<div dir="ltr">Hi Renato,<div><br></div><div>Thanks for the snippet, this is perfect. I meant that it feels "more secure" to me to be storing these types of secrets in a gpg encrypted file and only decrypting them on an as-needed basis instead of storing them in cleartext in various config files in a home directory. Not ideal, but seemed like the easiest way to integrate with third party tools (like awscli) that support reading the secrets out of the environment. Let me know if there is an even better way to do this.</div><div><br></div><div>Thanks,</div><div>-Gabe</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, May 4, 2016 at 6:12 PM, Renato Alves <span dir="ltr"><<a href="mailto:alves.rjc@gmail.com" target="_blank">alves.rjc@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi Gabe,<br>
<br>
A simple script:<br>
<br>
#!/bin/bash<br>
# Load the decrypted passfile (its export lines) into this shell's environment<br>
source <(pass "$1")<br>
shift<br>
# Replace this shell with the requested command, which inherits the variables<br>
exec "$@"<br>
<br>
If called with:<br>
<br>
./script.sh env/mytool/dev ./mytool.py takes_arguments<br>
<br>
Should produce what you desire.<br>
<br>
But as a general note I wouldn't call this "more secure" though. Once<br>
something is added to the environment it will often remain there during<br>
the lifetime of the process. Also true for forked processes if the<br>
environment is not sanitized.<br>
<br>
<br>
Cheers,<br>
Renato<br>
<div><div class="h5"><br>
<br>
Gabe Mulley wrote on 05/04/2016 11:35 PM:<br>
> I am planning on developing a patch for this feature, but wanted to run<br>
> it by the list first. The goal of the feature is to enable more secure<br>
> usage and development of tools that expect passwords and other sensitive<br>
> data to be stored in environment variables.<br>
><br>
> I want to do something like this:<br>
><br>
> pass exec --env=env/mytool/dev ./mytool.py<br>
><br>
> Where "env/mytool/dev" is a passfile with the following content:<br>
><br>
> export MYTOOL_ENV=dev<br>
> export SOME_SECURE_VAR=secret<br>
> export ANOTHER_SECURE_VAR="another secret"<br>
><br>
> The goal is run "./mytool.py" in a transient shell that has the<br>
> variables defined in the environment.<br>
><br>
> Imagine something like this (open to ideas about how to make this work<br>
> with other shells):<br>
><br>
> BASH_ENV=/dev/shm/password-store.sh.yhONUYbBTB8Mr/maTNsc-test bash -c<br>
> "./mytool.py"<br>
><br>
> Where the temporary file contains the decrypted content of the passfile.<br>
><br>
> This could be used to store AWS keys (for example).<br>
><br>
> What are your thoughts? Would this type of patch be accepted if I<br>
> developed it? Is there a better way to accomplish this goal?<br>
><br>
> Thanks,<br>
> -Gabe<br>
><br>
><br>
</div></div>> _______________________________________________<br>
> Password-Store mailing list<br>
> <a href="mailto:Password-Store@lists.zx2c4.com">Password-Store@lists.zx2c4.com</a><br>
> <a href="http://lists.zx2c4.com/mailman/listinfo/password-store" rel="noreferrer" target="_blank">http://lists.zx2c4.com/mailman/listinfo/password-store</a><br>
><br>
<br>
<br>
<br></blockquote></div><br></div>
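<p>An added example (not code from the password-store project or from either message) that models the proposed <code>pass exec --env=ENTRY CMD...</code> on top of Renato's script and shows his caveat about inheritance: <code>decrypt_entry</code> is a stub standing in for <code>pass ENTRY</code>, and its export lines are a constructed sample in the format Gabe describes.</p>

```shell
#!/bin/sh
# Added example, not code from the password-store project or from the thread.
# Models `pass exec --env=ENTRY CMD...` on top of Renato's wrapper, with
# decrypt_entry() standing in for `pass ENTRY` so the script runs offline.

# Stub for `pass ENTRY`: emits the decrypted passfile. The export lines are a
# constructed sample in the format Gabe describes, not real secrets.
decrypt_entry() {
    case "$1" in
        env/mytool/dev)
            printf '%s\n' 'export MYTOOL_ENV=dev' \
                          'export SOME_SECURE_VAR=secret' \
                          'export ANOTHER_SECURE_VAR="another secret"' ;;
        *) echo "decrypt_entry: no such entry: $1" >&2; return 1 ;;
    esac
}

# run_with_secrets ENTRY CMD [ARGS...]
# Loads the entry inside a subshell and execs CMD there, so the variables
# exist only in that process tree and the caller's environment is untouched.
# Evaluating the decrypted text in memory avoids the BASH_ENV temp file.
run_with_secrets() {
    (
        entry="$1"; shift
        content=$(decrypt_entry "$entry") || exit 1
        eval "$content"
        exec "$@"
    )
}

# secret_var_names ENTRY: the variable names the entry exports.
secret_var_names() {
    decrypt_entry "$1" | sed -n 's/^export \([A-Za-z_][A-Za-z0-9_]*\)=.*/\1/p'
}

# run_scrubbed ENTRY CMD [ARGS...]
# Renato's caveat: every child of CMD inherits the secrets unless the
# environment is sanitized. This runs CMD with the entry's variables removed,
# for helper processes that have no need to see them.
run_scrubbed() {
    entry="$1"; shift
    unset_opts=""
    for name in $(secret_var_names "$entry"); do
        unset_opts="$unset_opts -u $name"
    done
    # $unset_opts is deliberately unquoted so each "-u NAME" is its own word
    env $unset_opts "$@"
}
```

The grandchild case in the test below is the point of Renato's note: without <code>run_scrubbed</code>, a command spawned by the tool still sees the secrets.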