author: Quentin Dufour <quentin@deuxfleurs.fr> 2022-04-19 14:32:44 +0200
committer: Quentin Dufour <quentin@deuxfleurs.fr> 2022-04-19 14:32:44 +0200
commit: d62f87fa7158c76eb5085cca5cbdaa53035357c7 (patch)
tree: 35f7af059b282d148d045a5b426f0c83fa7db389
parent: 501fbb55533c5db5b5a74978505d08e339611150 (diff)
Update guide
-rw-r--r-- op_guide/secrets/README.md | 89
1 file changed, 88 insertions, 1 deletion
diff --git a/op_guide/secrets/README.md b/op_guide/secrets/README.md
index 7c9fd65..9e50168 100644
--- a/op_guide/secrets/README.md
+++ b/op_guide/secrets/README.md
@@ -1,3 +1,90 @@
+## you are new and want to access the secret repository
+
+You need a GPG key to start with.
+You can generate one with:
+
+```bash
+gpg2 --expert --full-gen-key
+# Personnaly I use `9) ECC and ECC`, `1) Curve 25519`, and `5y`
+```
+
+Now export your public key:
+
+```bash
+gpg2 --export --armor <your email address>
+```
+
+You can upload it to Gitea, it will then be available publicly easily.
+For example, you can access my key at this URL:
+
+```
+https://git.deuxfleurs.fr/quentin.gpg
+```
+
+You can import it to your keychain as follow:
+
+```bash
+gpg2 --import <(curl https://git.deuxfleurs.fr/quentin.gpg)
+gpg2 --list-keys
+# pub ed25519/0xE9602264D639FF68 2022-04-19 [SC] [expire : 2027-04-18]
+# Empreinte de la clef = 8023 E27D F1BB D52C 559B 054C E960 2264 D639 FF68
+# uid [ ultime ] Quentin Dufour <quentin@deuxfleurs.fr>
+# sub cv25519/0xA40574404FF72851 2022-04-19 [E] [expire : 2027-04-18]
+```
+
+How to read this snippet:
+ - the key id: `E9602264D639FF68`
+ - the key fingerprint: `8023 E27D F1BB D52C 559B 054C E960 2264 D639 FF68`
+
+Now, you need to:
+ 1. Inform all other sysadmins that you have published your key
+ 2. Check that the key of other sysadmins is the correct one.
+
+To perform the check, you need another communication channel (ideally physically, otherwise through the phone, Matrix if you already trusted the other person, etc.)
+
+Once you trust someone, sign its key:
+
+```bash
+gpg --edit-key email@example.com
+# or
+gpg --edit-key E9602264D639FF68
+# gpg> lsign
+# (say yes)
+# gpg> save
+```
+
+Once you signed everybody, ask to a sysadmin to add your key to `<secrets>/.gpg-id` and then run:
+
+```
+pass init -p deuxfleurs $(cat ~/.password-store/deuxfleurs/.gpg-id)
+cd ~/.password-store
+git commit
+git push
+```
+
+Now you are ready to install `pass`:
+
+```bash
+sudo apt-get install pass # Debian + Ubuntu
+sudo yum install pass # Fedora + RHEL
+sudo zypper in password-store # OpenSUSE
+sudo emerge -av pass # Gentoo
+sudo pacman -S pass # Arch Linux
+brew install pass # macOS
+pkg install password-store # FreeBSD
+```
+
+*Go to [passwordstore.org](https://www.passwordstore.org/) for more information about pass*.
+
+And then check that everything work:
+
+```bash
+pass show deuxfleurs
+```
+
+---
+
+---
## init
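Review bot: the step order in this hunk is broken for the reader it targets: the `pass init -p deuxfleurs $(cat ~/.password-store/deuxfleurs/.gpg-id)` / `git commit` / `git push` block comes before "Now you are ready to install `pass`" and before the `git clone` of the store that only appears in the later "## init" section, so a newcomer following the page top to bottom runs a command that cannot work yet. It is also ambiguous who runs that block: the newcomer cannot decrypt the existing entries, so the re-encryption has to be done by the existing sysadmin who adds the new key to `.gpg-id`, after importing and `lsign`-ing the newcomer's key (pass calls gpg in batch mode, which refuses to encrypt to a key with no trust). Suggest saying that explicitly, moving the install block above it, and pointing the newcomer at the clone step in "## init". Smaller points: the "Check that the key of other sysadmins is the correct one" step should say to compare the full fingerprint (`8023 E27D F1BB D52C 559B 054C E960 2264 D639 FF68`) rather than the 64-bit key id listed next to it; `curl https://git.deuxfleurs.fr/quentin.gpg` lacks `-f`/`-s`, so an error page would be piped into `gpg2 --import` instead of the command failing early; the `pass init` fence has no `bash` tag unlike the others; `gpg2` and `gpg` are mixed across blocks; the `gpg2 --list-keys` sample output is partly in French (`expire`, `Empreinte de la clef`, `ultime`); and the typos "Personnaly", "as follow" (as follows), "sign its key" (their key), "ask to a sysadmin" (ask a sysadmin) and "everything work" (works) should be fixed.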
@@ -66,6 +153,6 @@ cd ~/.password-store
git clone https://git.example.com/org/repo.git deuxfleurs
```
-
+## Ref
https://medium.com/@davidpiegza/using-pass-in-a-team-1aa7adf36592
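Review bot: the new `## Ref` heading replaces the blank line that separated it from the closing fence of the `git clone` block, and the reference is a bare URL; suggest keeping a blank line before the heading and writing the reference as a list item or markdown link so it renders consistently with the rest of the guide.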