Fluidkeys

Use pass in your team with Fluidkeys

Store shared team passwords and secrets in pass with automatic syncing via git. Because Fluidkeys keeps team keys updated and signs them with GnuPG, it’s easy to use pass for team shared passwords and secrets.

pass
Password Store
├── office
│   └── wifi
└── jenkins
    └── github-webhook-token

For this example we’ll be using GitHub and an imaginary team called kiffix.

If you're already using pass for personal passwords, we suggest using a completely separate ~/.password-store directory.

Contents:

  1. Prerequisites
  2. Set up a shared password repo for the team (just once)
  3. Subscribe team members to the password repo
  4. Use pass day-to-day

Prerequisites

You’ll need:

Set up a shared password repo for the team

Create the repo

Create a new repo on, e.g., GitHub, Bitbucket or GitLab.

We call our repo fluidkeys/pass and it’s public.

Get team emails from Fluidkeys

Future versions of Fluidkeys will automate these steps for your team. See our public roadmap.

Extract the team’s emails from your signed team roster so pass knows who to encrypt to:

TEAM_EMAILS=$(cat ~/.config/fluidkeys/teams/*/roster.toml | grep email | cut -d'"' -f2)
echo "setting up pass for $TEAM_EMAILS"
setting up pass for tina@kiffix.com, chat@kiffix.com, mark@kiffix.com

Initialize pass directory `~/.password-store`

pass init ${TEAM_EMAILS}
mkdir: created directory '/home/paul/.password-store'
Password store initialized for tina@kiffix.com, chat@kiffix.com, mark@kiffix.com
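
A check to run whenever the roster changes, added here as an example (it is not Fluidkeys' or pass's own code): it compares the emails in the roster with the recipients that `pass init` recorded in `.gpg-id`. It assumes roster lines of the form `email = "..."`, as the grep/cut pipeline above implies; the function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Fluidkeys' code): detect drift between the team roster
# and the recipients pass encrypts to.
# Assumption: roster.toml has lines of the form  email = "tina@kiffix.com"

# Emails in the roster, one per line, sorted.
roster_emails() {
    sed -n 's/^[[:space:]]*email[[:space:]]*=[[:space:]]*"\([^"]*\)".*/\1/p' "$1" |
        LC_ALL=C sort -u
}

# Recipients recorded by `pass init` (one per line in .gpg-id), sorted.
store_recipients() {
    grep -v '^[[:space:]]*$' "$1/.gpg-id" | LC_ALL=C sort -u
}

# Usage: recipient_drift ROSTER STORE_DIR
# Prints "+ addr" (in roster, not a recipient) and "- addr" (still a
# recipient, no longer in roster). Returns 0 if both sets match, else 1.
recipient_drift() {
    _r=$(mktemp) _s=$(mktemp)
    roster_emails "$1" > "$_r"
    store_recipients "$2" > "$_s"
    _out=$(LC_ALL=C comm -23 "$_r" "$_s" | sed 's/^/+ /'
           LC_ALL=C comm -13 "$_r" "$_s" | sed 's/^/- /')
    rm -f "$_r" "$_s"
    [ -z "$_out" ] && return 0
    printf '%s\n' "$_out"
    return 1
}

# Constructed sample: mark has left the roster, chat is not yet a recipient.
demo_dir=$(mktemp -d)
cat > "$demo_dir/roster.toml" <<'EOF'
# constructed roster, for illustration only
email = "tina@kiffix.com"
email = "chat@kiffix.com"
EOF
printf '%s\n' tina@kiffix.com mark@kiffix.com > "$demo_dir/.gpg-id"
recipient_drift "$demo_dir/roster.toml" "$demo_dir" || echo "roster and .gpg-id differ"
rm -rf "$demo_dir"
```

Running `pass init` again with the current list re-encrypts the existing entries to the new recipients. A removed member can still decrypt the older commits in git history, so rotate the secrets they had access to.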

Convert pass directory into a git repo

pass git init

Set the git remote

pass git remote add origin git@github.com:kiffix/pass.git

Automatically push changes to the repo

Edit ~/.password-store/.git/hooks/post-commit and add these lines:

#!/bin/sh -x

git push origin master:master

Make post-commit executable:

chmod +x ~/.password-store/.git/hooks/post-commit

Test everything's working

So far, so good. Let’s make sure we can encrypt and decrypt passwords. Try adding a password with pass insert:

pass insert office/wifi
Enter password for test/test:
Retype password for test/test:
+ git push origin master:master
Counting objects: 3, done.
Delta compression using up to 4 threads.
Compressing objects: 100% (3/3), done.
Writing objects: 100% (3/3), 1.56 KiB | 798.00 KiB/s, done.
Total 3 (delta 0), reused 0 (delta 0)
To github.com:kiffix/pass
   e459005..31d83cb  master -> master
[master 31d83cb] Add given password for office/wifi to store.
 1 file changed, 0 insertions(+), 0 deletions(-)
 create mode 100644 wifi.gpg

The password has been encrypted, committed to git and pushed to the remote repo.

Now read it back with pass:

pass office/wifi
dividable.county.smuggling.movable.oaf.afternoon

That’s it! You’ve set up pass for shared passwords. These will be automatically pushed to GitHub when they’re updated.

Next, let’s set up other team members.


Subscribe team members to the password repo

When someone joins the team, set up their machine to use the shared password repo:

Clone the repo into `~/.password-store`

git clone git@github.com:fluidkeys/pass.git ~/.password-store
Cloning into '~/.password-store'...
remote: Enumerating objects: 26, done.
remote: Counting objects: 100% (26/26), done.
remote: Compressing objects: 100% (22/22), done.
remote: Total 26 (delta 4), reused 23 (delta 1), pack-reused 0
Receiving objects: 100% (26/26), 11.57 KiB | 5.78 MiB/s, done.
Resolving deltas: 100% (4/4), done.

Automatically push changes to the repo

Edit ~/.password-store/.git/hooks/post-commit and add these lines:

#!/bin/sh -x

git push origin master:master

Make post-commit executable:

chmod +x ~/.password-store/.git/hooks/post-commit

That’s it! Now you and your team can share passwords, automatically synced using git.


Use pass day-to-day

Here are some helpful commands to get you started.

List all passwords

pass
Password Store
├── office
│   └── wifi
└── jenkins
    └── github-webhook-token

You can see the corresponding file structure by looking in ~/.password-store.

Add a password with pass insert

pass insert office/wifi
Enter password for test/test:

Add a text file with pass insert --multiline

pass insert --multiline test/multiline
Enter contents of test/multiline and press Ctrl+D when finished:

1c626a86-5181-11e9-a4c2-77d3a1368a19
# ^^ this is the access token for foobar

# you can use multi-line passwords to add comments like this one.
# we also use them to store PGP key backups and certificates

Like all passwords in pass, it’s a flat file with no schema (a normal password is just a file with only 1 line).

Echo a password to terminal

pass office/wifi
dividable.county.smuggling.movable.oaf.afternoon

Copy a password to clipboard with pass -c

pass -c office/wifi
Copied office/wifi to clipboard. Will clear in 45 seconds.

For multiline files, pass just copies the first line.

Fetch updated passwords with pass git pull

pass git pull
Already up-to-date.
Current branch master is up-to-date.

You might need to configure the branch if you see an error about no tracking information.

Edit a password or text file with pass edit

pass edit office/wifi

That’s it!

For more docs, extensions, GUIs and compatible clients, visit passwordstore.org


Troubleshooting

no tracking information for the current branch

If you see this (familiar) error:

There is no tracking information for the current branch.
Please specify which branch you want to merge with.
See git-pull(1) for details.

Fix it with git branch

pass git branch --set-upstream-to=origin/master master