Encryption
Only the [E] subkey needs to be in the vault:
- Don't touch the main (sec) key.
- Don't touch the [S] and [C] keys.
```bash
export PGP_SUB_E_ID=YOUR_PGP_SUBKEY_FOR_ENCRYPTION_ID
# It should be the same ID as given to `pass init [gpg-id]`, i.e. the content of $PASSWORD_STORE_DIR/.gpg-id
gopass init "$PGP_SUB_E_ID"
# Generate the age identity protected by a passphrase, then derive its recipient from it
age-keygen | age --passphrase --armor > "$PASSAGE_IDENTITIES_FILE"
age --decrypt "$PASSAGE_IDENTITIES_FILE" | age-keygen -y > "$PASSAGE_RECIPIENTS_FILE"
mkdir -p "$PASSAGE_DIR"
passage git init
<~/.ssh/id_ed25519 passage insert --multiline ssh
<"$(rclone config file | tail -1)" passage insert --multiline rclone
```
Restore vaults
```bash
# If you are using a GitHub private repository, use:
#   gh auth login; gh repo clone example_org/password-store "$PASSWORD_STORE_DIR"
# gh auth login succeeds even if it hits a permission error on config.yml; the credentials are written to hosts.yml
git clone 'https://private.example.com/password-store.git' "$PASSWORD_STORE_DIR"
git clone '[email protected]:passage-store.git' "$PASSAGE_DIR"
# Paste the age identity. Make sure the editor is not enabling backup features (a swap/backup file would leak the key)
hx "$PASSAGE_IDENTITIES_FILE"
# Don't keep this PGP subkey in the passage store itself, that would be a circular reference
age --decrypt --identity "$PASSAGE_IDENTITIES_FILE" "pgp-sub-${PGP_SUB_E_ID}.age" | gpg --import
# Make sure the other keys are listed, but with a `#` suffix on `sec` and `ssb` (offline stubs)
gpg --list-secret-keys
```
Load minimum secrets from the vaults
```bash
umask 077  # so the key file is never created readable by others, even before the chmod
passage show 'ssh' > ~/.ssh/id_ed25519
chmod 400 ~/.ssh/id_ed25519
ssh-add ~/.ssh/id_ed25519
rclone config touch
passage show 'rclone' > "$(rclone config file | tail -1)"
```
Restore shell history - Work in Progress
Remove used vaults from local
```bash
# Don't trust `shred --remove` or `srm` on an SSD: wear levelling means overwritten blocks can survive.
# Rely on tomb, rclone or the OS-provided full-disk encryption instead.
rm -rf "$PASSAGE_DIR"
rm "$PASSAGE_IDENTITIES_FILE"
```
See GH-830
I prefer gpg-sq as the alternative, but it does not yet support many of gpg's features, so you still need gpg for now.
If you hit a decryption error with gpg-sq, check it with `sq decrypt`, which displays the error details.
For example: `1: AEAD Encrypted Data Packet v1 is not considered secure`
This is caused by data encrypted with a gpg whose AEAD preference was left enabled; Sequoia rejects that packet type. If you still use gpg, inspect the key's preferences with `showpref` and remove AEAD with `setpref` in `gpg --edit-key`.
TODO:
Abbreviations
- sec = SECret key
- ssb = Secret SuBkey
Symbols in list
From the gpg man page:
> --list-secret-keys, -K: List the specified secret keys. If no keys are specified, then all known secret keys are listed. A `#` after the initial tags `sec` or `ssb` means that the secret key or subkey is currently not usable. We also say that this key has been taken offline (for example, a primary key can be taken offline by exporting the key using the command `--export-secret-subkeys`). A `>` after these tags indicates that the key is stored on a smartcard. See also `--list-keys`.
How to list keys?
```bash
gpg --list-secret-keys --keyid-format=long
# The first `sec` section displays the same text as `pub` in
# gpg --list-keys --keyid-format=long
```
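An added check for the keyring state that "Restore vaults" and "How to list keys?" describe (example code written for this page, not part of the dotfiles repository): it parses the machine-readable `gpg --list-secret-keys --with-colons` listing and passes only if the expected [E] subkey carries real secret material while every other `sec`/`ssb` record is an offline stub (`#` in the token field, which is what the `sec#`/`ssb#` suffix of the human-readable listing means). The function name `check_vault_keyring` is an assumption, and the sample listings are constructed, not captured from a real keyring.

```shell
#!/bin/sh
# check_vault_keyring EXPECTED_E_KEYID
# Reads `gpg --list-secret-keys --with-colons` output on stdin. Exit status 0 only when:
#   - EXPECTED_E_KEYID (a long key ID, or a fingerprint, of which the last 16 hex digits are used)
#     is present as a sec/ssb record with the 'e' capability and is NOT a stub, and
#   - every other sec/ssb record is an offline stub ('#' in field 15, the token field).
# Field layout (gnupg doc/DETAILS): 1 record type, 5 key ID, 12 capabilities, 15 token serial or '#'.
check_vault_keyring() {
  awk -F: -v want="$1" '
    BEGIN {
      want = toupper(want)
      if (length(want) > 16) want = substr(want, length(want) - 15)   # fingerprint -> long key ID
    }
    $1 == "sec" || $1 == "ssb" {
      keyid = toupper($5); caps = $12; stub = ($15 == "#")
      if (keyid == want) {
        found = 1
        if (stub)        { print "FAIL: " keyid " is an offline stub, no secret material"; bad = 1 }
        if (caps !~ /e/) { print "FAIL: " keyid " has no [E] capability (caps=" caps ")"; bad = 1 }
      } else if (!stub) {
        print "FAIL: " $1 " " keyid " (caps=" caps ") has secret material but should be offline (#)"
        bad = 1
      }
    }
    END {
      if (!found) { print "FAIL: " want " not found in keyring"; bad = 1 }
      if (bad) exit 1
      print "OK: only " want " carries secret material"
    }'
}

# Constructed sample listing (not from a real keyring): a primary [C] key and an [S] subkey present
# only as stubs, plus a usable cv25519 [E] subkey CCCCCCCCCCCCCCCC.
GOOD_LISTING='sec:u:255:22:AAAAAAAAAAAAAAAA:1700000000:::u:::cESCA:::#:::23::0:
fpr:::::::::111111111111111111111111AAAAAAAAAAAAAAAA:
uid:u::::1700000000::0123456789ABCDEF0123456789ABCDEF01234567::Example User <user@example.com>::::::::::0:
ssb:u:255:22:BBBBBBBBBBBBBBBB:1700000000::::::s:::#:::23:
fpr:::::::::222222222222222222222222BBBBBBBBBBBBBBBB:
ssb:u:255:18:CCCCCCCCCCCCCCCC:1700000000::::::e:::::cv25519:
fpr:::::::::333333333333333333333333CCCCCCCCCCCCCCCC:'
# Same keys, but the primary was imported with its secret material (no '#' in field 15): must be rejected.
BAD_LISTING='sec:u:255:22:AAAAAAAAAAAAAAAA:1700000000:::u:::cESCA::::::23::0:
ssb:u:255:22:BBBBBBBBBBBBBBBB:1700000000::::::s:::#:::23:
ssb:u:255:18:CCCCCCCCCCCCCCCC:1700000000::::::e:::::cv25519:'

# Real run against the local keyring, only when the variable from this page is set and gpg exists
if [ -n "${PGP_SUB_E_ID:-}" ] && command -v gpg >/dev/null 2>&1; then
  gpg --list-secret-keys --with-colons | check_vault_keyring "$PGP_SUB_E_ID"
fi
```

The same function verifies an export before it goes into the vault: import the `pgp-sub-...` file into a throwaway `GNUPGHOME` and pipe that keyring's `--with-colons` listing through the check; anything other than the [E] subkey must come back as a stub or not at all.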
How to add subkey?
```bash
gpg --edit-key PUBKEY
# at the gpg> prompt:
addkey
save
```
How to revoke subkey?
```bash
gpg --edit-key PUBKEY
# at the gpg> prompt:
key n    # n is the index of the subkey to revoke
revkey
save
```
- Replace the uploaded pubkey with the new one, see https://github.com/kachick/dotfiles/pull/311#issuecomment-1715812324 for details.
How to get pubkey to upload?
```bash
gpg --armor --export PUBKEY | clip.exe
```
How to export private key?
```bash
# Append '!' to the subkey ID so that exactly this subkey is exported.
# Quote the bang: in an interactive bash/zsh an unquoted ! triggers history expansion,
# and "\!" keeps the backslash in bash. '!' is safe in both shells.
# The plaintext export touches disk briefly; put it on a tmpfs (e.g. $XDG_RUNTIME_DIR) if you can.
gpg --export-secret-subkeys --armor "${PGP_SUB_E_ID}"'!' > "pgp-sub-${PGP_SUB_E_ID}" &&
  age --encrypt --armor --identity "$PASSAGE_IDENTITIES_FILE" --output "pgp-sub-${PGP_SUB_E_ID}.age" "pgp-sub-${PGP_SUB_E_ID}" &&
  rm "pgp-sub-${PGP_SUB_E_ID}"
```
- Append the `!` suffix.
- Don't use a pipe. I have faced errors in connecting to age...

```bash
gpg --export-secret-keys --armor > gpg-private.keys.bak
# Avoid this as much as possible: it exports every secret key, including the primary.
```