Using gnupg to crypt credentials used by application to access a database server

Matthias Apitz guru at
Mon Jul 16 09:29:29 CEST 2018

On Monday, July 16, 2018 at 09:06:58AM +0200, Michael Kesper wrote:

> Hi all,
> On Saturday, 14.07.2018, 15:15 +0200, Matthias Apitz wrote:
> > We are looking for a way to change this situation and one of the options
> > or ideas I have, is crypt the credentials with GnuPG in some file.
> I use pass [0] for this.
> It uses gnupg under the hood and also has ansible integration.
> Adding and removing users is a bit of hassle but it integrates much
> better with git than e.g. keepass or the like.


Michael, I do use pass too for all my firefox credentials for access of
webpages and services, i.e. I know how this works. I use for this GnuPG
together with an OpenPGP card and to unlock the password storage I have
to provide the 6 digit PIN of the card. The storage remains unlocked
until card removal. This works all fine.

But, I do not see how this could fit into the scene I described. When an
application server starts on the UNIX host, it needs the database access
credentials and there is no human to key in any PIN, for example when
the server starts at boot time ...

How do you think pass could fit? Maybe I am overlooking something...



Matthias Apitz, ✉ guru at, ⌂  📱 +49-176-38902045
Public GnuPG key:
