Pass is a password manager that uses GnuPG for encryption and decryption of stored passwords. Strengthen the security of your API key and client authentication certificate password by storing them in Pass.
Once your credentials are stored, all DigiCert® KeyLocker client tools can pull your credentials from Pass.
Install GPG on the machine (already included in most Linux distributions)
Install Pass
Create a GPG key
To install Pass on Linux:
If you do not have a local GPG key, follow the steps below to create one:
Run:
gpg2 --full-generate-key
For the key type, select option 1:
Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
Your selection? 1
Specify the key size:
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want?
Specify the key validity:
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Command sample:
Key is valid for? (0) 1y
Key expires at Fri 21 Jun 2024 17:50:12 CET
Specify Y if the key validity is correct:
Is this correct? (y/N) y
Provide your full name, email address, and comment if necessary to create your user ID (UID):
GnuPG needs to construct a user ID to identify your key.
Real name: John Doe
Email address: john.doe@example.com
Comment: Pass
Select O if the information is correct:
You selected this USER-ID:
    "John Doe (Pass) <john.doe@example.com>"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
Specify a passphrase for the key. This passphrase is the master password that unlocks your pass datastore.
Warning
To use Pass in an automated environment like a CI/CD pipeline:
Do not set a passphrase for the GPG key. Leave the passphrase field empty when prompted and accept the warning that follows.
If you configure a passphrase, GPG's password prompt cannot be answered in an automated environment, so the client tools will be unable to retrieve the stored credentials.
To identify your GPG key ID required for Pass, run:
gpg2 --list-secret-keys --keyid-format LONG
Output sample:
sec   4096R/ABCD1234ABCD1234 2023-06-21 [expires: 2024-06-21]
uid                          John Doe (Pass) <jdoe@example.com>
To initiate your pass datastore using your GPG key ID, run:
pass init '<GPG key ID>'
Command sample:
pass init 'ABCD1234ABCD1234'
To save credentials to Pass, run:
smctl credentials save <API Key> <Client authentication certificate password>
You can run this command again at any time to overwrite the stored credentials.
Note
Once your API key and client authentication certificate password are securely stored in Pass, use the following commands to set the host and client authentication certificate for SMCTL:
export SM_HOST=<host URL>
export SM_CLIENT_CERT_FILE=<P12 client authentication certificate file path>
Alternatively, you can store these variables in a properties file or persistent variables.
To delete the credentials saved in Pass, run:
smctl credentials delete
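The steps above (create a key, look up its long key ID, initialise the datastore, save the credentials) can be scripted for a CI/CD runner. The following is an added example, not DigiCert's or the Pass project's code. It assumes gpg2, pass and smctl are on PATH when the full setup runs; the two helper functions (building a GnuPG batch parameter file, and extracting the long key ID from the list-secret-keys output) work without them. The name, e-mail and comment values are placeholders.

```shell
#!/bin/sh
# Added example (not part of the DigiCert documentation): bootstrap a Pass
# datastore for the KeyLocker client tools on a Linux machine.

# Print a GnuPG batch parameter file for unattended key creation.
# $1 = real name, $2 = e-mail, $3 = comment, $4 = "ci" to create the key with
# no passphrase (the %no-protection directive), which is what an unattended
# pipeline needs because nothing can answer a GPG passphrase prompt there.
gpg_batch_params() {
    printf '%s\n' \
        'Key-Type: RSA' \
        'Key-Length: 4096' \
        'Subkey-Type: RSA' \
        'Subkey-Length: 4096' \
        "Name-Real: $1" \
        "Name-Email: $2" \
        "Name-Comment: $3" \
        'Expire-Date: 1y'
    if [ "$4" = "ci" ]; then
        printf '%s\n' '%no-protection'
    fi
    printf '%s\n' '%commit'
}

# Read "gpg2 --list-secret-keys --keyid-format LONG" output on stdin and print
# the long key ID of the first secret key. Handles both the older
# "4096R/KEYID" field and the newer "rsa4096/KEYID" field.
extract_key_id() {
    awk '$1 == "sec" { split($2, a, "/"); print a[2]; exit }'
}

# Full setup: generate the key, initialise the store, save the credentials.
# $1 = API key, $2 = client certificate password, $3 = "ci" for a key without
# a passphrase (see gpg_batch_params).
setup_pass_store() {
    params=$(mktemp) || return 1
    gpg_batch_params "KeyLocker" "keylocker@example.com" "Pass" "$3" > "$params"
    gpg2 --batch --generate-key "$params"
    rm -f "$params"

    key_id=$(gpg2 --list-secret-keys --keyid-format LONG | extract_key_id)
    if [ -z "$key_id" ]; then
        echo "no secret key found" >&2
        return 1
    fi

    # Only relevant for a passphrase-protected key run from a terminal:
    # without GPG_TTY, gpg cannot show its prompt and decryption fails.
    if [ -t 0 ]; then
        GPG_TTY=$(tty)
        export GPG_TTY
    fi

    pass init "$key_id"
    smctl credentials save "$1" "$2"
}
```

Source the file and call `setup_pass_store "$SM_API_KEY" "$SM_CLIENT_CERT_PASSWORD" ci` on the runner; omit the `ci` argument on a workstation where an interactive passphrase prompt is acceptable.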
Error message
Failed to retrieve credentials from OS, proceeding without. Error: failed retrieving credentials from linux pass: exit status 2: gpg: decryption failed: No secret key
Description
This error occurs when the GPG key used by Pass was created with a passphrase and GPG has no terminal on which to prompt for it.
Solution
Export the GPG TTY environment variable using this command:
export GPG_TTY=$(tty)
Note
When you re-run the failed command, it should prompt you for the passphrase.
Configure the HTTPS_PROXY environment variable if the client tools need to communicate through a proxy.
Anonymous proxy
Use this command if your proxy does not require authentication:
export HTTPS_PROXY=https://<proxy_host>:<proxy_port>
Authenticated proxy
Use this command if your proxy requires authentication:
export HTTPS_PROXY=https://user:password@<proxy_host>:<proxy_port>