Get passphrase for an SSH key from password store, securely
This should be a blog post, and I'll make it one when I have more than 5 mins to spare. For instance these examples are hard-coded for my github SSH key, rather than parameterised.
Based on this SO question.

Rather than use `pass -c` to copy an SSH key passphrase to your system clipboard and then paste it at the ssh-askpass prompt (which is not very secure: any program can read the clipboard), you can use an `SSH_ASKPASS` script to retrieve the passphrase from password store and give it to `ssh-add`.
The `$SSH_ASKPASS` script, which reads the passphrase from `pass` (which in turn will prompt for a master passphrase if needed, via GnuPG PinEntry):

```bash
#!/bin/bash
# ssh-add runs this script with the prompt text as $1 and reads the
# passphrase from its stdout. The first line of the pass entry is the
# passphrase, so print only that line.
pass github/sinewalker | head -1
```
A wrapper script to hand the `$SSH_ASKPASS` script to `ssh-add`. Note the extra `$DISPLAY` environment variable and redirection trickery to convince ssh-add to use the script:

```bash
#!/bin/bash
# ssh-add only consults SSH_ASKPASS when DISPLAY is set and stdin is not
# a terminal, hence the dummy DISPLAY and the redirect from /dev/null.
export DISPLAY=dummy
export SSH_ASKPASS=/path/to/above/script
ssh-add /path/to/keys/github < /dev/null
```
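The two scripts above are hard-coded for one key. As an added example (not part of the original gist), here is a parameterised variant that folds both into a single script: invoked with a key path it acts as the wrapper, and when ssh-add calls it back as `$SSH_ASKPASS` it acts as the passphrase reader. It assumes the passphrase for a key lives in pass under `<PASS_PREFIX>/<key basename>` (default prefix `ssh`, so `~/.ssh/github` maps to the entry `ssh/github`); the `PASS_PREFIX` and `SSH_ADD_PASS_ENTRY` variable names and the `ssh-add-pass` name are my own choices. It also sets `SSH_ASKPASS_REQUIRE=force`, which OpenSSH 8.4 and later honour so the DISPLAY/stdin trickery is no longer needed there; the older trick is kept for earlier versions.

```bash
#!/bin/bash
# ssh-add-pass: load an SSH key into the agent, taking its passphrase from
# password store instead of the clipboard.  Added example, not the gist's code.
#
#   usage: ssh-add-pass /path/to/private_key
#
# Assumption: the passphrase is the first line of the pass entry
# "$PASS_PREFIX/<key basename>", e.g. ~/.ssh/github -> ssh/github.
set -eu

: "${PASS_PREFIX:=ssh}"

# Map a private-key path to the name of its pass entry.
passname_for_key() {
    local key=$1
    printf '%s/%s\n' "$PASS_PREFIX" "$(basename "$key")"
}

# Absolute path of this script, so ssh-add can exec it from any cwd.
self_path() {
    printf '%s/%s\n' "$(cd "$(dirname "$0")" && pwd)" "$(basename "$0")"
}

# Askpass mode.  ssh-add invokes $SSH_ASKPASS with the prompt text as $1 and
# reads the passphrase from stdout.  The wrapper mode below tells us which
# entry to read via SSH_ADD_PASS_ENTRY (an environment variable of our own);
# the prompt text itself is deliberately never echoed anywhere.
if [ -n "${SSH_ADD_PASS_ENTRY:-}" ]; then
    pass show "$SSH_ADD_PASS_ENTRY" | head -n1
    exit 0
fi

# Wrapper mode: hand ourselves to ssh-add as the askpass program.
add_key() {
    local key=$1 entry
    if [ ! -r "$key" ]; then
        echo "ssh-add-pass: cannot read key file: $key" >&2
        return 1
    fi
    entry=$(passname_for_key "$key")
    # DISPLAY must be set and stdin must not be a tty or ssh-add ignores
    # SSH_ASKPASS; OpenSSH >= 8.4 can be told directly with
    # SSH_ASKPASS_REQUIRE=force, which is harmless on older versions.
    DISPLAY="${DISPLAY:-dummy}" \
    SSH_ASKPASS="$(self_path)" \
    SSH_ASKPASS_REQUIRE=force \
    SSH_ADD_PASS_ENTRY="$entry" \
        ssh-add "$key" < /dev/null
}

if [ $# -gt 0 ]; then
    add_key "$1"
fi
```

Because the passphrase travels only over the pipe from pass to ssh-add's stdout read, nothing else on the desktop sees it, which is the whole point of avoiding `pass -c`; the one trust boundary that remains is the GnuPG PinEntry that unlocks the store.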