From d62f87fa7158c76eb5085cca5cbdaa53035357c7 Mon Sep 17 00:00:00 2001 From: Quentin Dufour Date: Tue, 19 Apr 2022 14:32:44 +0200 Subject: [PATCH] Update guide --- op_guide/secrets/README.md | 89 +++++++++++++++++++++++++++++++++++++- 1 file changed, 88 insertions(+), 1 deletion(-) diff --git a/op_guide/secrets/README.md b/op_guide/secrets/README.md index 7c9fd65..9e50168 100644 --- a/op_guide/secrets/README.md +++ b/op_guide/secrets/README.md 
@@ -1,3 +1,90 @@ +## you are new and want to access the secret repository + +You need a GPG key to start with. +You can generate one with: + +```bash +gpg2 --expert --full-gen-key +# Personnaly I use `9) ECC and ECC`, `1) Curve 25519`, and `5y` +``` + +Now export your public key: + +```bash +gpg2 --export --armor +``` + +You can upload it to Gitea, it will then be available publicly easily. +For example, you can access my key at this URL: + +``` +https://git.deuxfleurs.fr/quentin.gpg +``` + +You can import it to your keychain as follow: + +```bash +gpg2 --import <(curl https://git.deuxfleurs.fr/quentin.gpg) +gpg2 --list-keys +# pub ed25519/0xE9602264D639FF68 2022-04-19 [SC] [expire : 2027-04-18] +# Empreinte de la clef = 8023 E27D F1BB D52C 559B 054C E960 2264 D639 FF68 +# uid [ ultime ] Quentin Dufour +# sub cv25519/0xA40574404FF72851 2022-04-19 [E] [expire : 2027-04-18] +``` + +How to read this snippet: + - the key id: `E9602264D639FF68` + - the key fingerprint: `8023 E27D F1BB D52C 559B 054C E960 2264 D639 FF68` + +Now, you need to: + 1. Inform all other sysadmins that you have published your key + 2. Check that the key of other sysadmins is the correct one. + +To perform the check, you need another communication channel (ideally physically, otherwise through the phone, Matrix if you already trusted the other person, etc.) 
+ +Once you trust someone, sign its key: + +```bash +gpg --edit-key email@example.com +# or +gpg --edit-key E9602264D639FF68 +# gpg> lsign +# (say yes) +# gpg> save +``` + +Once you signed everybody, ask to a sysadmin to add your key to `/.gpg-id` and then run: + +``` +pass init -p deuxfleurs $(cat ~/.password-store/deuxfleurs/.gpg-id) +cd ~/.password-store +git commit +git push +``` + +Now you are ready to install `pass`: + +```bash +sudo apt-get install pass # Debian + Ubuntu +sudo yum install pass # Fedora + RHEL +sudo zypper in password-store # OpenSUSE +sudo emerge -av pass # Gentoo +sudo pacman -S pass # Arch Linux +brew install pass # macOS +pkg install password-store # FreeBSD +``` + +*Go to [passwordstore.org](https://www.passwordstore.org/) for more information about pass*. + +And then check that everything work: + +```bash +pass show deuxfleurs +``` + +--- + +--- ## init @@ -66,6 +153,6 @@ cd ~/.password-store git clone https://git.example.com/org/repo.git deuxfleurs ``` - +## Ref https://medium.com/@davidpiegza/using-pass-in-a-team-1aa7adf36592
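Review bot: In the first hunk the onboarding steps are out of order and one of them cannot be run by the person it is addressed to: `pass init -p deuxfleurs $(cat ~/.password-store/deuxfleurs/.gpg-id)` re-encrypts every existing secret, which only works for someone who can already decrypt them, so this step should be marked as the existing sysadmin's job (followed by a `git pull` on the newcomer's side), and the "Now you are ready to install `pass`" section should move above it, since `pass` is invoked before it is installed. The path in "add your key to `/.gpg-id`" also looks truncated and should read `~/.password-store/deuxfleurs/.gpg-id` as in the command that follows. Two smaller points: `gpg2 --export --armor` with no key id exports every public key in the keyring, so give it the id (`gpg2 --export --armor E9602264D639FF68`), and the "check that the key of other sysadmins is the correct one" step should say to compare the full fingerprint over the second channel rather than the short key id, since short ids are not collision-resistant. The doubled `---` rule at the end of the hunk can be collapsed to one.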
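Review bot: In the second hunk the URL is placed inside the heading text (`+## Ref https://medium.com/@davidpiegza/using-pass-in-a-team-1aa7adf36592`), which renders as a heading with a raw link and removes the blank line that separated the closing fence from what follows; keep `## Ref` as the heading, put the link on its own line beneath it, and restore the blank line after the code fence so the Markdown renders consistently with the rest of the guide.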