The ultimate guide to Yubikey on WSL2 [Part 4]

Jaroslav Živný
I am a Cloud Engineer based in Vienna. My favorite technologies are AWS, Kubernetes, Helm and WSL.
Originally published at jardazivny.Medium

If you haven’t set up GPG on your YubiKey, or you cannot access the YubiKey from within WSL, please check the previous parts (1, 2) of this series.

Disclaimer I: This tutorial is written for WSL2 with Ubuntu. The steps may differ from distro to distro.


Managing secrets in WSL with Yubikey

Everybody knows the pain of managing secrets. Imagine you want to access a database or curl an endpoint with basic auth.

Most people copy the secrets from their own secrets managers (the real ones or plain text files) and paste them into the terminal or export them as environment variables. Something like this:

$ curl -u myusername http://example.com
password: <placing-password-here>
$ mysql -umyusername -p
password: <placing-password-here>

There is actually a better way to approach this. Unix systems provide pass as a standard secrets manager, and WSL is no exception.

Pass stores your secrets in files which are encrypted with your GPG key.

Since we have already set up our GPG key with the YubiKey, we can use it to encrypt and decrypt our secrets in pass.

Initializing pass store

For this we will need the ID of our GPG key. You can get it via gpg --list-keys.

[Image: Getting GPG ID]

Copy the key ID and initialize the pass store via:

$ pass init YOUR_KEY_ID # In my case 1E9...

Adding secrets to pass

Let’s take a look at an example using a mysql password. Let’s create a secret named mysql-pass:

$ pass add mysql-pass

Now paste the password two times and that’s it.

Getting the secret value

Perfect, you created your first secret. Now let’s take a look at how to reveal the value and how to use it in commands.

Assuming you have connected your Yubikey, you can get the value via

$ pass mysql-pass

It’ll prompt you to enter your PIN.

[Image: PIN prompt]

After unlocking your card, pass will print the secret.

When you want to use the secret directly in a command, you can simply use command substitution. Let’s take a look at our mysql example:

$ mysql -umyusername -p$(pass mysql-pass)
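Command substitution places the decrypted password on the client's command line, where it can show up in the process list. The functions below are an added example, not part of the original post: they cover the curl basic-auth case from the start of the article and hand the credentials to curl on stdin through its --config - option. The function names and the entry name api-pass are assumptions.

```shell
# Added example (not from the original post); function names are hypothetical.

# Escape \ and " for a double-quoted value in a curl config file.
curl_cfg_escape() {
    printf '%s' "$1" | sed 's/\\/\\\\/g; s/"/\\"/g'
}

# Read a secret on stdin (the output of `pass show NAME`) and print a curl
# config line with basic-auth credentials for user $1.
# The body is a subshell, so the secret never lingers in a shell variable.
basic_auth_config() (
    user=$1
    case $user in
        ''|*:*) echo "user name is empty or contains ':'" >&2; exit 2 ;;
    esac
    # By pass convention the password is the first line; the rest is notes.
    IFS= read -r secret || :
    [ -n "$secret" ] || { echo "empty secret" >&2; exit 1; }
    printf 'user = "%s:%s"\n' \
        "$(curl_cfg_escape "$user")" "$(curl_cfg_escape "$secret")"
)

# curl_with_pass ENTRY USER [curl args...]
# Decrypts ENTRY with pass (YubiKey PIN prompt as usual) and hands the
# credentials to curl on stdin via --config -, so the password is never
# part of curl's command line and never stored in the environment.
curl_with_pass() (
    entry=$1 user=$2
    shift 2
    secret=$(pass show "$entry") || exit 1
    cfg=$(printf '%s\n' "$secret" | basic_auth_config "$user") || exit 1
    printf '%s\n' "$cfg" | curl --config - "$@"
)
```

After sourcing the file, a call looks like: curl_with_pass api-pass myusername http://example.com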

Other useful commands

Here I’m listing just a bunch of other commands which I found useful.

$ pass
# Will show list of all secret names
$ pass rm <secret-name>
# Will delete your secret
$ pass generate <secret-name>
# Will generate a random secret for you and store it

What can be useful for teams is the ability to share the encrypted pass files over Git using pass git ...

More info can be found here.

Discussion (3)

Adrian Puente Z.

This is one of the most beautiful guides I've ever seen. Just one small detail, on Part 4 I think you should add the command to install pass, besides that, this is perfect. I managed to install Yubikey in my WSL environment on my Surface Pro 7. Now I am fully mobile and unstoppable!

Jaroslav Živný Author

Many thanks for your feedback. Pass is on WSL Ubuntu by default, so I didn't bother to include the instructions. But I'll consider it.

Luiz Vessosa

very good one! I would only add the ssh access like explained here: cyberciti.biz/faq/ubuntu-18-04-set...