
Encryption

Kenichi Kamiya edited this page Oct 29, 2024 · 13 revisions

Create vault

    # Generate a new age identity and keep it on disk only in passphrase-encrypted, armored form
    age-keygen | age --passphrase --armor > "$PASSAGE_IDENTITIES_FILE"
    # Derive the public recipient from the decrypted identity (age prompts for the passphrase)
    age --decrypt "$PASSAGE_IDENTITIES_FILE" | age-keygen -y > "$PASSAGE_RECIPIENTS_FILE"
    mkdir -p "$PASSAGE_DIR"
    passage git init
    # Seed the store with the two secrets needed to bootstrap everything else
    <~/.ssh/id_ed25519 passage insert --multiline ssh
    <"$(rclone config file | tail -1)" passage insert --multiline rclone

Restore

  1. Restore vaults

    git clone 'https://private.example.com/password-store.git' "$PASSWORD_STORE_DIR"
    git clone '[email protected]:passage-store.git' "$PASSAGE_DIR"
    hx "$PASSAGE_IDENTITIES_FILE" # Paste the identity by hand; make sure the editor writes no backup or swap files
    
    # Saved with (age rejects --passphrase combined with --identity, so the file is encrypted to the store identity only):
    #   gpg --export-secret-subkeys --armor '9BE4016A38165CCB' | age --encrypt --armor --identity "$PASSAGE_IDENTITIES_FILE" --output 'pgp-sub-9BE4016A38165CCB.age'
    # Keep this file outside the passage store: the store's own identity is needed to decrypt it, which would be circular
    age --decrypt --identity "$PASSAGE_IDENTITIES_FILE" 'pgp-sub-9BE4016A38165CCB.age' | gpg-sq --import
  2. Load minimum secrets from the vaults

    passage show 'ssh' > ~/.ssh/id_ed25519 # Created under the default umask; tighten it immediately (or run `umask 077` first)
    chmod 400 ~/.ssh/id_ed25519
    ssh-add ~/.ssh/id_ed25519
    
    rclone config touch
    passage show 'rclone' > "$(rclone config file | tail -1)"
  3. Restore shell history - Work in Progress

  4. Remove used vaults from local

    # `shred --remove` and `srm` cannot be relied on with an SSD (wear levelling leaves old copies behind); instead keep the disk encrypted with tomb, rclone crypt or the OS's full-disk encryption
    rm -rf "$PASSAGE_DIR"
    rm "$PASSAGE_IDENTITIES_FILE"
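The restore steps above, reworked as an added shell example (not the page's own code) so that a restored secret never sits on disk world-readable, even briefly, and a failed `passage show` cannot silently install an empty key file. It assumes the page's `$PASSAGE_DIR` and `$PASSAGE_IDENTITIES_FILE` variables and that `passage`, `rclone` and `ssh-add` are installed; the helper names `install_secret`, `mode_of` and `require_private` are my own.

```sh
#!/bin/sh
# Added example, not code from the original page: helpers for the restore
# procedure. Assumes the page's environment variables ($PASSAGE_DIR,
# $PASSAGE_IDENTITIES_FILE) and that passage, rclone and ssh-add are on PATH.
# install_secret, mode_of and require_private are hypothetical helper names.
set -eu

# mode_of FILE: prints the symbolic mode string, e.g. "-rw-------".
# ls -l is used instead of stat because stat's flags differ between GNU and BSD.
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# require_private FILE: fails unless FILE is readable by its owner only.
# Run on $PASSAGE_IDENTITIES_FILE before decrypting anything with it.
require_private() {
    case $(mode_of "$1") in
        ????------) return 0 ;;
        *) echo "refusing to use $1: group/other permission bits are set" >&2; return 1 ;;
    esac
}

# install_secret DEST [MODE]: writes stdin to DEST with MODE (default 600).
# "passage show x > file; chmod 400 file" creates the file under the default
# umask (often 644) before tightening it, and a failed `passage show` in a
# pipeline would leave an empty file in place. Here the umask is restricted
# first, the content goes to a temp file in the target directory, empty input
# is rejected, and the file is renamed into place atomically.
install_secret() {
    dest=$1
    mode=${2:-600}
    dir=$(dirname "$dest")
    mkdir -p "$dir"
    # Subshell so the restrictive umask does not leak into the caller.
    (
        umask 077
        tmp=$(mktemp "$dir/.secret.XXXXXX")
        trap 'rm -f "$tmp"' EXIT
        cat >"$tmp"
        if [ ! -s "$tmp" ]; then
            echo "refusing to install an empty secret to $dest" >&2
            exit 1
        fi
        chmod "$mode" "$tmp"
        mv -f "$tmp" "$dest"
    )
}

# Step 2 of the restore procedure, using the helpers above.
restore_minimum_secrets() {
    require_private "$PASSAGE_IDENTITIES_FILE"
    passage show ssh | install_secret "$HOME/.ssh/id_ed25519" 400
    ssh-add "$HOME/.ssh/id_ed25519"
    rclone config touch
    # rclone rewrites its own config (token refresh), so it must stay writable.
    passage show rclone | install_secret "$(rclone config file | tail -1)" 600
}

# Step 4: drop the local copies of the vault and the identity file.
remove_local_vaults() {
    rm -rf "$PASSAGE_DIR"
    rm -f "$PASSAGE_IDENTITIES_FILE"
}

# Usage (not run when the file is sourced):
#   restore_minimum_secrets && remove_local_vaults
```

The `passage show x | install_secret` pipeline still relies on the shell's last-command exit status, which is why `install_secret` checks for empty input itself rather than trusting `set -e`; with bash you can additionally `set -o pipefail` to make the failing `passage show` visible.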

FAQ

Why both sequoia-sq and gpg?

See GH-830

I prefer gpg-sq as the alternative, but it does not yet support many of gpg's features, so gpg is still needed for now.

If you get a decryption error from gpg-sq, run the same input through `sq decrypt`, which reports the actual cause.
For example, `1: AEAD Encrypted Data Packet v1 is not considered secure` means the message was produced by a gpg configured to use the draft OpenPGP AEAD packet, which Sequoia's default policy rejects.
If you still encrypt with gpg, check the key's preferences with `showpref` and remove the AEAD entries with `setpref` in `gpg --edit-key`.

sequoia-sq

TODO:

GPG

  • How to list keys?
      1. gpg --list-secret-keys --keyid-format=long # The `sec` line carries the same key ID as the `pub` line shown by `gpg --list-keys --keyid-format=long`
  • How to add subkey?
      1. gpg --edit-key PUBKEY
      2. addkey
      3. save
  • How to revoke subkey?
      1. gpg --edit-key PUBKEY
      2. key N # Select the subkey by its index in the listing
      3. revkey
      4. save
  • How to get pubkey to upload?
    • gpg --armor --export PUBKEY | clip.exe
  • How to backup private key?
    • gpg --export-secret-subkeys --armor '9BE4016A38165CCB' # Subkeys only; the primary key stays out of the backup
    • gpg --export-secret-keys --armor > gpg-private.keys.bak # Avoid this as much as possible: it exports every secret key, the primary key included