pass, gnupg, managing keys and migrating password-store - Security & Cryptography

Ramiferous
Nixers
Hi all, a bit of a noob question here, but when it comes to gnupg and just using gpg keys in general I know nothing.

I have been using GNU 'pass' to manage my passwords for some time now. Generally I will just consult an internet cheat-sheet when setting it up and I have no real idea what I'm doing.

What I'd like is to keep my .password-store in a git repository, and access it from multiple devices (laptops/phones) making it easier to keep each device in sync.

Currently I have 2 laptops, both with pass set up with different gpg keys.

So my questions are:
  • Is there any security concern in keeping your .password-store in a git repo?
  • How do I change the gpg key used on my .password-store and can I simply copy the keys via USB to my different devices?
  • How do I set the .password-store destination so that pass can look in the git repo and not in my home folder?
I have read over the man pages, but honestly it's just a little over my head and I don't want to risk losing my passwords.

I did try to run $ pass git init but after that I'm not sure what to do. The man page gives the example:
$ pass git remote add origin kexec.com:pass-store and I'm not sure if I should be copying this or what? I tried it once and it broke so not doing that again.

Any help is greatly appreciated.
_____________________________________________________________________________________________
“Maybe you have some bird ideas... Maybe that's the best you can do.” - Terry A. Davis (R.I.P Terry & Percival)
mattrose
Members
So, to answer your questions.

* if you don't want to expose the names you give your password entries, then there can be a risk of putting your .password-store in a public repository on github or gitlab, or something. I would put your .password-store on a private repo if possible. To be clear, the passwords themselves are secure, but the names you assign to those passwords are not, so if you have a bunch of passwords labelled as sensitive IP addresses, I might think twice about putting those in a publicly accessible repo.

* I would copy the GPG key used to encrypt the passwords to each device you want to use pass on.

* You can use "PASS_HOME" (IIRC), but what I do is I clone the main git repo to ~/.password-store on each of the devices I use pass on.

To be honest, I'm not sure how I set up the main git repo. Hopefully somebody else can help you.
Ramiferous
Nixers
Thanks. This helps a little. I think my issue is I'm also not so knowledgeable with git. I have created a private repo, and I assume all I need to do now is:
Inside my ~/.password-store
$ pass git init
$ pass git remote add origin https://my-private-password-repo.git
$ pass git push -u --all

EDIT: this was successful! I now have my passwords in a private git repo, pushed from my main laptop. Now just to sync this with my other laptop and then mobile.

(11-03-2021, 08:23 PM)mattrose Wrote: copy the GPG key used to encrypt the passwords to each device you want to use pass on

So copy the gpg keys, then once again, inside my ~/.password-store on my other laptop, run:
$ pass git init
$ pass git remote add origin https://my-private-password-repo.git
then something like this?
$ pass git pull -u --all

But then, how do I assign existing keys to an already initiated password-store?


Cheers.
jkl
Long time nixers
I considered migrating from KeePass to pass/gopass a while ago, but I could not find a working converter yet. All I could find were outdated Python 2.7 scripts which only spawned errors.

Then again, isn't moving from KeePass to (go)pass a security issue? As far as I could see, the pass format requires the account names to be unencrypted - right?
mattrose
Members
You wouldn't do
$ pass git init
on the second laptop. Once you have the repo at https://my-private-password-repo.git, you can just do
$ git clone https://my-private-password-repo.git .password-store

in your home directory, and it will automatically create the repo and pull the contents down.

As long as the keys you encrypted the pass repo with on the original laptop are the same as the keys you're using to decrypt with on the other laptop, this should all work.

If you want to use different keys on different laptops, that ... may be possible but I don't know how you would do that.
Ramiferous
Nixers
(12-03-2021, 11:13 PM)mattrose Wrote: You wouldn't do
$ pass git init
on the second laptop. Once you have the repo at https://my-private-password-repo.git, you can just do
$ git clone https://my-private-password-repo.git .password-store

in your home directory, and it will automatically create the repo and pull the contents down.

As long as the keys you encrypted the pass repo with on the original laptop are the same as the keys you're using to decrypt with on the other laptop, this should all work.

So if I already have pass set up on my other laptop though, should I just delete my existing ~/.password-store before cloning the git repo and starting fresh? And once I clone the repo, I will at least need to run $ pass init correct?
My only concern is, even after I copy over my gpg keys, how can I assign them to my newly cloned ~/.password-store?

(12-03-2021, 11:13 PM)mattrose Wrote: If you want to use different keys on different laptops, that ... may be possible but I don't know how you would do that.

No, I'd prefer to use the same key for all 3 devices. I'm not concerned about losing the key or having it be exposed.

Cheers for your help.
mattrose
Members
(13-03-2021, 04:57 AM)Ramiferous Wrote: So if I already have pass set up on my other laptop though, should I just delete my existing ~/.password-store before cloning the git repo and starting fresh?
Yep. Just delete the existing .password-store (assuming all your passwords are in the repo copy)
and run the git clone command.
(13-03-2021, 04:57 AM)Ramiferous Wrote: And once I clone the repo, I will at least need to run $ pass init correct?
Nope. The git repo has an already initialized password store, so you don't have to run pass init again.
(13-03-2021, 04:57 AM)Ramiferous Wrote: My only concern is, even after I copy over my gpg keys, how can I assign them to my newly cloned ~/.password-store?
You don't need to. The password-store is just a bunch of gpg encrypted files, so as long as you have the same keys, you can use them to encrypt and decrypt the same files.
Ramiferous
Nixers
Ok cool, I was over thinking it then!

Last question: Which key/s do I copy over?

I have 2 subfolders inside my ~/.gnupg folder:
~/.gnupg/openpgp-revocs.d/
~/.gnupg/private-keys-v1.d/

I assume I copy the private-keys folder? But if I run $ gpg2 --list-secret-keys --keyid-format LONG
The output shows the key that is inside the openpgp-revocs.d folder.

Should I just copy over both folders?

This also raises another question. The keys on my main laptop were encrypted using gnupg2. Does this mean I need to install gnupg2 in place of the existing gnupg package or can I simply have both installed?

Thanks again for all the help :)
mattrose
Members
You can't just copy over keys like that, you need to export your private key from GPG, and then import it into the new laptop.

Good instructions are here:

https://makandracards.com/makandra-orga/...nt-machine or google gpg export keys.
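A check that ties together the two answers above (the store is just gpg-encrypted files, and the key must be exported and imported rather than copied): after cloning the private repo to ~/.password-store and running `gpg --import` on the second laptop, confirm that every recipient listed in the store's .gpg-id is a key this machine holds a secret key for. This is an added example, not code from the thread or from pass itself; the key list is read from a file so it can run against constructed data, and `check_gpg_id` and `write_demo_keylist` are hypothetical helper names.

```shell
#!/bin/sh
# Added example (not from the thread). Verifies that a cloned password store's
# .gpg-id recipients all have a secret key on this machine. Without that,
# `pass insert` still works (a public key is enough to encrypt) but
# `pass show` fails, which is the "how do I assign my keys" confusion above.
# In real use, produce the key list with:
#   gpg --list-secret-keys --with-colons > /tmp/keys.txt

# Pull matchable identifiers out of --with-colons output: long key id
# (field 5 of sec: lines), fingerprint (field 10 of fpr: lines) and
# user id (field 10 of uid: lines).
secret_key_identifiers() {
    awk -F: '$1 == "sec" { print $5 }
             $1 == "fpr" { print $10 }
             $1 == "uid" { print $10 }' "$1"
}

# check_gpg_id STORE_DIR KEYLIST_FILE
# Returns 0 when every non-empty line of STORE_DIR/.gpg-id (key id,
# fingerprint or e-mail, case-insensitive) occurs in the identifiers; a
# 16-char key id matches because it is the tail of the 40-char fingerprint.
# Returns 1 and names the first recipient that has no secret key.
check_gpg_id() {
    store="$1"; keylist="$2"
    [ -f "$store/.gpg-id" ] || { echo "no .gpg-id in $store" >&2; return 1; }
    ids=$(secret_key_identifiers "$keylist")
    while IFS= read -r recipient || [ -n "$recipient" ]; do
        [ -n "$recipient" ] || continue
        if ! printf '%s\n' "$ids" | grep -F -i -q -- "$recipient"; then
            echo "no secret key for recipient '$recipient'" >&2
            return 1
        fi
    done < "$store/.gpg-id"
    echo "all recipients in $store/.gpg-id have a secret key"
}

# Constructed sample: one secret key in the shape gpg prints with --with-colons.
# The key id, fingerprint and address are made up for the demo.
write_demo_keylist() {
    cat > "$1" <<'EOF'
sec:u:4096:1:0123456789ABCDEF:1615000000::::::::::
fpr:::::::::1111222233334444555566660123456789ABCDEF:
uid:u::::1615000000::0000000000000000000000000000000000000000::Ramiferous <ramiferous@example.invalid>::::::::::0:
EOF
}

# Real-machine usage:
#   gpg --list-secret-keys --with-colons > /tmp/keys.txt
#   check_gpg_id ~/.password-store /tmp/keys.txt
```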
mattrose
Members
wrt gpg vs gpg2. I think you can have both installed but I don't know.
Ramiferous
Nixers
(15-03-2021, 03:39 PM)mattrose Wrote: You can't just copy over keys like that, you need to export your private key from GPG, and then import it into the new laptop.

Good instructions are here:

https://makandracards.com/makandra-orga/...nt-machine or google gpg export keys.

Ahh ok, that's what I was looking for! Thanks.

Up and running on both laptops now. Now I just need to work out the android app.