@deinarson
Last active September 17, 2021 11:59

Password-Store

This example is to point out that password-store (pass) facilitates

  1. Encrypting each secret file for one user or for a list of users (the recipients listed in .gpg-id)
  2. The use of git
    • once you have run pass git init, every change made through pass is committed automatically to the local git repo
    • once you have added a remote, you still have to push manually whenever you want the remote updated
  3. Generating a password and writing it straight into a new encrypted file

Initialize password-store

Beyond the scope of this example, but worth knowing: you can re-run the same pass init command later with a changed key list to add or remove recipients. pass then re-encrypts every entry under that directory for the new list, so there is no need for a loop over "pass edit $file".

  # add your gpg keys to a list, one per line (key IDs, fingerprints or e-mail addresses all work)
  KEYS="
  0xF39B623309A44FAC4
  0x4B7B01AED3463F6DC"

  # The name of the sub directory you want to manage with other keys
  GROUP=mcin

  # the unquoted ${KEYS} splits on the newlines, so each key becomes one argument
  pass init -p ${GROUP} ${KEYS}

  # note what happened: the keys are written one per line into the group's .gpg-id
  # to add or remove keys later, change KEYS and re-run the pass init line above;
  # editing .gpg-id by hand does not re-encrypt the existing entries

  cat ~/.password-store/${GROUP}/.gpg-id

Now test the creation of a secret file

 # create a new file and generate a 10 char password
 pass generate ${GROUP}/test-secret 10

 # edit will auto-create if the file is not already present 
 # pass edit ${GROUP}/new_file

Check that you can read the file

 pass ${GROUP}/test-secret

 # edit or update a pass file
 pass edit ${GROUP}/test-secret
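The .gpg-id file only says who pass will encrypt *new* entries for; it does not prove that the entries already in the directory were encrypted to that list (for example after someone edited .gpg-id by hand, or before a re-run of pass init). The script below is an added example, not part of the gist: it reads the recipient key IDs out of each entry's OpenPGP packets with gpg --list-only --list-packets and compares them with the encryption subkeys of every id in .gpg-id. It assumes GnuPG 2.x and the one-level layout used above (~/.password-store/<group>/*.gpg next to <group>/.gpg-id); SAMPLE_PACKETS is a constructed packet dump so the parsing can be exercised without a keyring.

```shell
#!/bin/sh
# Added example, not part of the gist: check that every entry in a group
# directory is encrypted to exactly the recipients named in that directory's
# .gpg-id. Assumes GnuPG 2.x and the one-level layout
# ~/.password-store/<group>/*.gpg with <group>/.gpg-id.
set -u

# Key IDs named by the "pubkey enc" packets of one encrypted file.
# Reads `gpg --list-packets` output on stdin; prints one key ID per line.
packet_recipients() {
    sed -n 's/^:pubkey enc packet:.*keyid \([0-9A-Fa-f]\{16\}\).*/\1/p' \
        | tr 'a-f' 'A-F' | sort -u
}

# Encryption-capable, non-revoked, non-expired key IDs for one .gpg-id entry
# (key ID, fingerprint or e-mail). Packets name the encryption subkey, not the
# primary key, so the comparison has to happen at subkey level.
enc_keyids_for() {
    gpg --batch --with-colons --list-keys "$1" 2>/dev/null </dev/null \
        | awk -F: '($1 == "pub" || $1 == "sub") && $2 != "r" && $2 != "e" && index($12, "e") { print $5 }'
}

# only_allowed FOUND ALLOWED: every key in FOUND (newline-separated) must be in ALLOWED.
only_allowed() {
    rc=0
    for k in $1; do
        printf '%s\n' "$2" | grep -qxF "$k" || { echo "unexpected recipient $k" >&2; rc=1; }
    done
    return $rc
}

# covers_entry FOUND ENTRY_KEYS: at least one of ENTRY_KEYS must be in FOUND.
covers_entry() {
    for k in $2; do
        printf '%s\n' "$1" | grep -qxF "$k" && return 0
    done
    return 1
}

# check_store_dir DIR: status 0 only if every *.gpg in DIR is encrypted to
# all of DIR/.gpg-id and to nobody else.
check_store_dir() {
    dir=${1%/}
    [ -f "$dir/.gpg-id" ] || { echo "$dir: no .gpg-id" >&2; return 2; }
    rc=0
    for f in "$dir"/*.gpg; do
        [ -e "$f" ] || continue
        # --list-only skips the decryption pass: no passphrase prompt, no secret key needed
        found=$(gpg --batch --list-only --list-packets "$f" 2>/dev/null </dev/null | packet_recipients)
        allowed=""
        while read -r id; do
            [ -n "$id" ] || continue
            keys=$(enc_keyids_for "$id")
            if [ -z "$keys" ]; then
                echo "$dir/.gpg-id: no usable encryption key for '$id' in the keyring" >&2
                rc=1
                continue
            fi
            allowed="$allowed
$keys"
            covers_entry "$found" "$keys" || { echo "$f: not encrypted to $id" >&2; rc=1; }
        done < "$dir/.gpg-id"
        only_allowed "$found" "$allowed" || { echo "$f: has recipients outside .gpg-id" >&2; rc=1; }
    done
    return $rc
}

# Constructed sample of `gpg --list-packets` output for a two-recipient file.
SAMPLE_PACKETS=':pubkey enc packet: version 3, algo 1, keyid 1111111111111111
	data: [4096 bits]
:pubkey enc packet: version 3, algo 18, keyid 2222222222222222
	data: [263 bits]
	data: [264 bits]
:encrypted data packet:
	length: 128
	mdc_method: 2'

if [ $# -eq 1 ]; then
    check_store_dir "$1"
fi
```

Run it as sh check-recipients.sh ~/.password-store/mcin; a non-zero exit means at least one entry is readable by someone not in .gpg-id, or is not readable by someone who should be, and the offending file and key are printed to stderr. It is the check to run right after rotating keys with pass init.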

Getting into git

Initialize a git repo to push to, if you don't already have one.

For the sake of a demo we will use a local bare repo

 mkdir /tmp/example-repo
 cd /tmp/example-repo
 git init --bare

Add the upstream repo (call it origin, since that is the remote name git, and therefore pass git push, defaults to)

Once you have run 'pass git init', every modification made with the "pass" command is committed automatically. Once you add the git remote, you still have to push manually.

 # Initialize a git repo in the password store
 pass git init

 # Add the remote ( created above )
 pass git remote add origin /tmp/example-repo

 # make an example file to show that pass commits it for you
 pass generate ${GROUP}/git-test 10

 # now manually push to the repo
 pass git push -u --all

Emulate a person sharing this repo

Note git clone auto-creates the directory. The other person can only decrypt the entries if the private key for one of the ids in ${GROUP}/.gpg-id is in their keyring.

 export PASSWORD_STORE_DIR=/tmp/otherperson
 git clone /tmp/example-repo /tmp/otherperson

Food for thought

Now we see that we can share the encrypted password files; each file is encrypted for everyone listed in the .gpg-id of the managed directory it lives in. There can be a different .gpg-id list for each subdirectory (e.g. one per group you work with):

 $ pass
 Password Store
 |-- mcin
 |   |-- test21
 |   `-- test-secret
 `-- SecTeam
     |-- systems
     |-- LogisticsPlan
     `-- web-accounts

Shortcomings

You may have noticed above that if you work with more than one password-store repo you may run into problems.

I work with several groups that all want to keep their secrets in their own group-shared repo. Unfortunately the pass git command expects .git to be in the root of PASSWORD_STORE_GIT (which defaults to PASSWORD_STORE_DIR, i.e. ~/.password-store). A fix?: if the script were to cd to the subdir first and then issue the git command this would not be an issue; it only makes the pass git remote command function differently (but I do all of that manually anyway).

I currently want to modify pass git to accept the -p subfolder option. But for now I can suggest aliasing your pass commands to change your $PASSWORD_STORE_DIR or $PASSWORD_STORE_GIT for each project.
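The aliasing workaround, written out as a wrapper so the git steps above (automatic commits, manual push) work per group. This is an added example, not code from the gist or from the pass project. It assumes each group is a sub-store under PASSWORD_STORE_ROOT (default ~/.password-store) that has its own .gpg-id (created with pass init -p GROUP as above, or with passg GROUP init KEYS) and its own repository (passg GROUP git init). The group-name check is the part a shared script needs: an alias or script argument must not be able to point pass at a directory outside the root.

```shell
#!/bin/sh
# Added example, not part of the gist: the per-project aliasing workaround as a
# wrapper. Assumes each group is a sub-store under PASSWORD_STORE_ROOT with its
# own .gpg-id and its own git repository.
set -u

PASSWORD_STORE_ROOT=${PASSWORD_STORE_ROOT:-${HOME:-.}/.password-store}

# Accept only a plain directory name: no empty name, no leading dot, no
# slashes, no "..", nothing outside [A-Za-z0-9_-].
valid_group_name() {
    case $1 in
        ''|.*|*/*|*..*) return 1 ;;
        *[!A-Za-z0-9_-]*) return 1 ;;
    esac
    return 0
}

# Print the store directory for GROUP, or fail with a message on stderr.
group_store_dir() {
    valid_group_name "$1" || { echo "invalid group name: '$1'" >&2; return 1; }
    printf '%s/%s\n' "$PASSWORD_STORE_ROOT" "$1"
}

# passg GROUP ARGS...: run pass with GROUP's directory as the store root.
# PASSWORD_STORE_DIR does the work; PASSWORD_STORE_GIT is the variable the gist
# refers to and is set to the same directory so the git commands land there too.
passg() {
    dir=$(group_store_dir "$1") || return 1
    shift
    PASSWORD_STORE_DIR=$dir PASSWORD_STORE_GIT=$dir pass "$@"
}

# passg_sync GROUP: commits are automatic, pushes are not, so pull what the
# other members pushed and push your own commits in one step.
passg_sync() {
    passg "$1" git pull --rebase && passg "$1" git push
}
```

With this sourced into your shell, the flow from the sections above becomes passg mcin git init, passg mcin git remote add origin /tmp/example-repo, passg mcin generate git-test 10 and finally passg_sync mcin; a second group gets its own .gpg-id and .git under its own directory and never shares history with the first.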
