forked from Deuxfleurs/infrastructure
## you are new and want to access the secret repository

You need a GPG key to start with.
You can generate one with:

```bash
gpg2 --expert --full-gen-key
# Personally I use `9) ECC and ECC`, `1) Curve 25519`, and `5y`
```

Now export your public key:

```bash
gpg2 --export --armor <your email address>
```

You can upload it to Gitea; it will then be publicly available.
For example, you can access my key at this URL:

```
https://git.deuxfleurs.fr/quentin.gpg
```

You can import it into your keyring as follows:

```bash
gpg2 --import <(curl -sS https://git.deuxfleurs.fr/quentin.gpg)
gpg2 --list-keys
# pub   ed25519/0xE9602264D639FF68 2022-04-19 [SC] [expires: 2027-04-18]
#       Key fingerprint = 8023 E27D F1BB D52C 559B 054C E960 2264 D639 FF68
# uid           [ultimate] Quentin Dufour <quentin@deuxfleurs.fr>
# sub   cv25519/0xA40574404FF72851 2022-04-19 [E] [expires: 2027-04-18]
```

How to read this snippet:
- the key id: `E9602264D639FF68` (the long key id, i.e. the last 16 hex digits of the fingerprint)
- the key fingerprint: `8023 E27D F1BB D52C 559B 054C E960 2264 D639 FF68`

The `[ultimate]` validity is shown here because this is my own key; on your machine a freshly imported key is listed as `[ unknown ]` until you sign it. When you verify a key, always compare the full fingerprint, not just the key id.

Now, you need to:
1. Inform all other sysadmins that you have published your key
2. Check that the keys of the other sysadmins are the correct ones.

To perform the check, you need another communication channel (ideally in person, otherwise over the phone, or over Matrix if you already trust the other person, etc.): read the full fingerprint out loud and compare it with what `gpg2 --fingerprint <key id>` prints. A key fetched from Gitea is only as trustworthy as the Gitea account and the HTTPS connection it came through, so this out-of-band check is what actually ties the key to the person.

Once you trust someone, sign their key:

```bash
gpg --edit-key quentin@deuxfleurs.fr
# or
gpg --edit-key E9602264D639FF68
# gpg> lsign
# (answer yes)
# gpg> save
```

`lsign` makes a local, non-exportable signature: it marks the key as valid in your own keyring, so that gpg will encrypt to it without complaining, without publishing a certification that others could rely on.
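
Fingerprint comparison as an added example (not code from the Deuxfleurs repository): it parses gpg's machine-readable `--with-colons` output, normalizes the fingerprint you were read out of band (spacing, case) and accepts only a full 40-hex-digit fingerprint, never the 16-digit key id. The colon-format sample is constructed to the shape of `gpg2 --with-colons --fingerprint E9602264D639FF68` output, using the fingerprint published on this page; the subkey fingerprint and the other fields in it are placeholders, and the function names are mine.

```sh
#!/bin/sh
# Added example, not from the Deuxfleurs repository: check a fingerprint obtained
# out of band against what gpg reports, before running `lsign`.

# Drop whitespace and upper-case, so "8023 e27d ..." and "8023E27D..." compare equal.
normalize_fpr() {
  printf '%s' "$1" | tr -d ' \t\n' | tr '[:lower:]' '[:upper:]'
}

# Read `gpg --with-colons --fingerprint <key>` output on stdin and print the primary
# key's fingerprint: the first fpr record after the pub record (fpr records after a
# sub record belong to subkeys). Field 10 of an fpr record holds the fingerprint.
primary_fpr() {
  awk -F: '$1 == "pub" { want = 1; next } want && $1 == "fpr" { print $10; exit }'
}

# verify_fingerprint EXPECTED COLON_OUTPUT
# Returns 0 only if EXPECTED is a full 40-hex-digit fingerprint equal to the primary
# fingerprint in COLON_OUTPUT. A 16-digit long key id is rejected on purpose: it is
# only the tail of the fingerprint and is not what you should compare over the phone.
verify_fingerprint() {
  expected=$(normalize_fpr "$1")
  actual=$(printf '%s\n' "$2" | primary_fpr)
  case "$expected" in
    "" | *[!0-9A-F]*) return 1 ;;
  esac
  [ "${#expected}" -eq 40 ] || return 1
  [ "$expected" = "$actual" ]
}

# Constructed sample in the shape of `gpg2 --with-colons --fingerprint E9602264D639FF68`.
# The primary fingerprint is the one published on this page; the subkey fingerprint
# (last line) is made up for the example and the remaining fields are placeholders.
SAMPLE_COLONS='pub:u:255:22:E9602264D639FF68:1650326400:1808006400::u:::scESC:::::ed25519:::0:
fpr:::::::::8023E27DF1BBD52C559B054CE9602264D639FF68:
uid:u::::1650326400::0000000000000000000000000000000000000000::Quentin Dufour <quentin@deuxfleurs.fr>::::::::::0:
sub:u:255:18:A40574404FF72851:1650326400:1808006400:::::e:::::cv25519::
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:'

# What you were read over the phone, with the spacing gpg prints.
FROM_PHONE="8023 E27D F1BB D52C 559B 054C E960 2264 D639 FF68"

if verify_fingerprint "$FROM_PHONE" "$SAMPLE_COLONS"; then
  echo "fingerprint matches: safe to lsign"
else
  echo "MISMATCH: do not sign this key" >&2
fi

# Against a real keyring (gpg >= 2.1), after importing the key:
#   verify_fingerprint "$FROM_PHONE" "$(gpg2 --with-colons --fingerprint E9602264D639FF68)" \
#     && gpg2 --quick-lsign-key 8023E27DF1BBD52C559B054CE9602264D639FF68
```

`--quick-lsign-key` takes the fingerprint rather than an email on purpose: an email can match several keys in your keyring, a fingerprint cannot.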

Once you have signed everybody, ask a sysadmin to add your key id to `<secrets>/.gpg-id` and to re-encrypt the store for the new list of recipients. This has to be done by someone who can already decrypt the secrets, since `pass init` decrypts every entry and re-encrypts it to all the ids listed in `.gpg-id`:

```
pass init -p deuxfleurs $(cat ~/.password-store/deuxfleurs/.gpg-id)
cd ~/.password-store/deuxfleurs
git add -A
git commit
git push
```

Now you are ready to install `pass`:

```bash
sudo apt-get install pass           # Debian + Ubuntu
sudo yum install pass               # Fedora + RHEL
sudo zypper in password-store       # OpenSUSE
sudo emerge -av pass                # Gentoo
sudo pacman -S pass                 # Arch Linux
brew install pass                   # macOS
pkg install password-store          # FreeBSD
```

*Go to [passwordstore.org](https://www.passwordstore.org/) for more information about pass*.

Download the repository:

```
mkdir -p ~/.password-store
cd ~/.password-store
git clone git@git.deuxfleurs.fr:Deuxfleurs/secrets.git deuxfleurs
```

And then check that everything works:

```bash
pass show deuxfleurs
```

This lists the tree of the store. To check that decryption works, show one entry: only entries that were re-encrypted after your key was added to `.gpg-id` will decrypt for you; for older ones gpg reports `decryption failed: No secret key`.

---

## init

Generate a new password store named deuxfleurs for you:

```
pass init -p deuxfleurs you@example.com
```

This creates `~/.password-store/deuxfleurs/.gpg-id`, which lists the ids every entry in that folder is encrypted to.

Add a password in this store; it will be encrypted with your GPG key:

```bash
pass generate deuxfleurs/backup_nextcloud 20
# or
pass insert deuxfleurs/backup_nextcloud
```

## add a teammate

Edit `~/.password-store/deuxfleurs/.gpg-id` and add the ids of your teammates, one per line:

```
alice@example.com
jane@example.com
bob@example.com
```

An email address is resolved against your keyring and can match more than one key; a long key id or a fingerprint (as listed in the section above) is unambiguous.

Make sure that you trust the keys of your teammates (after checking their fingerprints over a separate channel):

```
$ gpg --edit-key jane@example.com
gpg> lsign
(answer y)
gpg> save
```

Now re-encrypt the secrets to everybody listed in `.gpg-id`:

```
pass init -p deuxfleurs $(cat ~/.password-store/deuxfleurs/.gpg-id)
```

They will now be able to decrypt the password:

```
pass deuxfleurs/backup_nextcloud
```
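
A pre-flight check for the `.gpg-id` re-encryption, both the one a sysadmin runs when onboarding a new member (first section) and the one just above, as an added example that is code neither from the Deuxfleurs repository nor from `pass` itself. `pass init` hands every id in `.gpg-id` to gpg as a recipient; gpg refuses to encrypt to a key of unknown validity, so the run stops part-way through the store, and an email that matches two keys in your keyring is ambiguous. The check confirms, from `gpg --with-colons --list-keys` output, that each recipient selects exactly one key whose computed validity is full (`f`) or ultimate (`u`), i.e. a key you have signed. The keyring listing and the `.gpg-id` contents are constructed for the example and the function names are mine.

```sh
#!/bin/sh
# Added example, not from the Deuxfleurs repository or from pass: check the recipients
# in .gpg-id against your keyring before `pass init -p deuxfleurs $(cat .gpg-id)`.

# Flatten `gpg --with-colons --list-keys` output into one line per primary key:
#   <validity> <long key id> <fingerprint> <uid>|<uid>...
# pub field 2 is the computed validity and field 5 the long key id; the first fpr
# record after a pub record is the primary fingerprint (field 10); uid field 10 is
# the user id. Records for subkeys (sub, and the fpr that follows) are skipped.
flatten_keys() {
  awk -F: '
    function flush() { if (kid != "") print val, kid, fpr, uids }
    $1 == "pub" { flush(); val = $2; kid = $5; fpr = ""; uids = "" }
    $1 == "fpr" && fpr == "" { fpr = $10 }
    $1 == "uid" { uids = uids (uids == "" ? "" : "|") $10 }
    END { flush() }'
}

# match_keys FLATTENED RECIPIENT: print the keys RECIPIENT selects, the way a .gpg-id
# entry does: by long key id, by full fingerprint (case-insensitive) or by email.
match_keys() {
  printf '%s\n' "$1" | awk -v r="$2" '
    BEGIN { R = toupper(r) }
    toupper($2) == R || toupper($3) == R || index($0, "<" r ">") { print }'
}

# check_recipients GPG_ID_CONTENT COLON_LISTING
# Returns 0 when every recipient matches exactly one key with validity f or u, i.e. a
# key you have verified and lsign-ed. Otherwise prints one line per problem and returns
# 1, so the keyring gets fixed before pass starts rewriting the store.
check_recipients() {
  keys=$(printf '%s\n' "$2" | flatten_keys)
  rc=0
  # .gpg-id holds one id per line and ids contain no whitespace, so word splitting
  # is safe here (it is also what `$(cat .gpg-id)` relies on).
  for rec in $(printf '%s\n' "$1"); do
    m=$(match_keys "$keys" "$rec")
    n=$(printf '%s\n' "$m" | grep -c .) || :
    if [ "$n" -eq 0 ]; then
      echo "$rec: not in keyring, import it first"; rc=1
    elif [ "$n" -gt 1 ]; then
      echo "$rec: matches $n keys, use the fingerprint or long key id instead"; rc=1
    else
      v=$(printf '%s\n' "$m" | cut -d' ' -f1)
      case "$v" in
        u | f) ;;
        *) echo "$rec: validity '$v', verify the fingerprint and lsign the key"; rc=1 ;;
      esac
    fi
  done
  return "$rc"
}

# Constructed keyring listing (shape of `gpg --with-colons --list-keys`, ids are
# placeholders): Alice signed (f), Bob imported but never verified (-), and two
# keys that both carry Jane's address (f).
KEYRING_LISTING='tru::1:1650326400:0:3:1:5
pub:f:255:22:AAAAAAAAAAAAAAAA:1650326400:1808006400::-:::scESC:::::ed25519:::0:
fpr:::::::::AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:
uid:f::::1650326400::0000000000000000000000000000000000000000::Alice <alice@example.com>::::::::::0:
sub:f:255:18:A1A1A1A1A1A1A1A1:1650326400:1808006400:::::e:::::cv25519::
fpr:::::::::A1A1A1A1A1A1A1A1A1A1A1A1A1A1A1A1A1A1A1A1:
pub:-:255:22:BBBBBBBBBBBBBBBB:1650326400:1808006400::-:::scESC:::::ed25519:::0:
fpr:::::::::BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB:
uid:-::::1650326400::0000000000000000000000000000000000000000::Bob <bob@example.com>::::::::::0:
pub:f:255:22:CCCCCCCCCCCCCCCC:1650326400:1808006400::-:::scESC:::::ed25519:::0:
fpr:::::::::CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC:
uid:f::::1650326400::0000000000000000000000000000000000000000::Jane <jane@example.com>::::::::::0:
pub:f:255:22:DDDDDDDDDDDDDDDD:1650326400:1808006400::-:::scESC:::::ed25519:::0:
fpr:::::::::DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD:
uid:f::::1650326400::0000000000000000000000000000000000000000::Jane (work) <jane@example.com>::::::::::0:'

# Constructed .gpg-id contents: one that is safe and one with every kind of problem.
GPG_ID_GOOD='alice@example.com'
GPG_ID_BAD='alice@example.com
bob@example.com
jane@example.com
carol@example.com'

echo "== good .gpg-id"
check_recipients "$GPG_ID_GOOD" "$KEYRING_LISTING" && echo "ok, safe to re-encrypt"
echo "== bad .gpg-id"
check_recipients "$GPG_ID_BAD" "$KEYRING_LISTING" || echo "fix the keyring first"

# Against a real store:
#   check_recipients "$(cat ~/.password-store/deuxfleurs/.gpg-id)" "$(gpg2 --with-colons --list-keys)" \
#     && pass init -p deuxfleurs $(cat ~/.password-store/deuxfleurs/.gpg-id)
```

The check matches recipients the way `.gpg-id` entries are used, so a fingerprint written in lower case still resolves; the ambiguous-email case is the one to watch for, because gpg will not tell you which of the two keys it picked.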

## sharing with git

To create the repo:

```bash
cd ~/.password-store/deuxfleurs
git init
git add .
git commit -m "Initial commit"
git remote add origin <remote url>   # set up the remote
git push -u origin HEAD
```

Once the store is a git repository, `pass` commits every change it makes (`pass insert`, `pass generate`, `pass init`, ...) automatically, and `pass git push` runs git inside the store.

To set up the repo on another machine:

```bash
cd ~/.password-store
git clone https://git.example.com/org/repo.git deuxfleurs
```

## Ref

https://medium.com/@davidpiegza/using-pass-in-a-team-1aa7adf36592