How many times have you all DM’d a colleague to ask them to give you their .env file because you accidentally deleted yours doing your weekly shitty GitHub project cleaning?

And how many times did you forget to set up a .gitignore file and needed to use git-filter-repo to delete the history?

pass solves all that.

How? Git.

I know I’m beating a dead horse each time I talk about how Git solves all our problems, but what do you want me to do — lie? It does. The answer is always Git.

pass uses Git and GPG as its backend. This allows you to save your keys in a “private” repository and not worry about them being stolen, because they’ll be encrypted. (The contents are, that is. Entry names are plain file names in the repo, which is why the naming advice further down matters.)

So How Do I Do That?

First, install Pass. I will show how it’s done for Fedora, since that is the correct distro. FIGHT ME!

sudo dnf install pass

The Boring Stuff (GPG Setup)

We just generate a GPG key:

gpg --gen-key

This launches an interactive wizard. GPG will ask for your name and email — these are just metadata tied to the key, so use whatever you like; it doesn’t matter, I’m not your mom. (gpg --gen-key uses the default key type and size; gpg --full-generate-key lets you choose them, but the defaults are fine here.) After that, it will prompt you to set a passphrase. Do not skip this step — the passphrase is what protects your private key. If someone gets their hands on it and there’s no passphrase, they own everything you’ve encrypted.

Real name: Your Name
Email address: you@example.com
You selected this USER-ID:
    "Your Name <you@example.com>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O

Once the key is generated, you’ll want to set it to never expire so you don’t have to deal with renewal (find the key ID with gpg --list-keys):

I know, I know, key rotation is important, but counterpoint: I don’t want to fucking deal with it.

gpg --edit-key <KeyID>

This drops you into an interactive GPG prompt (gpg>). Here’s what each command you’ll type does:

  • expire — enters the expiration submenu
  • 0 — selects “key does not expire”
  • y — confirms the change when GPG asks “Is this correct?”
  • save — writes the changes to disk and exits the prompt

gpg> expire
Changing expiration time for the primary key.
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Your selection? 0
Key does not expire at all
Is this correct? (y/N) y

gpg> save

Let’s Start the Fun Part (Pass Setup)

Initialise the store with the ID of the key you just generated:

pass init <KeyID>

Then we init the Git repository:

pass git init

Then add your keys:

pass insert llm/deepseek

Important note: Do not use your email as the pass entry name! That is a credential leak — albeit a minor one. If you want to add emails to your password entry, just use pass edit <key name>.

It will then prompt you to type in your “password” — just paste your key there.

Backups

Now we’ll just push the local repository to GitHub using the GitHub CLI.

Don’t forget to make it a private repo. Yes, the entries are encrypted, but more security never hurts.

gh repo create

Then take the URL of the empty remote repository and set it as the origin of your pass repository:

pass git remote add origin git@github.com:<GithubUsername>/<RepositoryName>

You aren’t using SSH? First of all — ew. Second of all, here is the HTTPS version, I guess.

pass git remote add origin https://github.com/<GithubUsername>/<RepositoryName>

I’ll write a guide at a later date on how to use SSH for your Git operations — though it’s not that hard.

After that, just push the keys and you’re done. (pass git init names the first branch after your Git init.defaultBranch setting, so use master below if that is what it created.)

pass git push origin main
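Before you push, a quick sanity check of the store catches the two mistakes this post warns about, plaintext files ending up in the repo and entry names that contain an e-mail address, plus a missing remote. This is an added example, not part of pass; it assumes only the layout pass creates (.gpg-id, *.gpg entries, .gitattributes and a .git directory after pass git init).

```shell
#!/bin/sh
# pass-audit.sh: sanity-check a pass store before you push it anywhere.
# Added example, not part of pass itself. Assumes the layout pass creates:
# <store>/.gpg-id, one *.gpg file per entry, .gitattributes, and a .git
# directory after 'pass git init'. Needs only find and grep, no gpg.

# Every file except .gpg-id and .gitattributes should be a .gpg entry;
# anything else is plaintext that would get committed and pushed.
find_plaintext_entries() {
    find "$1" -type f ! -path '*/.git/*' ! -name '.gpg-id' \
        ! -name '.gitattributes' ! -name '*.gpg'
}

# Entry names are plain file names, so an address used as a name is
# visible to anyone who can read the repository, encrypted contents or not.
find_email_named_entries() {
    find "$1" -type f -name '*.gpg' ! -path '*/.git/*' \
        | grep -E '[^/@]+@[^/@]+\.[^/@]+\.gpg$' || true
}

# Read .git/config directly instead of shelling out to git.
has_git_remote() {
    [ -f "$1/.git/config" ] && grep -q '^\[remote "origin"]' "$1/.git/config"
}

# Returns 0 when the store is clean, 1 when anything was flagged.
audit_store() {
    store="$1"; rc=0
    if [ ! -f "$store/.gpg-id" ]; then
        echo "FAIL: $store/.gpg-id missing; run 'pass init <KeyID>' first"; rc=1
    fi
    plain=$(find_plaintext_entries "$store")
    if [ -n "$plain" ]; then
        echo "FAIL: unencrypted files in the store:"; echo "$plain"; rc=1
    fi
    emails=$(find_email_named_entries "$store")
    if [ -n "$emails" ]; then
        echo "WARN: entry names that contain an e-mail address:"; echo "$emails"; rc=1
    fi
    if ! has_git_remote "$store"; then
        echo "WARN: no 'origin' remote; run 'pass git remote add origin <url>'"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: $store looks sane"
    return "$rc"
}

# Usage: sh pass-audit.sh ~/.password-store (no argument: only define functions).
if [ -n "${1:-}" ]; then
    audit_store "$1"
fi
```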

How Can I Access My Keys From Another Machine?

Well, my astute reader, what you need to do is export your keys and place them somewhere secure, e.g. a password manager like Bitwarden. How can you do that? Here you go:

# Let's make a directory to save the files to
mkdir exported_keys
cd exported_keys
gpg --output public.gpg --armor --export <email>
gpg --output private.gpg --armor --export-secret-key <email>

And then you can either move them to your NAS over SCP:

Make sure that your NAS is also encrypted. If it isn’t, you just moved the vulnerability from your personal machine to your NAS — you didn’t plug any holes, just added more availability. (The files you exported are your raw GPG keys, not something pass encrypted; they are what does the encrypting. The private key file is protected only by the passphrase you set earlier.)

cd ..
scp -r exported_keys nas_username@nas_hostname:destination

Or move them to your password manager:

Note: wl-copy is Wayland-specific. If you’re on X11, use xclip -selection clipboard instead. But if you know what X11 is, why the hell are you reading this guide anyway? You don’t need to, but thanks for the engagement, my fellow basement dweller.

cat public.gpg | wl-copy
cat private.gpg | wl-copy
cd ..

And then paste them into your password manager. Don’t forget to remove the exported files afterwards:

rm -r exported_keys

Conclusion / Summary

Author: Abdulaziz Askar