I use 1Password as my password manager but didn't really see much need for the CLI that they provide until fairly recently. I'll go over a couple of use cases where the CLI has integrated really well into my flow.
Keeping Dot Files Password-Free
I've been using aerc[1] for a few weeks. When you add an email account to aerc, it saves the password in a configuration file (~/.config/aerc/accounts.conf for me), an example of which can be seen below:
[Fastmail]
source = imaps://user%40fastmail.com:[email protected]
outgoing = smtps://user%40fastmail.com:[email protected]
Having the password stored in plain text[2] is less than ideal, even if it is on a device you own. Helpfully, aerc provides a way to specify an arbitrary command that can be executed to retrieve the password. To use the 1Password CLI, the accounts configuration file can be modified as follows:
[Fastmail]
source = imaps://user%[email protected]
source-cred-cmd = op read op://MyVault/Fastmail/aerc-password
outgoing = smtps://user%[email protected]
outgoing-cred-cmd = op read op://MyVault/Fastmail/aerc-password
The command we want executed is op read, and we pass it the URL[3] of the secret to access. The next time aerc is launched, a TouchID prompt, or a prompt to Allow Access, will be presented.
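One way to confirm that no account in accounts.conf still carries an inline password after switching to source-cred-cmd and outgoing-cred-cmd. This is an added example, not code from the original post: the function names, the [Legacy] account and the example.com hosts are constructed, and it assumes special characters in the user name are percent-encoded as in the config above.

```shell
# Added example (not from the original post): flag aerc account entries whose
# source/outgoing URL still embeds a password instead of using a *-cred-cmd.

# Reads accounts.conf from "$1" (or stdin); returns 1 if any finding is printed.
audit_aerc_accounts() {
    awk '
        # Remember the current [Section] name for the report.
        /^[ \t]*\[.*\][ \t]*$/ {
            section = $0
            gsub(/^[ \t]*\[|\][ \t]*$/, "", section)
            next
        }
        # Only the source and outgoing keys hold connection URLs.
        /^[ \t]*(source|outgoing)[ \t]*=/ {
            key = $0; sub(/^[ \t]+/, "", key); sub(/[ \t]*=.*/, "", key)
            url = $0; sub(/^[^=]*=[ \t]*/, "", url)
            # Drop the scheme, then keep only the authority part.
            if (!sub(/^[A-Za-z0-9+.-]+:\/\//, "", url)) next
            sub(/\/.*/, "", url)
            # userinfo is everything before the last "@".
            at = 0
            for (i = length(url); i > 0; i--)
                if (substr(url, i, 1) == "@") { at = i; break }
            if (at == 0) next
            userinfo = substr(url, 1, at - 1)
            colon = index(userinfo, ":")
            # A non-empty part after ":" is an inline password.
            if (colon > 0 && colon < length(userinfo)) {
                printf "%d: [%s] %s has an inline password\n", NR, section, key
                found = 1
            }
        }
        END { exit (found ? 1 : 0) }
    ' "${1:--}"
}

# Constructed sample config: one account with inline passwords, one without.
sample_accounts() {
    cat <<'EOF'
[Legacy]
source = imaps://user%40example.com:constructed-pw@imap.example.com
outgoing = smtps://user%40example.com:constructed-pw@smtp.example.com
[Fastmail]
source = imaps://user%40example.com@imap.example.com
source-cred-cmd = op read op://MyVault/Fastmail/aerc-password
EOF
}

sample_accounts | audit_aerc_accounts || true   # demo run; findings go to stdout
```

Pointing the function at ~/.config/aerc/accounts.conf gives a non-zero exit status while any inline password remains, which makes it usable as a pre-commit check for a dotfiles repository.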
Autofilling One-Time Passwords
As a publisher of npm packages, it's a good idea to enable 2FA on your npm account. This makes a leaked token with write-access less of a risk since no writes (such as publishing a new version of a package) can be performed without a valid OTP.
When publishing an npm package using npm publish, a prompt is shown in the terminal asking the user to type in the OTP. However, there is also an --otp flag we can make use of to provide the OTP upfront:
npm publish --otp $(op item get NPM --otp)
This time we use the op item get command[4], passing it the name of the item and the --otp flag. Upon execution, a TouchID prompt or an Allow Access prompt is presented, removing the need to manually type or paste the OTP. As an added convenience, the above command can be bound to a shell alias.
Footnotes
[2] This helpful URL scheme shows that the password is agvsbg8gd29ybgqh.
[3] The URL takes the form:
op://<vault>/<item>[/<section>]/<field>
[4] Note that if we tried using the op read command:
op read 'op://MyVault/NPM/Security/one-time password'
instead of the current OTP being returned, we would get the reference URL used to generate the OTP:
otpauth://totp/croccifixio?secret=AGVSBG8GD29YBGQHIGDVB2QGBMLNAHQ1&issuer=npm