I used to treat GitLab Personal Access Tokens (PATs) rather casually, but while working on an automation task using a Dockerfile, I realized they are not a simple matter.

At first, I used the common approach of embedding the token directly into the URL:

1

https://oauth2:<token>@gitlab.com/username/project.git

While convenient, I quickly realized this method is very insecure. If the token is included in a Dockerfile and that file is accidentally committed or shared, anyone with access to it can use the token to access GitLab. Additionally, if the token expires or is regenerated, you must manually update all related scripts and configuration files.

Looking for a more secure way to manage PATs, I discovered a tool called pass, which allowed me to manage tokens in a simple yet powerful manner.

What is pass?

pass is a simple password manager based on GPG (GNU Privacy Guard). Each password is encrypted using GPG and stored as a file. Only users who possess the GPG private key can decrypt the files. Since the files are stored locally and are inaccessible without the key, this method is highly secure.

Installation and Initial Setup

First, install the necessary packages:

1

sudo apt install pass gnupg

If you don’t already have a GPG key, you can generate one with the following command:

1

gpg --full-generate-key

After entering your name, email, and a passphrase, a key will be generated. You can list your keys with:

1

gpg --list-keys

Now initialize pass using your GPG key. It’s safest to use the full fingerprint instead of a name or email.

1

pass init 121C19C25E08DB40298DC736283B3D49ACE4E74A

Storing and Retrieving Passwords (PATs)

To store a PAT:

1

pass insert gitlab/pat

You’ll be prompted to enter the password (your PAT) and then confirm it. The input won’t be shown on screen, but it is being recorded correctly.

To retrieve the stored PAT:

1

pass gitlab/pat

You can also use this securely during Docker builds via environment variables:

1
2

export GITLAB_PAT=$(pass gitlab/pat)
docker build --build-arg GIT_TOKEN=$GITLAB_PAT .

Since the token is not directly written into the Dockerfile, this method is highly secure.

Conclusion

At first, I considered using environment variables or a simple .env file. But when weighing security and ease of management, pass turned out to be an excellent alternative. Its GPG-based design ensures a high level of security without requiring complex external solutions.

Not only can you manage GitLab PATs this way, but also API keys and passwords for other services. If you’re working in an automation environment that handles sensitive information, I highly recommend giving pass a try.