pass, gnupg, managing keys and migrating password-store - Security & Cryptography
Hi all, a bit of a noob question here, but when it comes to gnupg and just using gpg keys in general I know nothing.
I have been using GNU 'pass' to manage my passwords for some time now. Generally I will just consult an internet cheat-sheet when setting it up and I have no real idea what I'm doing. What I'd like is to keep my .password-store in a git repository, and access it from multiple devices (laptops/phones) making it easier to keep each device in sync. Currently I have 2 laptops, both with pass set up with different gpg keys. So my questions are:
I did try to run $ pass git init but after that I'm not sure what to do. The man page gives the example: $ pass git remote add origin kexec.com:pass-store and I'm not sure if I should be copying this or what? I tried it once and it broke so not doing that again. Any help is greatly appreciated.
_____________________________________________________________________________________________
“Maybe you have some bird ideas... Maybe that's the best you can do.” - Terry A. Davis (R.I.P Terry & Percival)
So, to answer your questions.
* if you don't want to expose the names you give your password entries, then there can be a risk of putting your .password-store in a public repository on github or gitlab, or something. I would put your .password-store on a private repo if possible. To be clear, the passwords themselves are secure, but the names you assign to those passwords are not, so if you have a bunch of passwords labelled as sensitive IP addresses, I might think twice about putting those in a publicly accessible repo.
* I would copy the GPG key used to encrypt the passwords to each device you want to use pass on.
* You can use "PASS_HOME" (IIRC), but what I do is I clone the main git repo to ~/.password-store on each of the devices I use pass on.
To be honest, I'm not sure how I set up the main git repo. Hopefully somebody else can help you.
Thanks. This helps a little. I think my issue is I'm also not so knowledgeable with git. I have created a private repo, and I assume all I need to do now is:
Inside my ~/.password-store
$ pass git init
$ pass git remote add origin https://my-private-password-repo.git
$ pass git push -u --all
EDIT: this was successful! I now have my passwords in a private git repo, pushed from my main laptop. Now just to sync this with my other laptop and then mobile.
(11-03-2021, 08:23 PM)mattrose Wrote: copy the GPG key used to encrypt the passwords to each device you want to use pass on
So copy the gpg keys, then once again, inside my ~/.password-store on my other laptop, run:
$ pass git init
$ pass git remote add origin https://my-private-password-repo.git
then something like this?
$ pass git pull -u --all
But then, how do I assign existing keys to an already initiated password-store? Cheers.
I considered migrating from KeePass to pass/gopass a while ago, but I could not find a working converter yet. All I could find were outdated Python 2.7 scripts which only spawned errors.
Then again, isn’t moving from KeePass to (go)pass a security issue? As far as I could see, the pass format requires the account names to be unencrypted - right?
-- <mort> choosing a terrible license just to be spiteful towards others is possibly the most tux0r thing I've ever seen
You wouldn't do
$ pass git init
on the second laptop. Once you have the repo at https://my-private-password-repo.git, you can just do
$ git clone https://my-private-password-repo.git .password-store
in your home directory and it will automatically create the repo and pull the contents down. As long as the keys you encrypted the pass repo with on the original laptop are the same as the keys you're using to decrypt with on the other laptop, this should all work. If you want to use different keys on different laptops, that ... may be possible but I don't know how you would do that.
(12-03-2021, 11:13 PM)mattrose Wrote: You wouldn't do
So if I already have pass set up on my other laptop though, should I just delete my existing ~/.password-store before cloning the git repo and starting fresh? And once I clone the repo, I will at least need to run
$ pass init
correct? My only concern is, even after I copy over my gpg keys, how can I assign them to my newly cloned ~/.password-store ?
(12-03-2021, 11:13 PM)mattrose Wrote: If you want to use different keys on different laptops, that ... may be possible but I don't know how you would do that.
No, I'd prefer to use the same key for all 3 devices. I'm not concerned about losing the key or having it be exposed. Cheers for your help.
(13-03-2021, 04:57 AM)Ramiferous Wrote: So if I already have pass set up on my other laptop though, should I just delete my existing ~/.password-store before cloning the git repo and starting fresh?
Yep. Just delete the existing .password-store (assuming all your passwords are in the repo copy) and run the git clone command.
(13-03-2021, 04:57 AM)Ramiferous Wrote: And once I clone the repo, I will at least need to run $ pass init correct?
Nope. The git repo has an already initialized password store, so you don't have to run pass init again.
(13-03-2021, 04:57 AM)Ramiferous Wrote: My only concern is, even after I copy over my gpg keys, how can I assign them to my newly cloned ~/.password-store ?
You don't need to. The password-store is just a bunch of gpg encrypted files, so as long as you have the same keys, you can use them to encrypt and decrypt the same files.
Ok cool, I was over thinking it then!
Last question: Which key/s do I copy over? I have 2 subfolders inside my ~/.gnupg folder:
~/.gnupg/openpgp-revocs.d/
~/.gnupg/private-keys-v1.d/
I assume I copy the private-keys folder? But if I run
$ gpg2 --list-secret-keys --keyid-format LONG
the output shows the key that is inside the openpgp-revocs.d folder. Should I just copy over both folders? This also raises another question. The keys on my main laptop were encrypted using gnupg2. Does this mean I need to install gnupg2 in place of the existing gnupg package or can I simply have both installed? Thanks again for all the help :)
You can't just copy over keys like that, you need to export your private key from GPG, and then import it into the new laptop.
Good instructions are here: https://makandracards.com/makandra-orga/...nt-machine or google gpg export keys.
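Added example, not code from the thread or from pass itself: a POSIX sh check that reads the .gpg-id file in a cloned store (pass's own record of which key encrypts the entries, which is why mattrose says no "assignment" is needed) and confirms that key is present in the local keyring after the export/import step. SAMPLE_LISTING is a constructed gpg --with-colons listing with fake key material, and check_store_keys is a hypothetical helper name.

```shell
#!/bin/sh
# Added example (not from the thread or pass). pass chooses its key from the
# .gpg-id file at the root of the store, so after cloning the only thing to
# verify is that the key it names has a secret key in the local keyring.
# check_store_keys STORE_DIR [LISTING]: 0 if every id in .gpg-id matches a
# secret key, 1 if one is missing, 2 if the directory has no .gpg-id at all.
# LISTING is `gpg --list-secret-keys --with-colons` output, passed in so the
# check can be exercised without a keyring.

# Constructed sample listing (fake fingerprint and user id, not real keys).
SAMPLE_LISTING='sec:u:4096:1:0123456789ABCDEF:1615000000::::::scESC:::+:::23::0:
fpr:::::::::FEDCBA9876543210FEDCBA980123456789ABCDEF:
uid:u::::1615000000::0000000000000000000000000000000000000000::Example User <user@example.invalid>::::::::::0:
ssb:u:4096:1:1122334455667788:1615000000::::::e:::+:::23:'

check_store_keys() {
    store=$1; listing=$2
    if [ ! -f "$store/.gpg-id" ]; then
        echo "$store: no .gpg-id, this is not an initialised store" >&2
        return 2
    fi
    # No listing supplied: ask the real gnupg (gpg2 on systems that ship both).
    if [ -z "$listing" ]; then
        listing=$(gpg --list-secret-keys --with-colons 2>/dev/null)
    fi
    # fpr records carry the full fingerprint in field 10, uid records the user id.
    fprs=$(printf '%s\n' "$listing" | awk -F: '$1 == "fpr" { print toupper($10) }')
    uids=$(printf '%s\n' "$listing" | awk -F: '$1 == "uid" { print $10 }')
    rc=0
    while IFS= read -r id || [ -n "$id" ]; do
        case $id in ''|'#'*) continue ;; esac
        found=0
        # A key id (short or long) is a suffix of its fingerprint; compare uppercased.
        hex=$(printf '%s' "$id" | tr 'a-f' 'A-F')
        for f in $fprs; do
            case $f in *"$hex") found=1 ;; esac
        done
        # .gpg-id may also hold an e-mail or name; match it against uid records.
        case $uids in *"$id"*) found=1 ;; esac
        if [ "$found" -eq 1 ]; then
            echo "ok: secret key for $id is present"
        else
            echo "missing: no secret key for $id, import it with 'gpg --import'" >&2
            rc=1
        fi
    done < "$store/.gpg-id"
    return $rc
}

[ "$#" -eq 0 ] || check_store_keys "$1"   # e.g. sh check.sh ~/.password-store
```

Run it with the path of the cloned store as its only argument to query the real keyring; with no argument it only defines the function.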
wrt gpg vs gpg2. I think you can have both installed but I don't know.
(15-03-2021, 03:39 PM)mattrose Wrote: you can't just copy over keys like that, you need to export your private key from GPG, and then import it into the new laptop.
Ahh ok, that's what I was looking for! Thanks. Up and running on both laptops now. Now I just need to work out the android app.