⚠️ Fluidkeys is no longer maintained. This page is kept for posterity.
Store shared team passwords and secrets in pass with automatic syncing via git. Because Fluidkeys keeps team keys updated and signs them with GnuPG, it’s easy to use pass for team shared passwords and secrets.
pass
Password Store
├── office
│   └── wifi
└── jenkins
    └── github-webhook-token
For this example we’ll be using GitHub and an imaginary team called kiffix.
If you're already using pass for personal passwords, we suggest using a completely separate ~/.password-store directory.
You’ll need:
Create a new repo on e.g. GitHub, Bitbucket or GitLab.
We call our repo fluidkeys/pass and it’s public.
Future versions of Fluidkeys will automate these steps for your team. See our public roadmap.
Extract the team’s emails from your signed team roster so pass knows who to encrypt to:
TEAM_EMAILS=$(cat ~/.config/fluidkeys/teams/*/roster.toml | grep email | cut -d'"' -f2)
echo "setting up pass for $TEAM_EMAILS"
setting up pass for tina@kiffix.com, chat@kiffix.com, mark@kiffix.com
pass init ${TEAM_EMAILS}
mkdir: created directory '/home/paul/.password-store'
Password store initialized for tina@kiffix.com, chat@kiffix.com, mark@kiffix.com
pass git init
pass git remote add origin git@github.com:kiffix/pass.git
Edit ~/.password-store/.git/hooks/post-commit and add these lines:
#!/bin/sh -x
git push origin master:master
Make post-commit executable:
chmod +x ~/.password-store/.git/hooks/post-commit
So far, so good. Let’s make sure we can encrypt and decrypt passwords. Try adding a password with pass insert:
pass insert office/wifi
Enter password for test/test:
Retype password for test/test:
+ git push origin master:master
Counting objects: 3, done.
Delta compression using up to 4 threads.
Compressing objects: 100% (3/3), done.
Writing objects: 100% (3/3), 1.56 KiB | 798.00 KiB/s, done.
Total 3 (delta 0), reused 0 (delta 0)
To github.com:kiffix/pass
e459005..31d83cb master -> master
[master 31d83cb] Add given password for office/wifi to store.
1 file changed, 0 insertions(+), 0 deletions(-)
create mode 100644 wifi.gpg
The password has been encrypted, committed to git and pushed to the remote repo.
Now read it back with pass:
pass office/wifi
dividable.county.smuggling.movable.oaf.afternoon
That’s it! You’ve set up pass for shared passwords. These will be automatically pushed to GitHub when they’re updated.
Next, let’s set up other team members.
When someone joins the team, set up their machine to use the shared password repo:
git clone git@github.com:fluidkeys/pass.git ~/.password-store
Cloning into '~/.password-store'...
remote: Enumerating objects: 26, done.
remote: Counting objects: 100% (26/26), done.
remote: Compressing objects: 100% (22/22), done.
remote: Total 26 (delta 4), reused 23 (delta 1), pack-reused 0
Receiving objects: 100% (26/26), 11.57 KiB | 5.78 MiB/s, done.
Resolving deltas: 100% (4/4), done.
Edit ~/.password-store/.git/hooks/post-commit and add these lines:
#!/bin/sh -x
git push origin master:master
Make post-commit executable:
chmod +x ~/.password-store/.git/hooks/post-commit
That’s it! Now you and your team can share passwords, automatically synced using git.
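The store is only readable by the right people while pass's recipient list matches the roster. The script below is an added example, not part of the original Fluidkeys guide: it reports drift between the emails extracted from roster.toml and `.gpg-id`, the file in the password store where `pass init` records its recipients. The function name `gpg_id_drift` and the sample roster lines are constructed for illustration, and the roster layout is assumed to be whatever the guide's `grep email | cut` pipeline parses.

```shell
#!/bin/sh
# Added example: report drift between the team roster and pass's recipients.
# Assumes .gpg-id holds the emails passed to `pass init`, as in this guide
# (it would hold key IDs instead if the store had been initialised with those).

# Prints "missing <email>" for roster members pass does not encrypt to and
# "extra <email>" for recipients absent from the roster; returns 1 on drift.
gpg_id_drift() {
    roster=$1
    gpg_id=$2
    want=$(mktemp)
    have=$(mktemp)
    # Same extraction as the setup step: the quoted value on each email line.
    grep email "$roster" | cut -d'"' -f2 | sort -u > "$want"
    # .gpg-id lists one recipient per line; ignore blank lines.
    grep -v '^[[:space:]]*$' "$gpg_id" | sort -u > "$have"
    drift=$(
        comm -23 "$want" "$have" | sed 's/^/missing /'
        comm -13 "$want" "$have" | sed 's/^/extra /'
    )
    rm -f "$want" "$have"
    if [ -n "$drift" ]; then
        printf '%s\n' "$drift"
        return 1
    fi
    return 0
}

# Constructed sample data: mark has left the roster, chat has joined it.
demo() {
    dir=$(mktemp -d)
    printf '%s\n' 'email = "tina@kiffix.com"' \
                  'email = "chat@kiffix.com"' > "$dir/roster.toml"
    printf '%s\n' 'tina@kiffix.com' 'mark@kiffix.com' > "$dir/.gpg-id"
    gpg_id_drift "$dir/roster.toml" "$dir/.gpg-id" ||
        echo "recipient list differs from roster"
    rm -rf "$dir"
}
demo
```

Against a real store, pass it the roster path from the setup step and `~/.password-store/.gpg-id`. Re-running `pass init` with a corrected list re-encrypts the entries, but earlier commits in the git history stay decryptable by a removed key, so rotate the affected secrets as well.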
Here are some helpful commands to get you started.
pass
Password Store
├── office
│   └── wifi
└── jenkins
    └── github-webhook-token
You can see the corresponding file structure by looking in ~/.password-store.
pass insert
pass insert office/wifi
Enter password for test/test:
pass insert --multiline
pass insert --multiline
Enter contents of test/multiline and press Ctrl+D when finished:
1c626a86-5181-11e9-a4c2-77d3a1368a19
# ^^ this is the access token for foobar
# you can use multi-line passwords to add comments like this one.
# we also use them to store PGP key backups and certificates
Like all passwords in pass, it’s a flat file with no schema (a normal password is just a file with only 1 line).
pass office/wifi
dividable.county.smuggling.movable.oaf.afternoon
pass -c
pass -c office/wifi
Copied office/wifi to clipboard. Will clear in 45 seconds.
For multiline files, pass just copies the first line.
pass git pull
pass git pull
Already up-to-date.
Current branch master is up-to-date.
You might need to configure the branch if you see an error about no tracking information.
pass edit
pass edit office/wifi
That’s it!
For more docs, extensions, GUIs and compatible clients, visit passwordstore.org
If you see this (familiar) error:
There is no tracking information for the current branch.
Please specify which branch you want to merge with.
See git-pull(1) for details.
Fix it with git branch
pass git branch --set-upstream-to=origin/master master