@worldofgeese
Last active June 15, 2020 10:04
How to secure secrets with gopass and summon

Using Gopass and Summon to Secure Secrets Inside the Enterprise and Out

*Gopass cheatsheet*

Windows user?

Install scoop

Set-ExecutionPolicy RemoteSigned -scope CurrentUser
iwr -useb get.scoop.sh | iex

Use scoop to install gopass

scoop install gopass

Linux user?

Install gopass

First install Go for your platform. Then install gopass with:

go get github.com/gopasspw/gopass

You can upgrade gopass in the future with:

go get -u github.com/gopasspw/gopass

Up and running with gopass

Gopass is built on Pretty Good Privacy (PGP), a standard that uses a pair of private and public keys to prove you are who you say you are; each secret is encrypted so that only the key holders it is shared with can read it.

Generate your own key

First, generate a PGP key if you don’t already have one:

Get and mount the secrets repository

When asked, accept all default prompts by pressing the ENTER key.

Bootstrap team store

gopass --yes setup --remote git@github.com:MQSdk/secrets.git --alias secrets --name "Jane Doe" --email "jane.doe@example.com"

If you already have your own secrets repository in the .password-store directory, you can mount the team secrets repository as an additional substore:

gopass clone git@github.com:MQSdk/secrets.git secrets --sync gitcli

Want a graphical interface? Install Gopass UI.

Import and trust your team’s keys

Next, mark your team's keys as ultimately trusted with the trust script below. Without this, gopass cannot use these keys to decrypt team secrets.

for fpr in $(gpg --list-keys --with-colons | awk -F: '/fpr:/ {print $10}' | sort -u); do
  printf '5\ny\n' | gpg --command-fd 0 --expert --edit-key "$fpr" trust
done

When onboarding new users, it's important to first add them as a recipient. If they have a GitHub account, this is as easy as

curl -sSL https://github.com/MQS-mark.gpg | gpg --import
gopass recipients add mark@mqs.dk
gopass sync

followed by the above trust script.
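Two details of the flow above are worth tightening: the curl import trusts whatever key GitHub happens to serve for that account, and the trust loop marks every key in your keyring as ultimately trusted, not only your team's. The script below is an added example, not part of the gist, that pins the teammate's primary-key fingerprint (obtained out of band, e.g. read aloud or sent through another channel) before importing, and sets ultimate trust on that one key only. It assumes gpg (2.2 or newer, for --show-keys), curl and gopass are installed; the e-mail, key URL and fingerprint passed to onboard_recipient are placeholders you substitute.

```shell
# Added example (not from the gist): onboard one teammate by pinning their key fingerprint.
# Assumes gpg, curl and gopass are installed; the e-mail, key URL and fingerprint
# given to onboard_recipient are placeholders.
set -eu

# Print the primary-key fingerprints found in `gpg --with-colons` output read on stdin.
# An "fpr" record directly after "pub" is the primary key's fingerprint; the ones
# that follow "sub" records belong to subkeys and are skipped.
primary_fingerprints() {
  awk -F: '
    $1 == "pub" { want = 1; next }
    $1 == "sub" { want = 0; next }
    $1 == "fpr" && want { print $10; want = 0 }
  '
}

# Succeed only if the expected fingerprint is one of the primary keys in the
# colon-format listing read on stdin.
fingerprint_present() {
  expected="$1"
  primary_fingerprints | grep -x "$expected" >/dev/null
}

# Download a key, refuse it unless it carries the pinned fingerprint, then import it,
# set ultimate trust on that key alone and register it as a gopass recipient.
onboard_recipient() {
  email="$1" key_url="$2" expected_fpr="$3"
  tmp=$(mktemp)
  curl -sSL "$key_url" -o "$tmp"
  # --show-keys lists the file's keys without touching the keyring, so we can
  # check the fingerprint before anything is imported.
  if ! gpg --with-colons --show-keys "$tmp" | fingerprint_present "$expected_fpr"; then
    echo "fingerprint mismatch for $email; not importing $key_url" >&2
    rm -f "$tmp"
    return 1
  fi
  gpg --import "$tmp"
  rm -f "$tmp"
  # "5" selects ultimate trust and "y" confirms; scoped to the pinned key, not the whole keyring.
  printf '5\ny\n' | gpg --command-fd 0 --expert --edit-key "$expected_fpr" trust
  gopass recipients add "$email"
  gopass sync
}

# Usage (placeholders):
# onboard_recipient mark@example.com https://github.com/USERNAME.gpg 0123456789ABCDEF0123456789ABCDEF01234567
```

The fingerprint check runs on the downloaded file before import, so a key that does not match never enters the keyring, and the trust edit is addressed by fingerprint rather than by e-mail address, which is not unique across keys.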

Working with secrets

Below are examples of common operations you will perform with gopass.

To print a secret to your shell:

gopass secrets/hetzner/gitea/worldofgeese

You can use fuzzy searching to find a secret too:

gopass worldofgeese

lists every secret whose name contains worldofgeese. If there is only one match, it displays that secret.

You can copy secrets directly to the clipboard:

gopass -c worldofgeese

Generate a new secret

gopass generate secrets/pizza-delivery-passcode

Add a new user to our secrets store

gopass recipients add $USER_EMAIL
gopass sync

Using gopass and summon to manage container secrets

What is summon?

Summon injects secrets as environment variables into any process. Here we use summon together with gopass to inject secrets into our Docker containers without leaving them on disk or in shell history.

Gopass acts as a provider to summon, offering secrets to summon that summon then passes into our containers.

Using summon

We assume a postgres database backs our Gitea container and that the database password has been saved to our secrets repository under the path gitea/gitea-db, using the command gopass insert gitea/gitea-db.

summon -p /usr/local/bin/gopass --yaml 'POSTGRES_PASSWORD: !var gitea/gitea-db' docker run -e POSTGRES_PASSWORD postgres:9.6

This command is intentionally verbose to show how summon hands secrets to the container: summon exports POSTGRES_PASSWORD into the environment it runs docker in, and docker run -e POSTGRES_PASSWORD (the variable name alone, without a $, so your shell does not expand it to an empty string before summon runs) copies that variable into the container. In production we will use a secrets.yml file to simplify this greatly.

Using a secrets.yml file

Define your keys in secrets.yml within the directory of your docker-compose.yml:

POSTGRES_PASSWORD: !var gitea/gitea-db
DB_PASSWD: !var gitea/gitea-db

Bring up your containers:

summon -p /usr/local/bin/gopass -e common docker-compose --env-file @SUMMONENVFILE up -d

If this command fails, you may need a newer docker-compose that supports the --env-file option:

nix-env -i docker-compose
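To make the flow above concrete, here is an added example (not summon's or the gist's code) that re-implements the core of what summon does with secrets.yml before starting the containers: read each KEY: !var path line, ask the provider for the value, write the results to a temporary 0600 env file, run the command with those variables exported, and remove the file when the command exits. It shows the provider contract summon relies on, which is simply a command that is given a secret path and prints the value on stdout (gopass in the gist); the fake_provider in the usage note stands in for gopass so the script runs offline. The flat secrets.yml shape, the function names and the quoting of values are this example's own assumptions.

```shell
# Added example (not from the gist or from summon): a minimal summon-like runner.
# Assumes a flat secrets.yml of `KEY: !var path` lines and a provider command
# that prints the secret for a path (gopass in the gist; a shell function here).
set -eu

# Resolve every `KEY: !var path` line of a secrets file through the provider and
# print shell-sourceable KEY='value' lines (single quotes escaped), one per key.
render_env() {
  provider="$1" secrets_file="$2"
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in ''|\#*) continue ;; esac   # skip blank lines and comments
    key=${line%%:*}
    path=${line#*!var }
    value=$("$provider" "$path")               # a missing secret aborts (set -e)
    esc=$(printf '%s' "$value" | sed "s/'/'\\\\''/g")
    printf "%s='%s'\n" "$key" "$esc"
  done < "$secrets_file"
}

# Run a command with the rendered secrets exported into its environment. The env
# file is mode 0600 and is deleted as soon as the command finishes, so the secret
# values never persist on disk or appear on the command line.
run_with_secrets() {
  provider="$1" secrets_file="$2"; shift 2
  envfile=$(mktemp)
  chmod 600 "$envfile"
  render_env "$provider" "$secrets_file" > "$envfile"
  status=0
  ( set -a; . "$envfile"; set +a; "$@" ) || status=$?
  rm -f "$envfile"
  return "$status"
}

# Usage with a stand-in provider (constructed; gopass would be `run_with_secrets gopass ...`):
# fake_provider() { case "$1" in gitea/gitea-db) printf '%s\n' 'example-db-password' ;; *) return 1 ;; esac; }
# printf 'POSTGRES_PASSWORD: !var gitea/gitea-db\nDB_PASSWD: !var gitea/gitea-db\n' > secrets.yml
# run_with_secrets fake_provider secrets.yml sh -c 'printf "%s\n" "$POSTGRES_PASSWORD"'
```

With gopass as the provider, `run_with_secrets gopass secrets.yml docker-compose up -d` is the same shape as the summon command in the gist: the compose file references ${POSTGRES_PASSWORD} and ${DB_PASSWD}, which arrive through the environment rather than through a committed .env file.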