Skip to main content

Pass

Pass is a password manager that uses GnuPG for encryption and decryption of stored passwords. Strengthen the security of your API key and client authentication certificate password by storing them in Pass.

Once your credentials are stored, all DigiCert​​®​​ Software Trust Manager client tools can pull your credentials from Pass.

Prerequisites

  • Install GPG on the machine (already included in most Linux distributions)

  • Install Pass

  • Create a GPG key

Install Pass

To install Pass on Linux:

Create GPG key

If you do not have a local GPG key, follow the steps below to create one:

  1. Run:

    gpg2 --full-generate-key
  2. For the key type, select option 1:

    Please select what kind of key you want:
    
       (1) RSA and RSA (default)
       (2) DSA and Elgamal
       (3) DSA (sign only)
       (4) RSA (sign only)
    
    Your selection? 1
  3. Specify the key size:

    RSA keys may be between 1024 and 4096 bits long.
    What keysize do you want?
  4. Specify the key validity:

    Please specify how long the key should be valid.
    
            0 = key does not expire
          <n>  = key expires in n days
          <n>w = key expires in n weeks
          <n>m = key expires in n months
          <n>y = key expires in n years

    Command sample:

    Key is valid for? (0) 1y
    Key expires at Fri 21 Jun 2024 17:50:12 CET
    
  5. Specify Y if the key validity is correct:

    Is this correct? (y/N) y
  6. Provide your full name, email address, and comment if necessary to create your user ID (UID):

    GnuPG needs to construct a user ID to identify your key.
    
    Real name: John Doe
    Email address: john.doe@example.com
    Comment: Pass
    
  7. Select O if the information is correct:

    You selected this USER-ID:
        "John Doe (Pass) john.doe@example.com"
    
    Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
  8. Specify your master password to unlock your pass datastore.

    Avertissement

    To use Pass in an automated environment like a CI/CD pipeline:

    Do not set a passcode for GPG. Leave the passphrase field empty when prompted and accept the warning that comes up.

    If you configure a passphrase, the password prompt from GPG will fail in an automation environment and the client tools will be unable to retrieve credentials for use.

  9. To identify your GPG key ID required for Pass, run:

    gpg2 --list-secret-keys --keyid-format LONG

    Output sample:

    sec   4096R/ABCD1234ABCD1234 2023-06-21 [expires: 2024-06-21] uid         John Doe (Pass) <jdoe@example.com>
  10. To initiate your pass datastore using your GPG key ID, run:

    pass init '<GPG key ID>'

    Command sample:

    pass init 'ABCD1234ABCD1234'

Save credentials to Pass

You can use this command repeatedly to overwrite the credentials stored.

To save credentials to the Pass, run:

smctl credentials save <API Key> <Client authentication certificate password>

Note

Once your API key and client authentication certificate password is securely stored in Pass, use the following command to set the host and client authentication certificate in SMCTL:

export SM_HOST=<host URL>
export SM_CLIENT_CERT_FILE=<P12 client authentication certificate file path>

Alternatively, you can store these variables in a properties file or persistent variables.

Delete credentials from Pass

To delete credentials saved in the Pass, run:

smctl credentials delete

Pass error

Error message

Failed to retrieve credentials from OS, proceeding without. Error: failed retrieving credentials from linux pass: exit status 2: gpg: decryption failed: No secret key

Description

This error occurs when the GPG ecosystem was set up with a passphrase.

Solution

Export the GPG TTY environment variable using this command:

export GPG_TTY=$(tty)

Note

When you re-run the failed command, it should prompt you for the passphrase.

Proxy configuration

Configure the HTTPS_PROXY environment variable if the client tool need to communicate through a proxy.

Anonymous proxy

Use this command if your proxy does not require authentication:

export HTTPS_PROXY=https://<proxy_host>:<proxy_port>

Authenticated proxy

Use this command if your proxy requires authentication:

export HTTPS_PROXY=https://user:password@<proxy_host>:<proxy_port>