1pass is a caching wrapper for the 1Password
CLI op
.
1pass is designed to make using your 1Password usernames and passwords quick and easy. It is intended for use within an interactive shell as well as from scripts. Once installed and configured as described below, you can obtain an account password in a shell simply by typing:
$ 1pass Github
and your Gitbub password will be copied to the clipboard.
The official 1Password CLI application (op
) can be difficult to use interactively, and unlike
the Mac OS X or Windows 1Password native applications, requires an internet connection to fetch data
from your password vaults. 1pass solves both of these problems. Op
needs session tokens to
be revalidated manually after 30 minutes of inactivity and produces rich output in JSON format. The
JSON output is easy for a program to use, but is not trivially consumed by humans without help.
1pass provides that help, with two main features:
- a simplified interface for listing and fetching usernames, passwords, and other fields for individual items.
- an encrypted local cache of 1Password CLI results.
Together these features enable easy use of 1Password-stored credentials.
First make sure that the op
1Password
CLI is installed. If
you use homebrew cask on Mac OS X, this works well:
$ brew cask install 1password-cli
Copy the 1pass executable file to a suitable location on your PATH (for example, /usr/local/bin) and ensure that it is executable. For example:
curl https://raw.githubusercontent.com/dcreemer/1pass/master/1pass > /usr/local/bin/1pass
chmod a+x /usr/local/bin/1pass
1pass requires you to store your 1Password master password in a local GPG-encrypted file. You should inspect the source code to ensure that you trust the software, as well as read this documentation to understand the security tradeoffs.
Like the 1Password application itself, 1pass relies on one password. However that password is not your 1Password "master password" -- it is your Gnu Privacy Guard (gpg) private key. GPG, when configured to use the GPG-agent, will cache your private key password for a configurable length of time (a few hours to a day is perhaps reasonable). 1pass uses your GPG key to store an encrypted copies of your 1Password master password and your 1Password account secret key.
When data is needed from your online 1Password data store, the master password and secret key are temporarily decrypted and exchanged for a session token, which is also then encrypted and stored. The session token will be refreshed as needed. These actions happen automatically once your GPG key is available in the GPG-agent.
The data that is fetched from the 1Password service is cached in local files -- once again also encrypted using your GPG private key.
You can "lock" your 1pass session by running the "forget" command:
$ 1pass -f
cleared local session
which removes the local session token (if any), and calls gpgconf --kill gpg-agent
to purge
any running gpg-agent of your GPG secret keys.
In order to run with minimum user input, 1pass relies on the Gnu Privacy Guard gpg to encrypt all locally stored data. 1Password needs both a master password and a secret key to access your vault. Each of these must be stored in an encrypted file (in the ~/.1pass) directory for 1pass to work correctly. 1pass encrypts these and all other files with your own gpg key. This key, as well as your 1Password login email and subdomain must be configured in the ~/.1pass/config file.
GPG can be configured to use the gpg-agent
, which can prompt for your gpg password, and
cache it in a local agent for a fixed amount of time. If you configure GPG this way, you will only
need to enter you GPG password (e.g.) once a day, and then seldom need to enter your 1Password
master password.
Running 1pass -rv
repeatedly will output instructions on how to configure this file and safely
store your master password and secret key.
$ ./1pass -rv
please config 1pass by editing /home/me/.1pass/config
$ vi ~/.1pass/config
$ ./1pass -rv
please put your master password into /home/me/.1pass/_master.gpg
ex: echo "master-password" | gpg -er me@example.com > /home/me/.1pass/_master.gpg
$ echo "sEcre77" | gpg -er me@example.com > /home/me/.1pass/_master.gpg
$ ./1pass -rv
please put your mysubdomain.1password.com secret key into /home/me/.1pass/_secret.gpg
ex: echo "A3-XXXXXX-XXXXXX-XXXXX-XXXXX-XXXXX-XXXXX" | gpg -er me@example.com > /home/me/.1pass/_secret.gpg
$ echo "A3-XXXXXX-XXXXXX-XXXXX-XXXXX-XXXXX-XXXXX" | gpg -er me@example.com > /home/me/.1pass/_secret.gpg
$ ./1pass -rv
signing in to mysubdomain.1password.com me@example.com
...
Once you are configured and signed in, you are ready to use 1pass. The simplest command is 1pass with no arguments to list all items in your vault:
$ 1pass
Github
MyBankAccount
gmail.com
...
The list consists of the titles of each item. You can then retrieve the password of an item:
$ 1pass -p Github
sjd$kh23@0dfjs1DDj
The password is echoed to the standard output (when the '-p' option is used). You can easily use this in scripts, for example:
export PGPASSWORD=$(1pass -p MyPostgresServer)
Without the '-p' option, 1pass copies the password to the clipboard:
$ 1pass Github
The contents of the clipboard will be automatically cleared after 30 seconds. You can also pass 1pass an optional field argument -- for example "username" to retrieve that field from the item:
$ 1pass -p MyBankAccount username
me@example.com
1pass can lookup other fields besides username or password. They field name is the "label" for the field in the 1Password GUI.
$ 1pass -p MyBankAccount pin
1234
1pass can be nicely combined with fzf for fuzzy search and
completion. Install fzf
, then paste this function into your shell:
fuzzpass() {
local arg=$1
if [ "$arg" == "" ]; then
arg="password"
fi
local item=$(1pass | fzf);
[[ ! -z "$item" ]] && 1pass $item $arg
}
the type fuzzpass
, select the Item, and press enter.
For the brave, a trivial Emacs wrapper library is included. E.g.
(setq freenode-nick-username (1pass--item-username "Freenode/nick1"))
(setq freenode-nick-password (1pass--item-password "Freenode/nick1"))
(setq freenode-nick-password (1pass--item-field "Freenode" "server"))
When using 1pass, all response data from 1Password is encrypted and then cached to
~/.1pass/cache
. Sometimes this cache will be out of date -- for example if you have created a
new password entry via the 1Password application. Passing -r
to 1pass will force a refresh
from the online 1Password vault.
Similarly, 1Password CLI sessions last for 30 minutes from the time of last use. 1pass will manage the session for you, and refresh it as needed.
Copyright (c) 2017, David Creemer (twitter: @dcreemer) with some components from other GPL 2+ software.
Some ideas, and a tiny bit of code are taken from pass by Jason A. Donenfeld.