From 74ef3f23a244f1269e3a02d4821258f740ac6c3c Mon Sep 17 00:00:00 2001 From: Quentin Dufour Date: Sun, 16 Oct 2022 10:55:44 +0200 Subject: Add some raw doc on pass --- content/operations/acces/pass.md | 167 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 167 insertions(+) (limited to 'content/operations') diff --git a/content/operations/acces/pass.md b/content/operations/acces/pass.md index 62bf23a..5f89631 100644 --- a/content/operations/acces/pass.md +++ b/content/operations/acces/pass.md 
@@ -5,3 +5,170 @@ weight = 40 +++ https://www.passwordstore.org/ + +## you are new and want to access the secret repository + +You need a GPG key to start with. +You can generate one with: + +```bash +gpg2 --expert --full-gen-key +# Personnaly I use `9) ECC and ECC`, `1) Curve 25519`, and `5y` +``` + +Now export your public key: + +```bash +gpg2 --export --armor +``` + +You can upload it to Gitea, it will then be available publicly easily. +For example, you can access my key at this URL: + +``` +https://git.deuxfleurs.fr/quentin.gpg +``` + +You can import it to your keychain as follow: + +```bash +gpg2 --import <(curl https://git.deuxfleurs.fr/quentin.gpg) +gpg2 --list-keys +# pub ed25519/0xE9602264D639FF68 2022-04-19 [SC] [expire : 2027-04-18] +# Empreinte de la clef = 8023 E27D F1BB D52C 559B 054C E960 2264 D639 FF68 +# uid [ ultime ] Quentin Dufour +# sub cv25519/0xA40574404FF72851 2022-04-19 [E] [expire : 2027-04-18] +``` + +How to read this snippet: + - the key id: `E9602264D639FF68` + - the key fingerprint: `8023 E27D F1BB D52C 559B 054C E960 2264 D639 FF68` + +Now, you need to: + 1. Inform all other sysadmins that you have published your key + 2. Check that the key of other sysadmins is the correct one. + +To perform the check, you need another communication channel (ideally physically, otherwise through the phone, Matrix if you already trusted the other person, etc.) 
+ +Once you trust someone, sign its key: + +```bash +gpg --edit-key quentin@deuxfleurs.fr +# or +gpg --edit-key E9602264D639FF68 +# gpg> lsign +# (say yes) +# gpg> save +``` + +Once you signed everybody, ask to a sysadmin to add your key to `/.gpg-id` and then run: + +``` +pass init -p deuxfleurs $(cat ~/.password-store/deuxfleurs/.gpg-id) +cd ~/.password-store +git commit +git push +``` + +Now you are ready to install `pass`: + +```bash +sudo apt-get install pass # Debian + Ubuntu +sudo yum install pass # Fedora + RHEL +sudo zypper in password-store # OpenSUSE +sudo emerge -av pass # Gentoo +sudo pacman -S pass # Arch Linux +brew install pass # macOS +pkg install password-store # FreeBSD +``` + +*Go to [passwordstore.org](https://www.passwordstore.org/) for more information about pass*. + +Download the repository: + +``` +mkdir -p ~/.password-store +cd ~/.password-store +git clone git@git.deuxfleurs.fr:Deuxfleurs/secrets.git deuxfleurs +``` + +And then check that everything work: + +```bash +pass show deuxfleurs +``` + +--- + +--- + +## init + +generate a new password store named deuxfleurs for you: + +``` +pass init -p deuxfleurs you@example.com +``` + +add a password in this store, it will be encrypted with your gpg key: + +```bash +pass generate deuxfleurs/backup_nextcloud 20 +# or +pass insert deuxfleurs/backup_nextcloud +``` + +## add a teammate + +edit `~/.password-store/acme/.gpg-id` and add the id of your friends: + +``` +alice@example.com +jane@example.com +bob@example.com +``` + +make sure that you trust the keys of your teammates: + +``` +$ gpg --edit-key jane@example.com +gpg> lsign +gpg> y +gpg> save +``` + +Now re-encrypt the secrets: + +``` +pass init -p deuxfleurs $(cat ~/.password-store/deuxfleurs/.gpg-id) +``` + +They will now be able to decrypt the password: + +``` +pass deuxfleurs/backup_nextcloud +``` + +## sharing with git + +To create the repo: + +```bash +cd ~/.password-store/deuxfleurs +git init +git add . 
+git commit -m "Initial commit" +# Set up remote +git push +``` + +To setup the repo: + +```bash +cd ~/.password-store +git clone https://git.example.com/org/repo.git deuxfleurs +``` + +## Ref + +https://medium.com/@davidpiegza/using-pass-in-a-team-1aa7adf36592 -- cgit v1.2.3
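Review bot: the onboarding sequence in the new "you are new and want to access the secret repository" section does not work in the order written. `pass init -p deuxfleurs $(cat ~/.password-store/deuxfleurs/.gpg-id)` is given before `pass` is installed and before `secrets.git` is cloned into `~/.password-store/deuxfleurs`, so neither the command nor the `.gpg-id` file exists at that point; and `pass init` re-encrypts every existing secret, which means decrypting each one first with a key that is already listed in `.gpg-id`, something a newcomer whose key was just added cannot do. Suggest moving the install and clone steps up and making re-encryption the job of the sysadmin who adds the key: that sysadmin edits `~/.password-store/deuxfleurs/.gpg-id` (the text currently says `/.gpg-id`), runs `pass init -p deuxfleurs $(cat ~/.password-store/deuxfleurs/.gpg-id)`, commits and pushes, and the newcomer only pulls. The `git commit` / `git push` that follow should also be run in `~/.password-store/deuxfleurs`, where the clone lives, not in `~/.password-store`. Smaller points in the same section: `gpg2 --export --armor` with no key argument exports every public key in the keyring, so it should name the key (`gpg2 --export --armor E9602264D639FF68`); `pass show deuxfleurs` only lists the store tree and does not confirm that decryption works, whereas showing one entry (`pass show deuxfleurs/backup_nextcloud`) would; the "add a teammate" section edits `~/.password-store/acme/.gpg-id` while every other command uses the `deuxfleurs` store; the `gpg2 --list-keys` sample output is in French ("Empreinte de la clef", "expire", "ultime") and would be clearer in English to match the rest of the page; and "Personnaly" should read "Personally".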