The ultimate guide to Yubikey on WSL2 [Part 4]

Jaroslav Živný
Mar 8, 2021

If you haven’t set up GPG on your Yubikey, or you cannot access the Yubikey from within WSL, please check Parts 1 and 2 of this series.

Disclaimer: This tutorial was written for WSL2 with Ubuntu. Details may differ from distro to distro.

Managing secrets in WSL with Yubikey

Everybody knows the pain of managing secrets. Let’s imagine you want to access a DB or curl an endpoint with basic auth.

Most people copy the secrets from their own secrets managers (real ones or plain text files) and paste them into the terminal or export them as environment variables. Something like this:

$ curl -u myusername http://example.com
password: <placing-password-here>
$ mysql -umyusername -p
password: <placing-password-here>

There is actually a better way to approach this. Unix systems provide pass as a standard secrets manager, and WSL is no exception.

Pass stores your secrets in files which are encrypted by your GPG key.

In case pass is not installed on your WSL distro, run: sudo apt install pass

Since we have already set up our GPG key with the Yubikey, we can use it to encrypt and decrypt our secrets in pass.

Initializing pass store

For this we will need the ID of our GPG key. You can get it via

$ gpg --list-keys

Getting GPG ID

Copy the key ID and initialize the pass store via

$ pass init YOUR_KEY_ID # In my case 1E9...

Adding secrets to pass

Let’s take a look at an example using a mysql password. Let’s create a secret named mysql-pass

$ pass add mysql-pass

Now paste the password two times and that’s it.

Getting the secret value

Perfect, you created your first secret. Now let’s take a look at how to reveal the value and how to use it in commands.

Assuming you have connected your Yubikey, you can get the value via

$ pass mysql-pass

It’ll prompt you to enter your PIN.

PIN Prompt

After unlocking your card, pass will print the secret.

When you want to use the secret directly in a command, you can use command substitution. Let’s take a look at our mysql example

$ mysql -umyusername -p$(pass mysql-pass)
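
Command substitution places the decrypted password in the client's argument list, where it can show up in the process list. As an added example (not from the original article), here is the curl case from the introduction with the secret handed to curl on stdin through its --config - option instead; the function names and the secret name example-pass are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example, not from the original article: give curl the basic-auth
# password from pass through stdin instead of the command line.

# Print the first line of a pass entry (by pass convention, the password).
# Fails if pass fails (e.g. Yubikey unplugged) or the entry is empty.
secret_line() (
  entry=$(pass show "$1") || exit 1
  line=$(printf '%s\n' "$entry" | head -n 1)
  [ -n "$line" ] || exit 1
  printf '%s\n' "$line"
)

# Escape backslash and double quote for a double-quoted curl config value.
cfg_escape() { printf '%s' "$1" | sed 's/[\\"]/\\&/g'; }

# Print a curl config line carrying the credentials.
# usage: curl_auth_config <user> <secret-name>
curl_auth_config() (
  case $1 in
    *:*) echo "user name must not contain ':'" >&2; exit 2 ;;
  esac
  pw=$(secret_line "$2") || exit 1
  printf 'user = "%s:%s"\n' "$(cfg_escape "$1")" "$(cfg_escape "$pw")"
)

# Run curl with the config on stdin. printf is a shell builtin, so the
# password is never in any process's argument list.
# usage: curl_with_pass <user> <secret-name> <curl args...>
curl_with_pass() (
  user=$1; name=$2; shift 2
  cfg=$(curl_auth_config "$user" "$name") || exit 1
  printf '%s\n' "$cfg" | curl --config - "$@"
)

# Example (hypothetical secret name "example-pass"):
#   curl_with_pass myusername example-pass http://example.com
```

The functions run in subshells, so the decrypted value does not remain in a variable of the interactive shell after the call.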

Other useful commands

Here I’m listing just a bunch of other commands which I found useful.

$ pass
# Will show list of all secret names
$ pass rm <secret-name>
# Will delete your secret
$ pass generate <secret-name>
# Will generate a random secret for you and store it

What can be useful for teams is the ability to share the encrypted pass files over Git using

$ pass git ...

More info can be found here.
