2022.04.08 - Since writing this a new version of the 1Password CLI came out (2.0) that handles setting environment variables in a much slicker way. The steps below will still work, but I suggest checking out the official “Load secrets into the environment” 1Password CLI docs first.
I also fixed a bunch of spelling mistakes and typos.
Secure Personal Secrets using Environment Variables and 1Password CLI
At work I spend a lot of time ensuring sensitive access credentials such as passwords, API keys, personal access tokens (PATs) and database connection strings are stored in a secure place that’s easy to manage and consume by trusted people and systems. Part of that is never duplicating information, instead pulling it directly from a single, trusted source-of-truth.
Personally I store all my sensitive passwords and keys in 1Password but I still copy/paste anything that’s not a password into various environment variables and configuration files spread across multiple laptops and environments.
I realized just how silly it was to secure my secrets only to expose them to anyone with access to my machines and how much time I wasted ensuring all my environments were configured correctly and up-to-date.
Automate
Taking a cue from my day job, I decided to automate the whole thing in a way that made moving between environments easy and secure, using tools I was already relying on.
Since 1Password is my source of truth where all my secure information is stored I started there.
Setup and Configuration
Install CLI tools - 1Password CLI, jq, httpie
2022.04.10 - Another reminder that 1Password CLI 2 now handles all of this for you!
jq is a CLI for querying and manipulating JSON, which comes in handy when dealing with REST responses. httpie is my preferred curl replacement. jq and httpie aren’t strictly required, but they’re such useful general tools, why not install them?
Authorize Machine
The first time you sign into 1Password on a new machine, whether via the desktop, browser extension, or CLI, you provide both your password and secret key. This authorizes the machine with 1Password. Subsequent logins will only require the main password.
Same command for both Windows and Ubuntu:
Add an API Credential
For this example I added my Home Assistant PAT as an API Credential to 1Password.
Retrieve a Secure Value
The 1Password CLI docs do an excellent job explaining ways to work with and retrieve stored values but the basics are:
- Request the specific item, by name or UUID
- Extract the value to write
- Write value as an environment variable, or wherever else it needs to go
Dump all values for an entry to get the UUID
This fetches the entire record for HASS_REST as JSON and pipes it through jq to make it easier to read.
There are various ways from here to extract just the needed value, including 1Password’s built-in mini query language:
Automate Setting Secure Environment Variables
One of the most common uses for secure values, at least for me at home, is setting various environment variables. Since the whole point of this is automation, I wrote two scripts: one to set environment variables from my personal tokens and another to clear them.
Securing a session
PowerShell
Ubuntu
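As an added example (not the post’s own scripts), here is a bash version of the set/clear pair described above. It assumes the 1Password CLI v1 `op get item` command and jq; the item JSON layout and the sample token are constructed for the example, the item name HASS_REST comes from the post, and the variable name HASS_TOKEN is my choice.

```shell
#!/usr/bin/env bash
# Added example: load a 1Password API Credential into an environment
# variable and clear it again. Assumes 1Password CLI v1 ("op get item")
# and jq. The item JSON layout below is a constructed sample modelled on
# the v1 output; adjust the jq path if your CLI version differs.
set -euo pipefail

# Pull the "credential" field out of an item's JSON read from stdin.
# Assumed v1 layout: details.sections[].fields[] with .t (title), .v (value).
extract_credential() {
  jq -r '[.details.sections[]?.fields[]? | select(.t == "credential") | .v]
         | first // empty'
}

# Fetch an item by name or UUID. OP_BIN lets a test substitute a stub for op.
fetch_item() {
  "${OP_BIN:-op}" get item "$1"
}

# Export the credential as an env var; the value is never echoed or written
# to disk, and it only ever travels through a pipe, not a command line.
load_secret() {
  local item="$1" var="$2" value
  value="$(fetch_item "$item" | extract_credential)"
  [ -n "$value" ] || { echo "no credential field in item $item" >&2; return 1; }
  export "$var=$value"
}

# Unset what we populated and end the 1Password session.
clear_secrets() {
  unset HASS_TOKEN
  "${OP_BIN:-op}" signout 2>/dev/null || true
}

# Constructed sample of what `op get item HASS_REST` returns (token is fake).
SAMPLE_ITEM='{"uuid":"EXAMPLE-UUID","overview":{"title":"HASS_REST"},
  "details":{"sections":[{"fields":[
    {"k":"string","n":"username","t":"username","v":"homeassistant"},
    {"k":"concealed","n":"credential","t":"credential","v":"fake-pat-123"}]}]}}'

if [ "${1:-}" = "--demo" ]; then
  # Offline demo: parse the constructed sample and print a masked result.
  printf '%s\n' "$SAMPLE_ITEM" | extract_credential | sed 's/./*/g'
fi
```

Source the file and call `load_secret HASS_REST HASS_TOKEN` to populate the variable in the current shell; `clear_secrets` removes it and signs out.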
Test It
Being able to run the following command was the motivation for this blog post, so I might as well show it off :) This makes an HTTP POST request to my Home Assistant REST API, secured with a PAT, to turn my office’s ceiling light on/off from the command line. I suppose I could have gotten up and just flipped a switch, but where’s the fun in that?
PowerShell
Ubuntu
Output
Conclusion
That’s the rough version of how to incorporate a password manager into your daily life without spamming secure keys across all your environments.
A lot has been left to the reader (and me); a few things on my to-do list are:
- Create both PowerShell and bash scripts
- Write a script to clear variables and log out
- Stash the scripts in a public Github repo to make it easier to bootstrap a new machine
Have fun and stay secure!