Disclaimer: This tutorial is wrote for WSL2 with Ubuntu. It may differ distro from distro.
Managing secrets in WSL with Yubikey
Everybody knows the pain with managing secrets. Let’s imagine, you want to access DB or curl an endpoint with base auth.
Most of the people are copying the secrets from their own Secrets Managers (the real ones or plain text files) and placing them to the terminal or exporting them as an environment variable. Simply something like this:
$ curl -u myusername http://example.com
password: <placing-password-here>$ mysql –umyusername –p
There is actually a better way to approach this. Unix systems provides pass as a standard secrets manager and WSL is no exception.
Pass stores your secrets in files which are encrypted by your GPG key.
pass is not installed on your WSL distro, run:
sudo apt install pass
Since we have already set up our GPG key with Yubikey. We can use it to encrypt and decrypt our secrets in pass.
Initializing pass store
For this we will need ID of our GPG key. You can get it via
Copy this key over and init the pass storage via
$ pass init YOUR_KEY_ID # In my case 1E9...
Adding secrets to pass
Let’s take a look at example using mysql password. Let’s create a secret named mysql-pass
$ pass add mysql-pass
Now paste the password two times and that’s it.
Getting the secret value
Perfect, you created your first secret. Now let’s take a look how to reveal the value and how to use it in commands.
Assuming you have connected your Yubikey, you can get the value via
$ pass mysql-pass
It’ll promt you to enter your PIN.
After unlocking your card, pass will print you the secret.
When you want to use the secret directly in the commands you can simply use subcommands. Let’s take a look at our mysql example
$ mysql –umyusername –p$(pass mysql-pass)
Other useful commands
Here I’m listing just a bunch of other commands which I found useful.
# Will show list of all secret names$ pass rm <secret-name>
# Will delete your secret$ pass generate <secret-name>
# Will generate a random secret for you and store it
What can be usefull for teams is an ability to share the encrypted pass files over GIT using
$ pass git ...
More info can be found here.