Diffstat (limited to 'content/operations/acces')
-rw-r--r--  content/operations/acces/pass.md  167
1 files changed, 167 insertions, 0 deletions
diff --git a/content/operations/acces/pass.md b/content/operations/acces/pass.md
index 62bf23a..5f89631 100644
--- a/content/operations/acces/pass.md
+++ b/content/operations/acces/pass.md
@@ -5,3 +5,170 @@ weight = 40
+++
https://www.passwordstore.org/
+
+## you are new and want to access the secret repository
+
+You need a GPG key to start with.
+You can generate one with:
+
+```bash
+gpg2 --expert --full-gen-key
+# Personnaly I use `9) ECC and ECC`, `1) Curve 25519`, and `5y`
+```
+
+Now export your public key:
+
+```bash
+gpg2 --export --armor <your email address>
+```
+
+You can upload it to Gitea, it will then be available publicly easily.
+For example, you can access my key at this URL:
+
+```
+https://git.deuxfleurs.fr/quentin.gpg
+```
+
+You can import it to your keychain as follow:
+
+```bash
+gpg2 --import <(curl https://git.deuxfleurs.fr/quentin.gpg)
+gpg2 --list-keys
+# pub ed25519/0xE9602264D639FF68 2022-04-19 [SC] [expire : 2027-04-18]
+# Empreinte de la clef = 8023 E27D F1BB D52C 559B 054C E960 2264 D639 FF68
+# uid [ ultime ] Quentin Dufour <quentin@deuxfleurs.fr>
+# sub cv25519/0xA40574404FF72851 2022-04-19 [E] [expire : 2027-04-18]
+```
+
+How to read this snippet:
+ - the key id: `E9602264D639FF68`
+ - the key fingerprint: `8023 E27D F1BB D52C 559B 054C E960 2264 D639 FF68`
+
+Now, you need to:
+ 1. Inform all other sysadmins that you have published your key
+ 2. Check that the key of other sysadmins is the correct one.
+
+To perform the check, you need another communication channel (ideally physically, otherwise through the phone, Matrix if you already trusted the other person, etc.)
+
+Once you trust someone, sign its key:
+
+```bash
+gpg --edit-key quentin@deuxfleurs.fr
+# or
+gpg --edit-key E9602264D639FF68
+# gpg> lsign
+# (say yes)
+# gpg> save
+```
+
+Once you signed everybody, ask to a sysadmin to add your key to `<secrets>/.gpg-id` and then run:
+
+```
+pass init -p deuxfleurs $(cat ~/.password-store/deuxfleurs/.gpg-id)
+cd ~/.password-store
+git commit
+git push
+```
+
+Now you are ready to install `pass`:
+
+```bash
+sudo apt-get install pass # Debian + Ubuntu
+sudo yum install pass # Fedora + RHEL
+sudo zypper in password-store # OpenSUSE
+sudo emerge -av pass # Gentoo
+sudo pacman -S pass # Arch Linux
+brew install pass # macOS
+pkg install password-store # FreeBSD
+```
+
+*Go to [passwordstore.org](https://www.passwordstore.org/) for more information about pass*.
+
+Download the repository:
+
+```
+mkdir -p ~/.password-store
+cd ~/.password-store
+git clone git@git.deuxfleurs.fr:Deuxfleurs/secrets.git deuxfleurs
+```
+
+And then check that everything work:
+
+```bash
+pass show deuxfleurs
+```
+
+---
+
+---
+
+## init
+
+generate a new password store named deuxfleurs for you:
+
+```
+pass init -p deuxfleurs you@example.com
+```
+
+add a password in this store, it will be encrypted with your gpg key:
+
+```bash
+pass generate deuxfleurs/backup_nextcloud 20
+# or
+pass insert deuxfleurs/backup_nextcloud
+```
+
+## add a teammate
+
+edit `~/.password-store/acme/.gpg-id` and add the id of your friends:
+
+```
+alice@example.com
+jane@example.com
+bob@example.com
+```
+
+make sure that you trust the keys of your teammates:
+
+```
+$ gpg --edit-key jane@example.com
+gpg> lsign
+gpg> y
+gpg> save
+```
+
+Now re-encrypt the secrets:
+
+```
+pass init -p deuxfleurs $(cat ~/.password-store/deuxfleurs/.gpg-id)
+```
+
+They will now be able to decrypt the password:
+
+```
+pass deuxfleurs/backup_nextcloud
+```
+
+## sharing with git
+
+To create the repo:
+
+```bash
+cd ~/.password-store/deuxfleurs
+git init
+git add .
+git commit -m "Initial commit"
+# Set up remote
+git push
+```
+
+To setup the repo:
+
+```bash
+cd ~/.password-store
+git clone https://git.example.com/org/repo.git deuxfleurs
+```
+
+## Ref
+
+https://medium.com/@davidpiegza/using-pass-in-a-team-1aa7adf36592
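Review bot: the onboarding flow in this hunk has the newcomer re-encrypt the store before they are able to. The step `pass init -p deuxfleurs $(cat ~/.password-store/deuxfleurs/.gpg-id)` followed by `cd ~/.password-store` / `git commit` / `git push` appears before `pass` is installed and before `git clone git@git.deuxfleurs.fr:Deuxfleurs/secrets.git deuxfleurs` is run, and a sysadmin whose key was only just added to `.gpg-id` cannot decrypt the existing entries, so the re-encryption has to be done by someone whose key is already in `.gpg-id`. Suggest moving the install and clone blocks above that step and rewording it as "ask a sysadmin to add your key to `.gpg-id`, re-encrypt with `pass init -p deuxfleurs $(cat .../.gpg-id)` and push", leaving the newcomer with just `pass show deuxfleurs` to verify. When the store is already a git repository, `pass init` stages and commits the re-encryption itself, so the bare `git commit` that follows will find nothing to commit or prompt for a message; `git push` alone is enough. Smaller points: the "add a teammate" section edits `~/.password-store/acme/.gpg-id` while every other command uses the `deuxfleurs` store; `gpg> y` in the `lsign` transcript is the answer to the "Really sign?" prompt, not a gpg command, which the earlier transcript gets right with `# (say yes)`; the two consecutive `---` lines after `pass show deuxfleurs` render as a double rule; `Personnaly` should be `Personally`; the `gpg2 --list-keys` sample output is in French (`Empreinte de la clef` is the fingerprint, `expire` the expiry) while the text below tells the reader how to find the "key fingerprint", so either translate the sample or capture it with `LANG=C gpg2 --list-keys`; and since `.gpg-id` lines are handed to gpg as recipients, e-mail addresses are matched against user IDs and become ambiguous as soon as two keys carry the same address, whereas the 40-hex fingerprint printed by `--list-keys` is not, so prefer fingerprints (or at least the long key id) in `.gpg-id`. The `gpg2`/`gpg` mix is harmless but worth unifying.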