@flbuddymooreiv
Last active April 15, 2024 00:08
Setting up pass on git with a gpg key

The following shell transcript shows how to:

  • Create a GPG key
  • Create a pass database
  • Add git support to the pass database
  • Create a remote git repository
  • Push the pass database to the remote git repository
  • Fetch and display your passwords from another host

It is assumed that the pass package has been installed on both the first and second computers.

Create a GPG key

user@host:~$ gpg --gen-key
gpg (GnuPG) 1.4.18; Copyright (C) 2014 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
Your selection? 1
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 4096
Requested keysize is 4096 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 
Key does not expire at all
Is this correct? (y/N) y

You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
    "Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"

Real name: First Middle Last Suffix
Email address: first.last@host.tld
Comment: 
You selected this USER-ID:
    "First Middle Last Suffix <first.last@host.tld>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
You need a Passphrase to protect your secret key.

We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.

Not enough random bytes available.  Please do some other work to give
the OS a chance to collect more entropy! (Need 172 more bytes)
............+++++

Not enough random bytes available.  Please do some other work to give
the OS a chance to collect more entropy! (Need 198 more bytes)
..............+++++
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.

Not enough random bytes available.  Please do some other work to give
the OS a chance to collect more entropy! (Need 250 more bytes)
..........+++++

Not enough random bytes available.  Please do some other work to give
the OS a chance to collect more entropy! (Need 249 more bytes)
......+++++
gpg: key 68214821 marked as ultimately trusted
public and secret key created and signed.

gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   1  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 1u
pub   4096R/68214821 2015-06-24
      Key fingerprint = A5C2 96E8 AC41 0889 60D9  2D1F 0F6D B722 6821 4821
uid                  First Middle Last Suffix <first.last@host.tld>
sub   4096R/36A6F06D 2015-06-24

Create a pass database

user@host:~$ gpg --list-keys
/home/user/.gnupg/pubring.gpg
------------------------------
pub   4096R/68214821 2015-06-24
uid                  First Middle Last Suffix <first.last@host.tld>
sub   4096R/36A6F06D 2015-06-24

user@host:~$ pass init 68214821
mkdir: created directory ‘/home/user/.password-store/’
Password store initialized for 68214821

Add git support to the pass database

user@host:~$ pass git init
Initialized empty Git repository in /home/user/.password-store/.git/
[master (root-commit) c343a0c] Add current contents of password store.
 1 file changed, 1 insertion(+)
 create mode 100644 .gpg-id
[master edaf464] Configure git repository for gpg file diff.
 1 file changed, 1 insertion(+)
 create mode 100644 .gitattributes

user@host:~$ pass generate serviceprovider/account.name@service.tld 21
mkdir: created directory ‘/home/user/.password-store/serviceprovider’
[master e6a1974] Add generated password for serviceprovider/account.name@service.tld.
 1 file changed, 0 insertions(+), 0 deletions(-)
 create mode 100644 serviceprovider/account.name@service.tld.gpg
The generated password for serviceprovider/account.name@service.tld is:
;J&E_2A55<%=<KxoEDZuL

Create a remote git repository

user@host:~$ ssh user@gitrepo.org -p gitport \
    "git init --bare /path/to/git/user-password/"
user@gitrepo.org's password: 
Initialized empty Git repository in /path/to/git/user-password/

Push the pass database to the remote git repository

user@host:~$ pass git remote add origin \
    ssh://user@gitrepo.org:gitport/path/to/git/user-password/

user@host:~$ pass git push -u --all
user@gitrepo.org's password: 
Counting objects: 10, done.
Delta compression using up to 8 threads.
Compressing objects: 100% (7/7), done.
Writing objects: 100% (10/10), 1.38 KiB | 0 bytes/s, done.
Total 10 (delta 1), reused 0 (delta 0)
To ssh://user@gitrepo.org:gitport/path/to/git/user-password/
 * [new branch]      master -> master
Branch master set up to track remote branch master from origin.
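
The whole first-host procedure above, collapsed into one script. This is an added example, not code from the gist: it generates the key from a gpg batch parameter file instead of answering the prompts, then reads the full fingerprint from gpg's machine-readable --with-colons output rather than the 8-digit short ID the transcript uses (the short ID is only the last 8 hex digits of the fingerprint and is not unique, and newer gpg versions list it differently). The function names, the PASS_SETUP_RUN switch and the name/email/user/host/port/path arguments are this example's own; SAMPLE_COLONS is a constructed sample of gpg output so the parser can be tried offline.

```shell
#!/bin/sh
# Added example (not from the gist): scripted first-host setup.
# Assumes gpg (1.4 or 2.x) and pass are installed; all arguments are placeholders.
set -eu

# Constructed sample of "gpg --list-secret-keys --with-colons --with-fingerprint"
# output for the key in the transcript (the subkey fingerprint is made up).
SAMPLE_COLONS='sec:u:4096:1:0F6DB72268214821:1435104000::::::scESC::::::
fpr:::::::::A5C296E8AC41088960D92D1F0F6DB72268214821:
uid:u::::::::First Middle Last Suffix <first.last@host.tld>:
ssb:u:4096:1:1111111136A6F06D:1435104000::::::e::::::
fpr:::::::::0000000000000000000000001111111136A6F06D:'

# Parameter file for unattended key generation with the same choices as the
# transcript (RSA 4096 primary + RSA 4096 subkey, no expiry).
# gpg 1.4/2.0 prompt for the passphrase because of %ask-passphrase;
# gpg 2.1+ ignore that line and ask through pinentry instead.
write_gen_params() {
    cat <<EOF
%ask-passphrase
Key-Type: RSA
Key-Length: 4096
Subkey-Type: RSA
Subkey-Length: 4096
Name-Real: $1
Name-Email: $2
Expire-Date: 0
%commit
EOF
}

# Read gpg colon records on stdin and print the full fingerprint of every
# primary secret key, one per line. The fpr record right after a sec record
# carries the fingerprint in field 10; fpr records after ssb (subkey) records
# are skipped so that a signing-only subkey is never handed to pass init.
primary_secret_fingerprints() {
    awk -F: '
        $1 == "sec"          { want = 1; next }
        $1 == "fpr" && want  { print $10; want = 0; next }
                             { want = 0 }
    '
}

# Last 8 hex digits of a fingerprint: the short key ID the transcript shows.
short_key_id() {
    printf '%s\n' "${1#"${1%????????}"}"
}

# ssh:// remote URL in the form the transcript uses ($4 is an absolute path).
remote_url() {
    printf 'ssh://%s@%s:%s%s\n' "$1" "$2" "$3" "$4"
}

setup_first_host() {
    name=$1; email=$2; user=$3; host=$4; port=$5; path=$6

    # 1. Create the GPG key (passphrase is still asked interactively).
    write_gen_params "$name" "$email" | gpg --batch --gen-key

    # 2. Take the full fingerprint of the new key (assumed to be listed last).
    fpr=$(gpg --list-secret-keys --with-colons --with-fingerprint \
              | primary_secret_fingerprints | tail -n 1)
    [ -n "$fpr" ] || { echo "no secret key found" >&2; return 1; }
    echo "using key $fpr (short ID $(short_key_id "$fpr"))"

    # 3. Initialise the store with the fingerprint; pass writes it to .gpg-id.
    pass init "$fpr"
    pass git init

    # 4. Create the bare remote (ssh prompts for the password as in the transcript).
    ssh -p "$port" "$user@$host" "git init --bare '$path'"

    # 5. Point the store at the remote and push every branch.
    pass git remote add origin "$(remote_url "$user" "$host" "$port" "$path")"
    pass git push -u --all
}

# Runs only when asked, so the file can also be sourced just for its helpers:
#   PASS_SETUP_RUN=1 sh setup_pass.sh 'First Last' first.last@host.tld user gitrepo.org 22 /path/to/git/user-password/
if [ "${PASS_SETUP_RUN:-0}" = 1 ]; then
    setup_first_host "$@"
fi
```

Passing the fingerprint to pass init also means the .gpg-id file in the repository pins the exact key rather than an 8-digit ID that another key could share.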

Fetch and display passwords from another computer

It is assumed here that your GPG key has been migrated to the second computer.

user@host:~$ gpg --list-keys
/home/user/.gnupg/pubring.gpg
------------------------------
pub   4096R/68214821 2015-06-24
uid                  First Middle Last Suffix <first.last@host.tld>
sub   4096R/36A6F06D 2015-06-24

user@host:~$ pass init 68214821
mkdir: created directory ‘/home/user/.password-store/’
Password store initialized for 68214821

user@host:~$ pass git init
Initialized empty Git repository in /home/user/.password-store/.git/
[master (root-commit) c343a0c] Add current contents of password store.
 1 file changed, 1 insertion(+)
 create mode 100644 .gpg-id
[master edaf464] Configure git repository for gpg file diff.
 1 file changed, 1 insertion(+)
 create mode 100644 .gitattributes

user@host:~$ pass git remote add origin \
    ssh://user@gitrepo.org:gitport/path/to/git/user-password/

user@host:~$ git reset origin/master

user@host:~$ pass git fetch
user@gitrepo.org's password: 
warning: no common commits
remote: Counting objects: 10, done.
remote: Compressing objects: 100% (7/7), done.
remote: Total 10 (delta 1), reused 0 (delta 0)
Unpacking objects: 100% (10/10), done.
From ssh://user@gitrepo.org:gitport/path/to/git/user-password/
 * [new branch]      master     -> origin/master

user@host:~$ pass git rebase origin/master
First, rewinding head to replay your work on top of it...

user@host:~$ pass show serviceprovider/account.name@service.tld
gpg: WARNING: The GNOME keyring manager hijacked the GnuPG agent.
gpg: WARNING: GnuPG will not work properly - please configure that tool to not interfere with the GnuPG system!
;J&E_2A55<%=<KxoEDZuL
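
The second-host steps above as a script. This is an added example, not code from the gist: instead of pass init, pass git init, remote add, fetch and rebase, it clones the remote directly into the store directory (the shortcut a commenter below also suggests), which avoids the "no common commits" state, and before first use it checks that every identifier in the store's .gpg-id corresponds to a secret key in the local keyring, since pass show cannot decrypt and pass insert would encrypt to a key you do not hold otherwise. The function names, the PASS_SETUP_RUN switch and the keyfile/remote arguments are this example's own; the key is assumed to have been exported on the first host with gpg --export-secret-keys and copied over, and PASSWORD_STORE_DIR is the real environment variable pass honours.

```shell
#!/bin/sh
# Added example (not from the gist): scripted second-host setup.
# Assumes gpg, pass and git are installed; arguments are placeholders.
set -eu

# Return 0 if the identifier from .gpg-id ($1: short ID, long ID or full
# fingerprint, any case) is the tail of one of the fingerprints passed as the
# remaining arguments, 1 otherwise. (A .gpg-id holding an e-mail address
# instead of a hex ID is not handled here.)
gpg_id_is_local() {
    id=$(printf '%s' "$1" | tr 'a-f' 'A-F'); shift
    [ -n "$id" ] || return 1          # an empty pattern would match everything
    for fpr in "$@"; do
        case "$fpr" in
            *"$id") return 0 ;;
        esac
    done
    return 1
}

# Fingerprints of every secret key (primary and subkeys) in the local keyring.
local_secret_fingerprints() {
    gpg --list-secret-keys --with-colons --with-fingerprint \
        | awk -F: '$1 == "fpr" { print $10 }'
}

setup_second_host() {
    keyfile=$1; remote=$2
    store=${PASSWORD_STORE_DIR:-$HOME/.password-store}

    # 1. Import the key pair exported from the first host.
    gpg --import "$keyfile"

    # 2. Clone the remote as the store itself. No pass init / pass git init:
    #    .gpg-id and .gitattributes already live in the repository.
    git clone "$remote" "$store"

    # 3. Every ID in .gpg-id must match a secret key we hold.
    fprs=$(local_secret_fingerprints)
    while read -r id; do
        [ -n "$id" ] || continue
        # shellcheck disable=SC2086  # word-split the newline-separated list
        gpg_id_is_local "$id" $fprs \
            || { echo "no local secret key for $id listed in $store/.gpg-id" >&2; return 1; }
    done < "$store/.gpg-id"

    echo "store at $store is ready:"
    pass ls
}

# Runs only when asked, so the file can also be sourced just for its helpers:
#   PASS_SETUP_RUN=1 sh second_host.sh key.asc ssh://user@gitrepo.org:22/path/to/git/user-password/
if [ "${PASS_SETUP_RUN:-0}" = 1 ]; then
    setup_second_host "$@"
fi
```

With the clone in place, pass git pull and pass git push work exactly as on the first host, and pass show decrypts with the imported key as in the transcript.
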
@bgalvao

bgalvao commented May 2, 2018

nice!

@fg91

fg91 commented Feb 18, 2019

This is awesome, thank you!

@jesperp

jesperp commented May 30, 2019

On a new computer I think you can just clone the repo directly into .password-store in your home dir (after you have imported GPG keys):

cd
git clone <git-repo> .password-store

@komali2

komali2 commented Apr 27, 2020

very very helpful, thank you

Maybe the gpg program has changed a bit, or my version is different on Ubuntu 18.04, but my initial steps were slightly different from these ones. It was still pretty self-explanatory though.

@adegoodyer

Awesome, thanks for spending the time creating this 👍

@dimpase

dimpase commented Oct 4, 2021

Nowadays (with gpg version 2.2.X), gpg --list-keys doesn't show the correct key ID to use for pass init; one has to do gpg --list-signatures. To filter out other keys one might already have in an existing gpg install, use gpg --list-signatures $USER and look for a line beginning with sig.
E.g.

$ gpg --list-signatures $USER | grep ^sig
sig 3        XXXXXXXXXXXXXX 20YY-MM-DD  Dima Pasechnik (work key) <whatever>
sig          XXXXXXXXXXXXXX 20YY-MM-DD  Dima Pasechnik (work key) <whatever>

then XXXXXXXXXXXXXX is the key id you need to use.

@sdorbala

Awesome! thanks for the tip in the last comment. That worked for me!

@flbuddymooreiv
Author

flbuddymooreiv commented Oct 27, 2021 via email

@user280920

Thank you for your service

@user280920

Thanks for everything

@user280920

Very good service

@jonb665

jonb665 commented Nov 25, 2022

Fingers crossed

@flbuddymooreiv
Author

flbuddymooreiv commented Nov 25, 2022 via email
