If you haven’t setup GPG on Yubikey or you cannot access YubiKey from within WSL. Please check previous parts (1, 2) of this series.
Disclaimer I: This tutorial is written for WSL2 with Ubuntu. It may differ distro from distro.
Managing secrets in WSL with Yubikey
Everybody knows the pain with managing secrets. Let’s imagine, you want to access DB or curl an endpoint with base auth.
Most of the people are copying the secrets from their own Secrets Managers (the real ones or plain text files) and placing them to the terminal or exporting them as an environment variable. Simply something like this:
$ curl -u myusername http://example.com
password: <placing-password-here>
$ mysql –umyusername –p
password: <placing-password-here>
There is actually a better way to approach this. Unix systems provides pass as a standard secrets manager and WSL is no exception.
Pass stores your secrets in files which are encrypted by your GPG key.
In case pass
is not installed on your WSL distro, run: sudo apt install pass
Since we have already set up our GPG key with Yubikey. We can use it to encrypt and decrypt our secrets in pass.
Initializing pass store
For this we will need ID of our GPG key. You can get it via gpg --list-keys
Copy this key over and init the pass storage via
$ pass init YOUR_KEY_ID # In my case 1E9...
Adding secrets to pass
Let’s take a look at example using mysql password. Let’s create a secret named mysql-pass
$ pass add mysql-pass
Now paste the password two times and that’s it.
Getting the secret value
Perfect, you created your first secret. Now let’s take a look how to reveal the value and how to use it in commands.
Assuming you have connected your Yubikey, you can get the value via
$ pass mysql-pass
It’ll promt you to enter your PIN.
After unlocking your card, pass will print you the secret.
When you want to use the secret directly in the commands you can simply use subcommands. Let’s take a look at our mysql example
$ mysql –umyusername –p$(pass mysql-pass)
Other useful commands
Here I’m listing just a bunch of other commands which I found useful.
$ pass
# Will show list of all secret names
$ pass rm <secret-name>
# Will delete your secret
$ pass generate <secret-name>
# Will generate a random secret for you and store it
What can be usefull for teams is an ability to share the encrypted pass files over GIT using pass git ...
More info can be found here.
Top comments (4)
This is one of the most beautiful guides I've ever seen. Just one small detail, on Part 4 I think you shoul add the command to install pass, besides that, this is perfect. I managed to install Yubikey in my WSL environment on my Surface Pro 7. Now I am fully mobile and unstoppable!
Many thanks for you feedback. Pass is on WSL Ubuntu by default, so I didn't bothered to include the instructions. But I'll consider it.
very good one! I would only add the ssh access like explained here: cyberciti.biz/faq/ubuntu-18-04-set...
Many thanks for the feedback. Will try to add it.