cargo-credential-pass

A Cargo credential provider for pass.

• No config needed[^cargo]
• Stores encrypted tokens in your password store with all your other secrets
• Automatically encrypts using your password store GPG key
• Works great with keys stored on HSMs too (hello YubiKey!)

Because no one likes plaintext credentials on disk :(

Use It

1. Install cargo-credential-pass:

% cargo install --locked cargo-credential-pass

2. Configure Cargo to use this credential provider:

[registry]
global-credential-providers = ["cargo-credential-pass"]

3. Login! cargo login will pop up your editor - paste your registry token and close the window.

Your token will now be stored as an encrypted text file in $PASSWORD_STORE_DIR/cargo-registry/<registery-name>.token.

That's it - you're good to go!

(Optionally) Customise It

Token Directory

You can override where the tokens are stored in the password store, replacing the the default cargo-registry subdir:

[registry]
global-credential-providers = ["cargo-credential-pass cargo-tokens/live/here/"]

Note the trailing / is important - it indicates the directory to be used for storing tokens, and the filename will be automatically derived.

Exact Token Path

A path without the trailing / will be interpreted as the exact token path (inc. filename) to use.

This is helpful for setting per-registry token paths like below, but an exact path can only be used by 1 registry:

[registries.my-work-registry]
credential-provider = ["cargo-credential-pass work/cargo-token.secret"]

[^cargo]: Kinda - only cargo required!