Add some raw doc on pass
parent d695725647
commit 74ef3f23a2
1 changed file with 167 additions and 0 deletions
@ -5,3 +5,170 @@ weight = 40
+++
https://www.passwordstore.org/
## you are new and want to access the secret repository
You need a GPG key to start with.
You can generate one with:
```bash
gpg2 --expert --full-gen-key
# Personnaly I use `9) ECC and ECC`, `1) Curve 25519`, and `5y`
```
Now export your public key:
```bash
gpg2 --export --armor <your email address>
```
You can upload it to Gitea, it will then be available publicly easily.
For example, you can access my key at this URL:
```
https://git.deuxfleurs.fr/quentin.gpg
```
You can import it to your keychain as follow:
```bash
gpg2 --import <(curl https://git.deuxfleurs.fr/quentin.gpg)
gpg2 --list-keys
# pub ed25519/0xE9602264D639FF68 2022-04-19 [SC] [expire : 2027-04-18]
# Empreinte de la clef = 8023 E27D F1BB D52C 559B 054C E960 2264 D639 FF68
# uid [ ultime ] Quentin Dufour <quentin@deuxfleurs.fr>
# sub cv25519/0xA40574404FF72851 2022-04-19 [E] [expire : 2027-04-18]
```
How to read this snippet:
- the key id: `E9602264D639FF68`
- the key fingerprint: `8023 E27D F1BB D52C 559B 054C E960 2264 D639 FF68`
Now, you need to:
1. Inform all other sysadmins that you have published your key
2. Check that the key of other sysadmins is the correct one.
To perform the check, you need another communication channel (ideally physically, otherwise through the phone, Matrix if you already trusted the other person, etc.)
Once you trust someone, sign its key:
```bash
gpg --edit-key quentin@deuxfleurs.fr
# or
gpg --edit-key E9602264D639FF68
# gpg> lsign
# (say yes)
# gpg> save
```
Once you signed everybody, ask to a sysadmin to add your key to `<secrets>/.gpg-id` and then run:
```
pass init -p deuxfleurs $(cat ~/.password-store/deuxfleurs/.gpg-id)
cd ~/.password-store
git commit
git push
```
Now you are ready to install `pass`:
```bash
sudo apt-get install pass # Debian + Ubuntu
sudo yum install pass # Fedora + RHEL
sudo zypper in password-store # OpenSUSE
sudo emerge -av pass # Gentoo
sudo pacman -S pass # Arch Linux
brew install pass # macOS
pkg install password-store # FreeBSD
```
*Go to [passwordstore.org](https://www.passwordstore.org/) for more information about pass*.
Download the repository:
```
mkdir -p ~/.password-store
cd ~/.password-store
git clone git@git.deuxfleurs.fr:Deuxfleurs/secrets.git deuxfleurs
```
And then check that everything work:
```bash
pass show deuxfleurs
```
---
---
## init
generate a new password store named deuxfleurs for you:
```
pass init -p deuxfleurs you@example.com
```
add a password in this store, it will be encrypted with your gpg key:
```bash
pass generate deuxfleurs/backup_nextcloud 20
# or
pass insert deuxfleurs/backup_nextcloud
```
## add a teammate
edit `~/.password-store/acme/.gpg-id` and add the id of your friends:
```
alice@example.com
jane@example.com
bob@example.com
```
make sure that you trust the keys of your teammates:
```
$ gpg --edit-key jane@example.com
gpg> lsign
gpg> y
gpg> save
```
Now re-encrypt the secrets:
```
pass init -p deuxfleurs $(cat ~/.password-store/deuxfleurs/.gpg-id)
```
They will now be able to decrypt the password:
```
pass deuxfleurs/backup_nextcloud
```
## sharing with git
To create the repo:
```bash
cd ~/.password-store/deuxfleurs
git init
git add .
git commit -m "Initial commit"
# Set up remote
git push
```
To setup the repo:
```bash
cd ~/.password-store
git clone https://git.example.com/org/repo.git deuxfleurs
```
## Ref
https://medium.com/@davidpiegza/using-pass-in-a-team-1aa7adf36592
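Review bot: the onboarding steps in "you are new and want to access the secret repository" cannot be executed by the newcomer as written. `pass init -p deuxfleurs $(cat ~/.password-store/deuxfleurs/.gpg-id)` re-encrypts every existing secret to the new recipient list, which requires a key that can already decrypt them, so it has to be run by the sysadmin who appended the newcomer's id to `.gpg-id` (the "add a teammate" section further down describes exactly that flow), not by the person being added. The ordering is also inverted: `pass` is only installed and the `deuxfleurs` repository only cloned after that command, and because the store lives in `~/.password-store/deuxfleurs` the commit should be made from that directory (as the "sharing with git" section does with `cd ~/.password-store/deuxfleurs`), not from `cd ~/.password-store`. Suggest reordering to: install pass, clone, verify fingerprints out of band and `lsign` the other sysadmins' keys, publish your own key, then hand off to an existing sysadmin who appends your id, runs the re-encryption and pushes; the newcomer then pulls and runs `pass show deuxfleurs` as the final check. Related footgun: in the "init" section, `pass init -p deuxfleurs you@example.com` run against the cloned store would re-encrypt everything to a single key and lock every other sysadmin out, so that section should be labelled as creating a fresh store only. Consistency: `~/.password-store/acme/.gpg-id` in "add a teammate" should be `deuxfleurs` like the rest of the page, and the commands alternate between `gpg2` and `gpg`. Minor: `curl https://git.deuxfleurs.fr/quentin.gpg` without `-f` will pipe an HTTP error body into `gpg2 --import` on a failed fetch; `curl -fsS` makes that failure visible. The out-of-band fingerprint check the text already requires remains the actual authentication control, since the HTTPS fetch from Gitea only protects transport.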