This repository contains the password-store database our team uses to keep shared passwords (mostly for emergency use).
Every entry is encrypted to the PGP keys of all members, so the files can be read and written by any standard OpenPGP implementation.
The preferred tool to manage these passwords is password-store, a.k.a. pass.
To install it on Debian or Ubuntu (the commands below assume apt; pass itself runs on any current POSIX-compatible system), run the following:
sudo apt-get install pwgen gnupg tree git xclip
wget https://git.zx2c4.com/password-store/snapshot/password-store-1.6.5.tar.xz
tar xvf password-store-*.tar.xz
cd password-store-*
sudo make install
The tarball ends up installed as root, so fetch it over https (not the plain http link) and check it against the detached signature upstream publishes for its releases before running make install.
Don't use the apt package on Ubuntu: it is outdated (at least up to 14.04) and does not support multiple PGP keys.
Now clone the repository into the default store location:
git clone ...password-store.git ~/.password-store
Now you can use the tool, but as a new member you first need a PGP key pair, and then someone who already has access must re-encrypt the store for your public key.
If you don't have a key pair, generate one with seahorse (GUI) or gpg --gen-key. The default parameters are fine, but I would choose a key longer than 2048 bits and set an expiration date 10 or 20 years out.
Key generation can take a long time; be patient (seahorse gives no feedback on the progress; it's a good moment to run an apt-get upgrade to gain some entropy).
Then figure out the ID of the new public key from the gen-key output or as below (C869E69F in the example):
$ gpg --list-key|grep ^pub
pub 2048R/C869E69F 2015-04-21
An 8-hex-digit ID like this is only the tail of the key's fingerprint and is not unique, so also note the full fingerprint (gpg --fingerprint C869E69F) and give it to a colleague in person or over a channel you trust.
Then push the key to a public keyserver (with your key ID):
$ gpg --send-keys C869E69F
You will also need to import your colleagues' keys, whose IDs are listed in the store:
$ gpg --recv-keys $(cat ~/.password-store/.gpg-id)
Now ask someone who already has access to re-encrypt the repo with your key. They run the following (substituting your ID), after checking that the fingerprint gpg shows matches the one you gave them, since a keyserver returns whatever key carries that short ID:
$ gpg --recv-keys C869E69F
# You may need to poll for some time until the key servers get in sync
$ gpg --fingerprint C869E69F
$ pass init $(cat ~/.password-store/.gpg-id) C869E69F
$ pass git push
pass init with the full list re-encrypts every entry for all the listed keys and commits the result; leaving an existing ID out of that list would lock that person out.
After that you will be able to read the entries. Update the repo (pass git pull) and try pass keep-this-please.
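The onboarding steps above, and the "decrypt the needed file" case in the Windows section at the end, both come down to plain OpenPGP operations on the files in the store. The script below is an added example, not part of this repository or of pass itself: it redoes those steps with gpg alone in a throwaway keyring. It generates keys for three fictitious members (the names and example.invalid addresses are made up), encrypts a constructed sample entry to the first two, re-encrypts the store to admit the third the way pass init does, and reads the entry back. It assumes gpg 2.1 or later on PATH and, going beyond the README's 8-digit IDs, records full fingerprints in .gpg-id.

```sh
#!/bin/sh
# Added example, not part of the repository: what `pass insert`, `pass show` and
# `pass init <ids...>` do underneath, done with plain gpg in a throwaway keyring.
# Assumes gpg 2.1+ on PATH; nothing here touches ~/.gnupg or ~/.password-store.
set -eu
command -v gpg >/dev/null 2>&1 || { echo "gpg not found, nothing to demonstrate"; exit 0; }

export GNUPGHOME="$(mktemp -d)"   # throwaway keyring
STORE="$(mktemp -d)"              # stands in for ~/.password-store
cleanup() { gpgconf --kill gpg-agent 2>/dev/null || true; rm -rf "$GNUPGHOME" "$STORE"; }
trap cleanup EXIT

# make_key <localpart>: generate an unprotected 2048-bit RSA key for a fictitious
# member and print its full 40-hex-digit fingerprint. The README's 8-digit short
# IDs are just the tail of this value and are cheap to collide, so .gpg-id holds
# the full fingerprint in this example.
make_key() {
  gpg --batch --quiet --gen-key 2>/dev/null <<EOF
%no-protection
Key-Type: RSA
Key-Length: 2048
Name-Real: Team $1
Name-Email: $1@example.invalid
Expire-Date: 0
%commit
EOF
  gpg --batch --with-colons --list-keys "$1@example.invalid" \
    | awk -F: '$1 == "fpr" { print $10; exit }'
}

# encrypt_entry <name>: read a secret on stdin and encrypt it to every key
# listed in .gpg-id (one per line), which is what pass does for each entry.
encrypt_entry() {
  recips=""
  while read -r id; do recips="$recips -r $id"; done < "$STORE/.gpg-id"
  # $recips is intentionally word-split into repeated -r options
  gpg --batch --yes --quiet $recips -e -o "$STORE/$1.gpg"
}

# decrypt_entry <name>: print the plaintext (the raw form of `pass show`).
decrypt_entry() { gpg --batch --quiet -d "$STORE/$1.gpg" 2>/dev/null; }

# recipient_count <name>: how many keys an entry is encrypted to, read from the
# OpenPGP packets themselves, so it can be checked without any private key.
recipient_count() {
  gpg --batch --list-packets "$STORE/$1.gpg" 2>/dev/null | grep -c ':pubkey enc packet' || true
}

# reencrypt_store <fpr>...: rewrite .gpg-id and re-encrypt every entry to the
# new member list. This is the `pass init $(cat .gpg-id) NEWKEY` step, and it
# has to be run by someone who can already decrypt the store.
reencrypt_store() {
  printf '%s\n' "$@" > "$STORE/.gpg-id"
  for f in "$STORE"/*.gpg; do
    [ -e "$f" ] || continue
    name="${f##*/}"; name="${name%.gpg}"
    plain="$(gpg --batch --quiet -d "$f" 2>/dev/null)"   # read fully before overwriting
    printf '%s\n' "$plain" | encrypt_entry "$name"
  done
}

ALICE="$(make_key alice)"
BOB="$(make_key bob)"
reencrypt_store "$ALICE" "$BOB"                  # like the initial `pass init`
SECRET="correct horse battery staple"            # constructed sample secret
printf '%s\n' "$SECRET" | encrypt_entry root-emergency
BEFORE="$(recipient_count root-emergency)"       # 2 recipients

CAROL="$(make_key carol)"                        # the new colleague's key
reencrypt_store "$ALICE" "$BOB" "$CAROL"         # an existing member admits it
AFTER="$(recipient_count root-emergency)"        # 3 recipients
READBACK="$(decrypt_entry root-emergency)"
echo "recipients before/after: $BEFORE/$AFTER; entry reads back as: $READBACK"
```

Save it to a file and run it with sh; it never touches your real keyring. Reading the recipient count from the packets is also the quickest way, on any system, to see which key IDs an entry in the real store is encrypted to (gpg --list-packets <entry>.gpg), which is a useful check after a re-encryption.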
Please keep your private key private, make encrypted backups, choose a proper passphrase, and save a revocation cert.
You won't need many commands for everyday use, but here are some examples:
$ pass keep-this-please # show the entry named keep-this-please
$ pass show keep-this-please # ditto
$ pass -c keep-this-please # copy the password to the clipboard (cleared again after 45 seconds)
$ pass # list all passwords
$ pass search keep # search passwords by name
$ pass generate foobar 10 # generate a 10-character password and save it
$ pass git push # push recent changes (pass autocommits, but never pushes/pulls magically)
$ pass git pull # update the password store
Read-only access is easy to get on Windows, but pass itself is only supported under Cygwin (where it works as on Linux).
- Install Git and gpg4win.
- Generate and publish a key.
- Ask someone to re-encrypt the repo with it.
- Clone the yourname@git.balabit:/var/scm/git/backoffice/password-store.git git repository.
- Decrypt the needed file in the repository with gpg.