Server administrators manage a lot of passwords. Every database, content management system, user account, application, and third-party service should be protected by a long, random, and unique password.
Managing all these passwords can be a headache, so we often turn to cloud password management services like 1Password and LastPass. But what if you prefer to store sensitive server passwords locally in a file that is under your control and that you can access on the server command line?
You could do it manually, putting passwords and other sensitive data in text files encrypted with tools like OpenSSL. But the manual approach is prone to mistakes: it’s easy to forget to encrypt a text file when you’re finished with it. There are tools that make password management a little easier and less error-prone.
Pass is a battle-tested tool for managing passwords on the command line. Passwords are stored in encrypted files in a simple directory structure, which means they can be moved and processed with Unix command line tools in the same way as any other text file.
Pass provides commands for adding, removing, editing, and generating secure passwords. Pass isn’t in the default CentOS repositories, but it is in EPEL, which you can add with the following command on CentOS 7:
yum install epel-release
Pass can then be installed with:
yum install pass
Pass uses a GPG key pair to encrypt password files. If you don’t already have a suitable key pair, you can generate one by following these instructions.
Before using Pass, you will need to create the password store and tell it which key pair to use:
pass init $keypair_id
Then you can add a new password with this command, where $password_name is a unique name for the password and its associated data:
pass insert $password_name
Once you have added passwords, they can be copied to the clipboard with:
pass show --clip $password_name
A particularly nice feature of Pass is its ability to integrate with Git. Because the password store is just a directory, it can be made into a Git repository under version control with:
pass git init
You can manage the repository with standard git commands using pass git $git_command.
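Because the store is a plain directory that gets copied between servers and committed with pass git, it is worth checking that every file in it really is encrypted before it leaves the machine. The script below is an added example, not code from the original article or the Pass project; the function names audit_store and is_openpgp and the finding labels are hypothetical, and it assumes the Pass default layout (*.gpg entries next to a .gpg-id file, default location ~/.password-store).

```shell
#!/bin/sh
# Added example (not from the article or the Pass project): audit a Pass store
# for files that would leak secrets if the directory were copied or pushed.
# Assumed layout (Pass defaults): entries are *.gpg files under the store
# directory, next to a .gpg-id file naming the recipient key.

# Print one finding per line; return 0 if the store is clean, 1 otherwise.
audit_store() {
    store="${1:-${PASSWORD_STORE_DIR:-$HOME/.password-store}}"
    report=$(
        [ -f "$store/.gpg-id" ] || echo "NO-GPG-ID $store"
        # Skip Git metadata and Pass's own bookkeeping files.
        find "$store" -name .git -prune -o -type f \
             ! -name .gpg-id ! -name .gitattributes -print |
        while IFS= read -r f; do
            case "$f" in
                (*.gpg) is_openpgp "$f" || echo "NOT-ENCRYPTED $f" ;;
                (*)     echo "STRAY-FILE $f" ;;
            esac
            # Group/other access exposes ciphertext and entry names to
            # other local users; Pass itself writes owner-only files.
            [ "$(ls -ld "$f" | cut -c5-10)" = "------" ] || echo "LOOSE-PERMS $f"
        done
    )
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# Heuristic: a binary OpenPGP message starts with a packet tag whose top bit
# is set (RFC 4880); an ASCII-armored one starts with the armor header line.
is_openpgp() {
    first=$(head -c 1 "$1" | od -An -tu1 | tr -d ' \n')
    [ -n "$first" ] && [ "$first" -ge 128 ] && return 0
    head -n 1 "$1" | grep -q '^-----BEGIN PGP MESSAGE-----'
}

# Usage: sh audit.sh /path/to/store
if [ "$#" -gt 0 ]; then audit_store "$1"; fi
```

A non-zero exit status makes the check usable as a Git pre-commit or pre-push hook inside the store.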
KeePass is a popular open source password management tool with several GUI and command line interfaces. If Pass is too bare-bones for you, take a look at KeePass.
KeePass uses an open database standard to store passwords. The database is portable, so it can be moved between servers and other devices easily.
The best way to manage a KeePass database on the command line is with the kpcli utility, which can be installed from the EPEL repository.
Command line password managers are a simple, convenient, and secure way to manage passwords while remotely logged in to servers over SSH.