
SOLVED: use AWS-VAULT with gopass as backend

January 22, 2022

A very good tool to manage multiple AWS accounts, especially with SSO enabled, is AWS Vault. The idea is that a session gets securely stored in a backend and (re-)used until it expires. One downside of the default macOS keystore as backend is a manual password entry every time the session renews. This is not only annoying, it also doesn't fit my security setup. Luckily pass is supported as a backend too. But for the more mature version, gopass, the following setup has to be applied:

Given we have a gopass setup with two stores:

~/.password-store (default)
~/.password-store-awsvault (vault)

Then the config would look like this:

export AWS_VAULT_PASS_CMD=gopass
export AWS_VAULT_PASS_PASSWORD_STORE_DIR=~/.password-store-awsvault

This worked for writing, but never for reading. I didn't even see aws-vault list calling gopass at all. It looks like the missing vault folder is the problem: aws-vault inspects the directory AWS_VAULT_PASS_PASSWORD_STORE_DIR directly. The fix was to hardcode the AWS_VAULT_PASS_PREFIX into a customised script (see below) and to not set the variable. Strictly speaking, vault is not a prefix but the name of the store, so this makes sense:

The dedicated aws-vault-pass script:

#!/usr/bin/env bash

ARGS=( "$@" )

## ensure the password store has 'git config commit.gpgsign false'

# aws-vault calls this script as "<cmd> insert|show|rm <args...>";
# every key is mapped into the aws-vault/ folder of the gopass store
if [ "${ARGS[0]}" == "insert" ]; then
    # echo "- INSERT ------ ${ARGS[@]} --------" 1>&2
    gopass "${ARGS[@]/sessions/aws-vault\/sessions}"
elif [ "${ARGS[0]}" == "show" ]; then
    # echo "- SHOW --------------" 1>&2
    gopass show --password aws-vault/"${ARGS[1]}"
elif [ "${ARGS[0]}" == "rm" ]; then
    # echo "- RM --------------" 1>&2
    gopass "${ARGS[@]/sessions/aws-vault\/sessions}"
fi

and ensure aws-vault picks it up:

export AWS_VAULT_PASS_CMD=aws-vault-pass
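A stricter variant of that wrapper, added here as an example (it is not the post's script): instead of rewriting the string "sessions" wherever it appears, it maps every positional key below the aws-vault/ folder, lets any flags aws-vault adds pass through untouched, and refuses any subcommand other than insert, show and rm instead of silently doing nothing. The calling convention (subcommand, flags, key, secret on stdin for insert), the function names and the GOPASS_BIN override are assumptions made for this example; the override only exists so the mapping can be exercised without a real password store.

```shell
#!/usr/bin/env bash
# Added example, not the post's own script: a stricter aws-vault-pass wrapper.
# Assumptions (names chosen here, not from the post): aws-vault invokes
#   $AWS_VAULT_PASS_CMD <insert|show|rm> [flags...] <key>
# with the secret on stdin for insert, and every entry lives below the "aws-vault/"
# folder of the gopass store. GOPASS_BIN is a hypothetical override that lets the
# argument mapping be exercised without a real password store.
: "${GOPASS_BIN:=gopass}"
STORE_PREFIX="aws-vault"

# prefix_key: place a key below the store folder unless it already is
prefix_key() {
  case "$1" in
    "$STORE_PREFIX"/*) printf '%s\n' "$1" ;;
    *)                 printf '%s/%s\n' "$STORE_PREFIX" "$1" ;;
  esac
}

# map_args: print the gopass argument list for one request, one argument per line.
# Flags (-m, -f, ...) pass through untouched, positional keys get prefixed, and
# "show" always asks for the password only (as the post's script does).
# Returns 2 for an unknown subcommand or a request without a key, printing nothing.
map_args() {
  local sub out nl key_seen arg
  sub=${1:-}
  if [ "$#" -gt 0 ]; then shift; fi
  nl='
'
  case "$sub" in
    insert|rm) out=$sub ;;
    show)      out="show${nl}--password" ;;
    *)         return 2 ;;
  esac
  key_seen=0
  for arg in "$@"; do
    case "$arg" in
      -*) out="$out$nl$arg" ;;
      *)  out="$out$nl$(prefix_key "$arg")"; key_seen=1 ;;
    esac
  done
  [ "$key_seen" -eq 1 ] || return 2
  printf '%s\n' "$out"
}

# run_request: translate and execute one request; stdin (the secret for insert)
# is passed straight through to gopass. Anything that does not map is refused.
run_request() {
  local mapped old_ifs
  mapped=$(map_args "$@") || {
    echo "aws-vault-pass: refusing unsupported request: $*" >&2
    return 2
  }
  old_ifs=$IFS
  IFS='
'
  set -f                 # no globbing while re-splitting the mapped lines
  set -- $mapped
  set +f
  IFS=$old_ifs
  "$GOPASS_BIN" "$@"
}

# dispatch only when called with arguments, so the file can be sourced for testing
if [ "$#" -gt 0 ]; then
  run_request "$@"
fi
```

Point AWS_VAULT_PASS_CMD at this file exactly as in the post; `GOPASS_BIN=echo ./aws-vault-pass insert -m -f sessions/example </dev/null` shows the translated command line without touching a store. The author's note about `git config commit.gpgsign false` on the store still applies, since gopass commits on every insert and rm.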


Related issue:

Original issue and comments

SOLVED: gpg: public key decryption failed: No pinentry

October 23, 2021

I recently updated to latest gnupg and pinentry version via homebrew, which unfortunately broke my setup. I suddenly got this error when decrypting with gpg:

gpg: public key decryption failed: No pinentry
gpg: decryption failed: No pinentry

Looking into ~/.gnupg/gpg-agent.conf this first line showed:

pinentry-program /usr/local/bin/pinentry-mac

This is right and the same as what `which pinentry-mac` returns. So why the error? It turns out `/usr/local/bin/pinentry-mac` is a symbolic link which (apparently?) gpg-agent doesn't follow. So the trick was to set the final path; for me that's:

pinentry-program /usr/local/Cellar/pinentry-mac/

And, BOOM! It works again.
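A small check that makes this failure visible before gpg does, added here as an example and not part of the post: it reads the pinentry-program line from gpg-agent.conf and reports whether that path is a regular file, a symlink (and where the chain of links ends, which is the path to put in the config), or missing. The symlink resolution is done by hand because macOS ships without readlink -f; resolve_link and pinentry_report are names chosen for this example, and the config path defaults to ~/.gnupg/gpg-agent.conf.

```shell
#!/bin/sh
# Added example, not part of the post: report where the pinentry-program configured in
# gpg-agent.conf actually resolves, so a symlinked path (the post's failure case) is visible.
# resolve_link and pinentry_report are names chosen for this example.

# resolve_link: follow a chain of symlinks by hand (portable: no readlink -f on macOS)
# and print the canonical final path; fails on a dangling link or a loop
resolve_link() {
  local p t n
  p=$1
  n=0
  while [ -L "$p" ]; do
    n=$((n + 1))
    [ "$n" -le 40 ] || return 1            # loop guard
    t=$(readlink "$p") || return 1
    case "$t" in
      /*) p=$t ;;                           # absolute target
      *)  p=$(dirname "$p")/$t ;;           # relative target is relative to the link's directory
    esac
  done
  [ -e "$p" ] || return 1
  printf '%s/%s\n' "$(cd "$(dirname "$p")" && pwd -P)" "$(basename "$p")"
}

# pinentry_report: read the first pinentry-program line of a gpg-agent.conf and print one of
#   DIRECT <path>               path is a regular file
#   SYMLINK <path> -> <target>  path is a symlink; <target> is what to put in the config
#   MISSING <path>              path does not exist (or is a dangling link)
pinentry_report() {
  local conf prog target
  conf=${1:-$HOME/.gnupg/gpg-agent.conf}
  prog=$(sed -n 's/^[[:space:]]*pinentry-program[[:space:]]\{1,\}\(.*[^[:space:]]\)[[:space:]]*$/\1/p' "$conf" | head -n 1)
  [ -n "$prog" ] || { echo "no pinentry-program line in $conf" >&2; return 1; }
  if [ -L "$prog" ]; then
    if target=$(resolve_link "$prog"); then
      printf 'SYMLINK %s -> %s\n' "$prog" "$target"
    else
      printf 'MISSING %s\n' "$prog"
    fi
  elif [ -e "$prog" ]; then
    printf 'DIRECT %s\n' "$prog"
  else
    printf 'MISSING %s\n' "$prog"
  fi
}

# run against a given config file when called with an argument
if [ "$#" -gt 0 ]; then
  pinentry_report "$1"
fi
```

Running it with no argument checks the default config; a SYMLINK line tells you the target path to write into gpg-agent.conf (followed by `gpgconf --kill gpg-agent` so the agent re-reads it).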

Further sources:


Original issue and comments

Yeah! Ruby 3 released

December 28, 2020

OMG, the long wait has an end, Ruby 3 is finally released. Can't wait to check out Typing, IMHO one of the biggest areas where Ruby <3 was lacking!

Original issue and comments

Linux Performance Observability Tools

December 24, 2020

Great cheat sheet to observe linux performance:



Original issue and comments

Launch of Samsung Pay with BankIdent

December 24, 2020

What a year! What kept me busy at work was the realization of Samsung Pay - contactless, mobile payment with a Samsung phone. One special feature is the way users onboard. By using BankIdent the KYC is truly seamless and doesn't require a call agent anymore. With that it's as quick and user friendly as never before. See the full story here:

Original issue and comments

Github Issue to Blogpost

December 23, 2020

This is a blog post created via a GitHub issue. With that the comfort of WYSIWYG editing is combined with Jekyll & GitHub Pages. <3

For more check out:


Original issue and comments

Oreilly Software Architecture Berlin

August 15, 2019

Cu there!

REST Security Cheat Sheet

August 13, 2019

Wintergarden - building Marble Machine X

August 13, 2019

Must follow for any music, hacking, DIY builders:

Follow the full channel:

Lego + Pinball <3

August 13, 2019


How to be an Architect in a Microservice World

August 13, 2019

Great Talk and deck by Felix (@fmueller_bln)


August 01, 2019

Wow, Me wantz!

And for my Kid:

Hack my Car - ODB and GPS

April 23, 2019

I got myself an ‘ODB-diagnosegerät’ from China. Of course it didn't work right away and I had to readz the internets for a fix. First I had to find a suitable driver. The USB identifier was: Product ID: 0x7523, Vendor ID: 0x1a86. This looks like a CH340 / CH341 Serial / USB chip. Luckily I found the drivers here:

VAG-COM 409.1 + Wine:
VAG-COM 409.1 + Win7:

Kabel Fix:


Other Software:

Other devices:


Next: get GPS Tracker.

The hope is to find my car once it gets stolen, but so far it was more of a hack project :). I figured the best open source solution you currently get is Here's how to set it up and dockerize:


Hacking mir:ror

February 20, 2019

Finally! All of a sudden I got an evening with ccb23 to hack our lives away. This time: NFC like it's 2009. Aka violet mir:ror.

Out of the blue we were brainstorming how to DIY hörbert, a smart mp3 player for our youngest. Here, an mp3 is selected via an NFC sensor. O.T.: “NFC sensor!? Wait, I remember having touched this years ago, lemme get the Nabaztag”. And indeed, along with the infamous Nabaztag IoT rabbit, violet released a side product called ‘mir:ror’ in 2009(?). It's an NFC-to-USB device meant to showcase & utilize its capabilities. Too bad official drivers were only released for Windows and discontinued with the bankruptcy of violet. But open source to the rescue. We quickly figured the device adheres to the HID standard, so let's get it working (on a mac/linux).

After confirming the device is recognised in Mac OS X we got hooked. Next, with a quick google search we first discovered - an OOO implementation based on hidraw. Too bad the kernel extension is Linux specific, so next HIDAPI, an OS-agnostic lib for general purpose use, felt promising. Indeed, we got the mir:ror up and running for the first time on Mac, although reading was non-blocking and we couldn't really make sense of it. After various back and forth, we jumped back to the start: let's check on linux first. So with VirtualBox and Ubuntu we were able to install reflektor and use it via hidraw. Worked like a charm! So next is porting this to Mac OS X and getting a deeper understanding of mirware. What commands are supported? Modifying (or just turning off) the choreo would be a huge plus towards using mir:ror for our custom mp3 project. In any case, this 10 year old device was way ahead of its time and still works like wooow!

Sources worth to check:

Self Contained Systems

September 10, 2018