forked from Deuxfleurs/guide.deuxfleurs.fr
Add some raw doc on pass
parent d695725647
commit 74ef3f23a2
1 changed file with 167 additions and 0 deletions
@ -5,3 +5,170 @@ weight = 40
+++

https://www.passwordstore.org/

## you are new and want to access the secret repository

You need a GPG key to start with.
You can generate one with:

```bash
gpg2 --expert --full-gen-key
# Personnaly I use `9) ECC and ECC`, `1) Curve 25519`, and `5y`
```

Now export your public key:

```bash
gpg2 --export --armor <your email address>
```

You can upload it to Gitea, it will then be available publicly easily.
For example, you can access my key at this URL:

```
https://git.deuxfleurs.fr/quentin.gpg
```

You can import it to your keychain as follow:

```bash
gpg2 --import <(curl https://git.deuxfleurs.fr/quentin.gpg)
gpg2 --list-keys
# pub ed25519/0xE9602264D639FF68 2022-04-19 [SC] [expire : 2027-04-18]
# Empreinte de la clef = 8023 E27D F1BB D52C 559B 054C E960 2264 D639 FF68
# uid [ ultime ] Quentin Dufour <quentin@deuxfleurs.fr>
# sub cv25519/0xA40574404FF72851 2022-04-19 [E] [expire : 2027-04-18]
```

How to read this snippet:
- the key id: `E9602264D639FF68`
- the key fingerprint: `8023 E27D F1BB D52C 559B 054C E960 2264 D639 FF68`

Now, you need to:
1. Inform all other sysadmins that you have published your key
2. Check that the key of other sysadmins is the correct one.

To perform the check, you need another communication channel (ideally physically, otherwise through the phone, Matrix if you already trusted the other person, etc.)

Once you trust someone, sign its key:

```bash
gpg --edit-key quentin@deuxfleurs.fr
# or
gpg --edit-key E9602264D639FF68
# gpg> lsign
# (say yes)
# gpg> save
```

Once you signed everybody, ask to a sysadmin to add your key to `<secrets>/.gpg-id` and then run:

```
pass init -p deuxfleurs $(cat ~/.password-store/deuxfleurs/.gpg-id)
cd ~/.password-store
git commit
git push
```

Now you are ready to install `pass`:

```bash
sudo apt-get install pass # Debian + Ubuntu
sudo yum install pass # Fedora + RHEL
sudo zypper in password-store # OpenSUSE
sudo emerge -av pass # Gentoo
sudo pacman -S pass # Arch Linux
brew install pass # macOS
pkg install password-store # FreeBSD
```

*Go to [passwordstore.org](https://www.passwordstore.org/) for more information about pass*.

Download the repository:

```
mkdir -p ~/.password-store
cd ~/.password-store
git clone git@git.deuxfleurs.fr:Deuxfleurs/secrets.git deuxfleurs
```

And then check that everything work:

```bash
pass show deuxfleurs
```

---

---

## init

generate a new password store named deuxfleurs for you:

```
pass init -p deuxfleurs you@example.com
```

add a password in this store, it will be encrypted with your gpg key:

```bash
pass generate deuxfleurs/backup_nextcloud 20
# or
pass insert deuxfleurs/backup_nextcloud
```

## add a teammate

edit `~/.password-store/acme/.gpg-id` and add the id of your friends:

```
alice@example.com
jane@example.com
bob@example.com
```

make sure that you trust the keys of your teammates:

```
$ gpg --edit-key jane@example.com
gpg> lsign
gpg> y
gpg> save
```

Now re-encrypt the secrets:

```
pass init -p deuxfleurs $(cat ~/.password-store/deuxfleurs/.gpg-id)
```

They will now be able to decrypt the password:

```
pass deuxfleurs/backup_nextcloud
```

## sharing with git

To create the repo:

```bash
cd ~/.password-store/deuxfleurs
git init
git add .
git commit -m "Initial commit"
# Set up remote
git push
```

To setup the repo:

```bash
cd ~/.password-store
git clone https://git.example.com/org/repo.git deuxfleurs
```

## Ref

https://medium.com/@davidpiegza/using-pass-in-a-team-1aa7adf36592
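Review bot: the "Once you signed everybody" step runs `pass init -p deuxfleurs $(cat ~/.password-store/deuxfleurs/.gpg-id)` before `pass` is installed ("Now you are ready to install `pass`") and before the store is cloned into `~/.password-store/deuxfleurs` ("Download the repository"), so at that point neither the command nor the `.gpg-id` file exists; move this step after the clone. It should also say who runs it: the later "add a teammate" section shows that this same `pass init` call is what re-encrypts the secrets, and re-encrypting means decrypting each entry first, which the newcomer cannot yet do, so the sysadmin who adds the new key to `.gpg-id` should run it and push, and the newcomer only pulls afterwards. Two smaller points: `cd ~/.password-store` / `git commit` / `git push` is run one directory above the repository, which the clone step places in `~/.password-store/deuxfleurs`; and "add a teammate" edits `~/.password-store/acme/.gpg-id` while every other example uses `deuxfleurs`. Since "How to read this snippet" already extracts the key id and fingerprint, consider listing those in `.gpg-id` instead of e-mail addresses (`you@example.com`, `alice@example.com`), which can match more than one key in a keyring.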