[pass] Feature proposal: secure environment variables

Gabe Mulley gabe at edx.org
Wed May 4 23:35:17 CEST 2016


I am planning on developing a patch for this feature, but wanted to run it
by the list first. The goal of the feature is to enable more secure usage
and development of tools that expect passwords and other sensitive data to
be stored in environment variables.

I want to do something like this:

pass exec --env=env/mytool/dev ./mytool.py

Where "env/mytool/dev" is a passfile with the following content:

export MYTOOL_ENV=dev
export SOME_SECURE_VAR=secret
export ANOTHER_SECURE_VAR="another secret"

The goal is to run "./mytool.py" in a transient shell that has the variables
defined in the environment.

Imagine something like this (open to ideas about how to make this work with
other shells):

BASH_ENV=/dev/shm/password-store.sh.yhONUYbBTB8Mr/maTNsc-test bash -c "./mytool.py"

Where the temporary file contains the decrypted content of the passfile.

This could be used to store AWS keys (for example).

What are your thoughts? Would this type of patch be accepted if I developed
it? Is there a better way to accomplish this goal?

Thanks,
-Gabe
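The flow described above, as an added shell example that is not part of the original post or of pass itself: the decrypted passfile is copied into a mode-0600 temporary file (in /dev/shm when available) and handed to a child bash through BASH_ENV, then removed. The `pass show` decryption step is replaced by a constructed sample file, and the function names are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not pass's own code): sketch of "pass exec --env".

# Constructed sample standing in for the decrypted passfile env/mytool/dev.
make_sample_env() {
    f=$(umask 077; mktemp "${TMPDIR:-/tmp}/sample-env.XXXXXXXXXX") || return 1
    cat > "$f" <<'EOF'
export MYTOOL_ENV=dev
export SOME_SECURE_VAR=secret
export ANOTHER_SECURE_VAR="another secret"
EOF
    printf '%s\n' "$f"
}

# run_with_env <decrypted-env-file> <command-string>
# Runs the command in a transient bash whose environment holds the exports.
run_with_env() {
    envfile=$1
    cmd=$2
    # Prefer RAM-backed /dev/shm as in the proposal; fall back to TMPDIR.
    # /dev/shm is world-writable, so the restrictive umask is what keeps the
    # plaintext from being readable by other local users.
    tmpdir=/dev/shm
    [ -d "$tmpdir" ] && [ -w "$tmpdir" ] || tmpdir=${TMPDIR:-/tmp}
    tmp=$(umask 077; mktemp "$tmpdir/password-store.XXXXXXXXXX") || return 1
    cat "$envfile" > "$tmp" || { rm -f "$tmp"; return 1; }
    # The child sources $tmp via BASH_ENV, so the secrets reach its
    # environment without ever appearing on a command line (visible in ps).
    # They are still inherited by every child of the command and readable
    # in /proc/<pid>/environ by processes running as the same user.
    if BASH_ENV=$tmp bash -c "$cmd"; then rc=0; else rc=$?; fi
    # Remove the plaintext as soon as the command exits.
    if command -v shred >/dev/null 2>&1; then shred -u "$tmp"; else rm -f "$tmp"; fi
    return $rc
}

# Demo: the variables exist only inside the child shell.
sample=$(make_sample_env)
run_with_env "$sample" 'echo "MYTOOL_ENV=$MYTOOL_ENV"'
rm -f "$sample"
```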