chezmoi includes support for LastPass using the LastPass CLI to expose data as template functions.

Setup

Install LastPass CLI

brew install lastpass-cli

Log In

lpass login $LASTPASS_USERNAME
Enter your master password when prompted.

Verify Setup

Check that lpass is working:
lpass show --json $LASTPASS_ENTRY_ID

Template Functions

lastpass

Get structured data from a LastPass entry:
{{ (index (lastpass "GitHub") 0).password }}
Returns the array of objects output by lpass show --json id, which is why the examples use index to select the first element.

lastpassRaw

Get raw note data without parsing:
{{ (index (lastpassRaw "SSH Private Key") 0).note }}

Entry Specification

LastPass entries can be specified by:
  • Name: "GitHub"
  • ID: "1234567890"
  • URL: "github.com"
  • Group: "Work/GitHub"
See LastPass Entry Specification for details.

Usage Examples

Basic Credentials

# Access password from GitHub entry
githubPassword = {{ (index (lastpass "GitHub") 0).password | quote }}

Git Configuration

~/.gitconfig.tmpl
[user]
    name = {{ (index (lastpass "Git Config") 0).username }}
    email = {{ (index (lastpass "Git Config") 0).note.email }}
    signingkey = {{ (index (lastpass "Git Config") 0).note.gpgKey }}

[github]
    user = {{ (index (lastpass "GitHub") 0).username }}

SSH Private Key from Notes

The lastpass function automatically parses notes as colon-separated key-value pairs. If your LastPass note looks like:
Private Key: -----BEGIN RSA PRIVATE KEY-----
MIIE...
Public Key: ssh-rsa AAAA...
then the private key is available as note.privateKey:
~/.ssh/id_rsa.tmpl
{{ (index (lastpass "SSH") 0).note.privateKey }}
Keys in notes written as CamelCase Words are converted to camelCaseWords.
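An added example (not chezmoi's own code) that models the note parsing described above, so you can see which lines start a field and which are folded into the previous value. The regular expression, the trimming, and the names ParseNote, camelKey and sampleNote are assumptions of this sketch.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
	"unicode"
)

// fieldRx matches "Key Words: value". Keys are letters and spaces only, so
// PEM markers, base64 lines and URLs inside a value do not start a new field.
var fieldRx = regexp.MustCompile(`^([A-Za-z][A-Za-z ]*):(.*)$`)

// camelKey turns "Private Key" into "privateKey".
func camelKey(k string) string {
	joined := strings.Join(strings.Fields(k), "")
	r := []rune(joined)
	r[0] = unicode.ToLower(r[0])
	return string(r)
}

// ParseNote models the colon-separated note parsing (assumed rules, see lead-in).
func ParseNote(note string) map[string]string {
	out := map[string]string{}
	key := ""
	for _, line := range strings.Split(note, "\n") {
		if m := fieldRx.FindStringSubmatch(line); m != nil {
			key = camelKey(m[1])
			out[key] = strings.TrimSpace(m[2])
		} else if key != "" {
			out[key] += "\n" + line // continuation of the previous field
		}
	}
	return out
}

// sampleNote is constructed for this example; the key material is a placeholder.
const sampleNote = `Private Key: -----BEGIN RSA PRIVATE KEY-----
MIIE...
-----END RSA PRIVATE KEY-----
Public Key: ssh-rsa AAAA...
Endpoint: https://api.example.com`

func main() {
	for k, v := range ParseNote(sampleNote) {
		fmt.Printf("%s = %q\n", k, v)
	}
}
```

Under these rules a body line that itself looks like "Word: value" starts a new field, which is the situation where reading the unparsed note with lastpassRaw is the more predictable choice.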

Raw Note Data

If the note doesn’t contain key-value pairs, use lastpassRaw to get the note unparsed:
~/.ssh/id_rsa.tmpl
{{ (index (lastpassRaw "SSH Private Key") 0).note }}

AWS Credentials

# ~/.aws/credentials.tmpl
[default]
aws_access_key_id = {{ (index (lastpass "AWS Personal") 0).username }}
aws_secret_access_key = {{ (index (lastpass "AWS Personal") 0).password }}

[work]
aws_access_key_id = {{ (index (lastpass "AWS Work") 0).username }}
aws_secret_access_key = {{ (index (lastpass "AWS Work") 0).password }}

API Tokens

~/.config/tokens.env.tmpl
# GitHub
GITHUB_TOKEN={{ (index (lastpass "GitHub API") 0).password }}
GH_TOKEN={{ (index (lastpass "GitHub API") 0).password }}

# GitLab
GITLAB_TOKEN={{ (index (lastpass "GitLab API") 0).password }}

# OpenAI
OPENAI_API_KEY={{ (index (lastpass "OpenAI") 0).password }}

# Stripe
STRIPE_SECRET_KEY={{ (index (lastpass "Stripe") 0).note.secretKey }}
STRIPE_PUBLISHABLE_KEY={{ (index (lastpass "Stripe") 0).note.publishableKey }}

Database Configuration

~/.config/db/config.yml.tmpl
# Passwords are quoted so that characters such as # or : are not read as YAML syntax
production:
  host: {{ (index (lastpass "Production DB") 0).note.host }}
  port: {{ (index (lastpass "Production DB") 0).note.port }}
  username: {{ (index (lastpass "Production DB") 0).username }}
  password: {{ (index (lastpass "Production DB") 0).password | quote }}
  database: {{ (index (lastpass "Production DB") 0).note.database }}

development:
  host: localhost
  port: 5432
  username: {{ (index (lastpass "Dev DB") 0).username }}
  password: {{ (index (lastpass "Dev DB") 0).password | quote }}
  database: app_dev

NPM Configuration

~/.npmrc.tmpl
//registry.npmjs.org/:_authToken={{ (index (lastpass "NPM") 0).password }}
email={{ (index (lastpass "NPM") 0).username }}

Advanced Usage

Multiple Entries

If a search returns multiple entries, iterate over them with range:
{{ range (lastpass "github") -}}
Entry: {{ .name }}
Username: {{ .username }}
Password: {{ .password }}
{{ end }}

Accessing Nested Fields

# All note fields for an entry
{{ range $key, $value := (index (lastpass "Entry") 0).note -}}
{{ $key }}: {{ $value }}
{{ end }}

Using Entry IDs

Find the entry ID:
lpass ls
Then reference by ID:
{{ (index (lastpass "1234567890") 0).password }}
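The ambiguity described under Multiple Entries, and the reason entry IDs are the more stable reference, shown as an added example (not code from the chezmoi project): the template aborts rendering unless the query resolves to exactly one entry, instead of silently taking index 0. stubLastpass, its matching rule, the vault data and Render are constructed for this sketch; fail is stubbed here and is provided to real chezmoi templates by sprig.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
	"text/template"
)

// vault is constructed sample data standing in for `lpass show --json` output.
var vault = []map[string]any{
	{"id": "1234567890", "name": "GitHub", "username": "alice", "password": "pw-personal"},
	{"id": "2345678901", "name": "github-work", "username": "alice-corp", "password": "pw-work"},
}

// stubLastpass is a hypothetical stand-in: exact ID or case-insensitive name substring.
func stubLastpass(q string) []map[string]any {
	var hits []map[string]any
	for _, e := range vault {
		if e["id"] == q || strings.Contains(strings.ToLower(e["name"].(string)), strings.ToLower(q)) {
			hits = append(hits, e)
		}
	}
	return hits
}

// guarded refuses to render unless the query resolves to exactly one entry.
const guarded = `{{- $m := lastpass .Query -}}
{{- if ne (len $m) 1 }}{{ fail (printf "%q matched %d entries" .Query (len $m)) }}{{ end -}}
{{ (index $m 0).password }}`

// Render executes the guarded template with the stub functions.
func Render(query string) (string, error) {
	funcs := template.FuncMap{
		"lastpass": stubLastpass,
		"fail":     func(msg string) (string, error) { return "", errors.New(msg) },
	}
	t := template.Must(template.New("t").Funcs(funcs).Parse(guarded))
	var sb strings.Builder
	err := t.Execute(&sb, map[string]string{"Query": query})
	return sb.String(), err
}

func main() {
	for _, q := range []string{"github", "1234567890"} {
		out, err := Render(q)
		fmt.Printf("%q -> %q, err=%v\n", q, out, err)
	}
}
```

The three-line guarded template is the part that carries over to a real .tmpl file, with the query written as a literal in place of .Query.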

Conditional Access

~/.gitconfig.tmpl
[user]
    name = {{ (index (lastpass "Git") 0).username }}
{{- if (index (lastpass "Git") 0).note.email }}
    email = {{ (index (lastpass "Git") 0).note.email }}
{{- end }}
{{- if (index (lastpass "Git") 0).note.signingkey }}
    signingkey = {{ (index (lastpass "Git") 0).note.signingkey }}
{{- end }}

Structuring Notes in LastPass

For best results, structure your notes as key-value pairs:
API Key: sk-abc123...
Endpoint: https://api.example.com
Region: us-east-1
Environment: production
These will be accessible as:
{{ (index (lastpass "Service") 0).note.apiKey }}
{{ (index (lastpass "Service") 0).note.endpoint }}
{{ (index (lastpass "Service") 0).note.region }}
{{ (index (lastpass "Service") 0).note.environment }}

Configuration

Custom Command

If lpass is not in your PATH:
~/.config/chezmoi/chezmoi.toml
[lastpass]
    command = "/custom/path/to/lpass"

Troubleshooting

Not Logged In

If you get “Error: Could not find decryption key”:
lpass login $LASTPASS_USERNAME

Session Expired

Log in again:
lpass logout
lpass login $LASTPASS_USERNAME

Entry Not Found

List all entries to find the correct name:
lpass ls
Or search for entries:
lpass ls | grep -i github

Command Not Found

Ensure LastPass CLI is installed:
which lpass
lpass --version

Testing Templates

Test template functions:
chezmoi execute-template '{{ (index (lastpass "test") 0).password }}'

Verify Entry Data

Check what data is available:
lpass show --json "Entry Name" | jq .

Best Practices

  1. Use descriptive names: Name entries clearly for easy reference
  2. Structure notes: Use key-value format in notes for easy parsing
  3. Use folders: Organize entries in folders (Work/GitHub, Personal/AWS)
  4. Test entries: Verify entries are accessible before using in templates
  5. Stay logged in: Keep your LastPass session active on trusted machines
  6. Use entry IDs: For stability, consider using entry IDs instead of names
