Introducing lpass-add and lpass-env: ergonomically get secrets out of LastPass

Today, I published two scripts that wrap the LastPass CLI lpass. These scripts are very handy if you are storing non-password credentials, like environment variables or SSH keys, directly in your LastPass vault.

lpass-env - Enables you to easily read environment variables straight out of LastPass Notes fields and into your shell session. The idea is that instead of putting your variables in your .bash_profile, you add them to LastPass and use lpass-env to load them into sessions only if they are required. This way, the credentials are not stored on disk or exposed to other scripts running in your terminal windows.

lpass-add - A wrapper around ssh-add that reads private keys from LastPass instead of from a file on disk. This is intended for private keys that do not have a password, since it allows you to store the whole private key in LastPass directly. If you want to store your private keys on-disk and have passwords in LastPass, use lastpass-ssh instead.

Both utilities should be well-documented in the repository (I just spent an hour writing READMEs that are far bigger than the scripts themselves, which is why this post is so short -- check the repositories for more details).

Why LastPass?

Surely there are other, better ways and means for protecting this information, instead of Bash scripts and LastPass notes? Well -- I thought so too at first, but so far, nothing's come up. LastPass does have "SSH Key" note types, but they are inferior to just using generic Notes because the SSH Key fields aren't multiline and therefore can't hold actual SSH keys in them.

In operations, these secrets are ideally stored in special secret management solutions like Vault. These (presumably) works great once they're set up, but they add significant overhead for some things that LastPass makes easy (like authenticating on different PCs and sharing passwords with authorized persons). In the end, setting up a separate "personal secret management" solution seems like overkill. If you are already using and trusting LastPass, I figure you might as well keep using it for as much as possible.

As for 1Password, Dashlane, and other LastPass competitors -- they might be good options, too. If you aren't using any password manager at all yet, I recommend you think carefully about what you want from yours and research what's available. Picking a password manager is like getting married without a prenup -- you can break it off with them later, but it won't be fun or pretty. So choose wisely.

Finally, maybe you're wondering why you shouldn't just stick all these things in plain-text files on your disk like everyone else. Why use an encrypted secret-management solution at all, since my filesystem is already encrypted on-disk? Actually, I don't know the answer to this one. All I can say is that storing password-equivalent secrets in loose files on my system doesn't feel right to me. Even if they don't get compromised, they can easily be lost or destroyed by mistake. Storing them in LastPass makes sure that they are (theoretically) secure in the cloud, away from accidental corruption or loss.