Using Gopass and Summon to Secure Secrets Inside the Enterprise and Out
Windows user?
Install scoop
Set-ExecutionPolicy RemoteSigned -scope CurrentUser
iwr -useb get.scoop.sh | iex
Use scoop to install gopass
scoop install gopass
Linux user?
Install gopass
First install Go on your platform of choice. Then install gopass with:
go install github.com/gopasspw/gopass@latest
(With Go releases before 1.17 the equivalent was go get github.com/gopasspw/gopass.) The binary lands in $(go env GOPATH)/bin, which needs to be on your PATH. Re-run the same command later to upgrade gopass to the latest release.
Up and running with gopass
Gopass builds on OpenPGP as implemented by GnuPG (gpg). Each secret is encrypted to the public keys of the store's recipients, and only the holder of a matching private key can decrypt it, so your key pair is both your identity within the team and the thing that unlocks the team's secrets. Keep the private half on your own machine only.
Generate your own key
First, generate a PGP key pair with gpg if you don't already have one. Gopass needs it to encrypt secrets to you, and its fingerprint is what your teammates will add as a recipient.
Get and mount the secrets repository
When asked, accept all default prompts by pressing the ENTER key.
Bootstrap team store
gopass --yes setup --remote git@github.com:MQSdk/secrets.git --alias secrets --name "Jane Doe" --email "jane.doe@example.com"
If you already have your own secrets repository in the .password-store directory, mount the team repository as an additional substore instead (gopass expects flags before the positional arguments):
gopass clone --sync gitcli git@github.com:MQSdk/secrets.git secrets
Want a graphical interface? Install Gopass UI.
Import and trust your team’s keys
Now mark your team's keys as trusted with the script below. gpg refuses to encrypt to a key it does not consider valid, and gopass must encrypt to every recipient whenever a secret is written or the recipient list changes. The script assigns ultimate trust (level 5), the only ownertrust level that makes a key valid on its own, to every key currently in your keyring. Two caveats: ultimate trust is meant for your own keys, and the loop does not distinguish your team's keys from anything else you have imported, so verify each teammate's fingerprint with them out of band before running it, or locally sign the verified keys instead.
for fpr in $(gpg --list-keys --with-colons | awk -F: '$1 == "fpr" {print $10}' | sort -u); do printf '5\ny\n' | gpg --command-fd 0 --expert --edit-key "$fpr" trust; done
When onboarding a new user, import their public key and add them as a recipient; gopass then re-encrypts the store to the new recipient set. If they have a GitHub account with a key attached, this is as easy as
curl -sSL https://github.com/MQS-mark.gpg | gpg --import
gopass recipients add mark@mqs.dk
gopass sync
followed by the trust script above. Confirm the key's fingerprint with the person before adding it: the GitHub URL only proves that the key was uploaded to that account. If the team store is mounted as a substore (the secrets alias above), pass --store secrets to recipients add so the change lands in the team store rather than in your root store.
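The trust loop above sets ultimate trust on every key in your keyring, which is broader than the task needs. As an added example (not from the page or the gopass project), the script below restricts the loop to your team's keys, checks a fingerprint that a colleague gave you out of band against the keyring before you add them as a recipient, and prints the gpg trust commands for review instead of running them. The keyring listing is a constructed sample in the format of gpg --list-keys --with-colons; the example.com domain, names and fingerprints are made up.

```shell
#!/bin/sh
# Added example (not from the page or gopass): restrict trust to team keys,
# verify an out-of-band fingerprint, and emit gpg commands for review.
# Runs offline against SAMPLE_KEYRING (constructed); in real use feed it the
# output of: gpg --list-keys --with-colons

# Constructed --with-colons output: two keys at example.com and one stranger.
SAMPLE_KEYRING='tru::1:1700000000:0:3:1:5
pub:u:4096:1:AAAAAAAAAAAAAAAA:1700000000:::u:::scESC::::::23::0:
fpr:::::::::1111111111111111111111111111111111111111:
uid:u::::1700000000::HASH1::Jane Doe <jane.doe@example.com>::::::::::0:
sub:u:4096:1:BBBBBBBBBBBBBBBB:1700000000::::::e::::::23:
fpr:::::::::2222222222222222222222222222222222222222:
pub:-:4096:1:CCCCCCCCCCCCCCCC:1700000000:::-:::scESC::::::23::0:
fpr:::::::::3333333333333333333333333333333333333333:
uid:-::::1700000000::HASH2::Random Stranger <someone@elsewhere.org>::::::::::0:
sub:-:4096:1:DDDDDDDDDDDDDDDD:1700000000::::::e::::::23:
fpr:::::::::4444444444444444444444444444444444444444:
pub:-:255:22:EEEEEEEEEEEEEEEE:1700000000:::-:::scESC::::::23::0:
fpr:::::::::5555555555555555555555555555555555555555:
uid:-::::1700000000::HASH3::Mark <mark@example.com>::::::::::0:'

# team_fingerprints DOMAIN: reads --with-colons output on stdin and prints the
# primary-key fingerprint of every key that has a uid at DOMAIN. The fpr record
# that follows a sub record is a subkey fingerprint and is skipped.
team_fingerprints() {
  awk -F: -v domain="@$1>" '
    function flush() { if (keep && fpr != "") print fpr; fpr = ""; keep = 0 }
    $1 == "pub" { flush(); primary = 1; next }
    $1 == "fpr" { if (primary) { fpr = $10; primary = 0 }; next }
    $1 == "uid" { if (index($10, domain) > 0) keep = 1; next }
    END { flush() }
  '
}

# has_primary_fingerprint FPR: succeeds if FPR (as given to you by the key
# owner over another channel, spaces allowed) is a primary-key fingerprint in
# the --with-colons output on stdin. Run it before `gopass recipients add`.
has_primary_fingerprint() {
  want=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
  awk -F: -v want="$want" '
    $1 == "pub" { primary = 1; next }
    $1 == "fpr" && primary { primary = 0; if ($10 == want) found = 1 }
    END { exit(found ? 0 : 1) }
  '
}

# trust_commands MODE: reads fingerprints on stdin and prints one gpg command
# per key, to review and then pipe into sh. MODE lsign (default) certifies the
# key locally with your own key, which makes it valid for encryption without
# publishing a signature. MODE ultimate reproduces the page's recipe
# (ownertrust 5, the only level gpg asks to confirm, hence the "y").
# Ownertrust 4 or lower does not make a key valid, so it is not offered.
trust_commands() {
  mode=${1:-lsign}
  case "$mode" in
    lsign|ultimate) ;;
    *) echo "trust_commands: unknown mode '$mode'" >&2; return 1 ;;
  esac
  while IFS= read -r fpr; do
    case "$fpr" in
      ''|*[!0-9A-Fa-f]*) echo "trust_commands: skipping malformed fingerprint '$fpr'" >&2; continue ;;
    esac
    if [ "$mode" = lsign ]; then
      printf 'gpg --quick-lsign-key %s\n' "$fpr"
    else
      answers='5\ny\n'
      printf "printf '%s' | gpg --command-fd 0 --edit-key %s trust\n" "$answers" "$fpr"
    fi
  done
}

# Demo on the constructed keyring: only the two example.com keys are listed.
printf '%s\n' "$SAMPLE_KEYRING" | team_fingerprints example.com | trust_commands lsign
if printf '%s\n' "$SAMPLE_KEYRING" | has_primary_fingerprint '5555 5555 5555 5555 5555  5555 5555 5555 5555 5555'; then
  echo "fingerprint matches a primary key in the keyring"
fi
```

In real use, pipe gpg --list-keys --with-colons into team_fingerprints and the reviewed output of trust_commands into sh. Local signing leaves your ownertrust settings alone and still lets gpg encrypt to the key without a prompt; the ultimate mode is there only to show what the page's one-liner does per key.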
Working with secrets
Below are examples of common operations you will do with gopass.
To print a secret to your shell:
gopass secrets/hetzner/gitea/worldofgeese
You can use fuzzy searching to find a secret too:
gopass worldofgeese
will list any secrets whose path contains worldofgeese; if exactly one matches, gopass shows it directly.
You can copy a secret directly to the clipboard instead of printing it (gopass clears the clipboard again after a timeout):
gopass -c worldofgeese
Generate a new secret
gopass generate secrets/pizza-delivery-passcode
Add a new user to our secrets store (this re-encrypts every secret to the new recipient set, so sync afterwards):
gopass recipients add $USER_EMAIL
gopass sync
Using gopass and summon to manage container secrets
What is summon?
Summon injects secrets as environment variables into any process it launches. We use it with gopass as the provider to hand secrets to our Docker containers at start-up, so that no password has to sit in a docker-compose.yml, a .env file or your shell history. The secrets still end up in the containers' environment, where anyone with access to the Docker socket can read them with docker inspect, so this protects the repository and the host's files rather than the running container.
Gopass acts as a provider for summon: summon runs gopass once per variable, reads the secret from its output and passes it into the environment of the process it starts, in our case docker.
Using summon
We assume a Postgres database backs our Gitea container and that its password has been saved to the secrets repository at gitea/gitea-db (created with gopass insert gitea/gitea-db):
summon -p /usr/local/bin/gopass --yaml 'POSTGRES_PASSWORD: !var gitea/gitea-db' docker run -e POSTGRES_PASSWORD postgres:9.6
The variable is passed to docker by name, not as $POSTGRES_PASSWORD: summon resolves the secret and places it in the environment of the docker process it launches, and docker run -e NAME copies that variable from its own environment into the container. Writing $POSTGRES_PASSWORD would make your shell expand it before summon runs, to an empty string. This command is intentionally verbose to show how summon hands secrets to the container; in production we use a secrets.yml file to simplify it.
Using a secrets.yml file
Define your keys in secrets.yml within the directory of your docker-compose.yml:
common:
  POSTGRES_PASSWORD: !var gitea/gitea-db
  DB_PASSWD: !var gitea/gitea-db
Bring up your containers. The -e common flag selects the common section of secrets.yml (summon also supports per-environment sections, such as production, that are merged on top of common):
summon -p /usr/local/bin/gopass -e common docker-compose --env-file @SUMMONENVFILE up -d
Summon resolves the variables through gopass, writes them to a temporary file, substitutes that file's path for @SUMMONENVFILE and removes the file again once docker-compose exits. docker-compose reads the file with --env-file for variable interpolation, so reference the values as ${POSTGRES_PASSWORD} and ${DB_PASSWD} in your docker-compose.yml. If the command fails, you may need a newer docker-compose, which is where --env-file was added:
nix-env -i docker-compose