This is more of a demonstration of what a professional git+GPG repository can look like when it handles various secrets such as:

- SSL Certificate Authorities
- Java Keystores
- SSH keys (both host and user)
- "cloud" secrets (admin-openrc.sh = OpenStack, aws.credentials = the AWS ~/.aws/credentials file)

You can access this with either gopass, pass, or git and GPG. Particular attention has been paid to gopass, but the beauty of it is that git and GPG can be used in place of gopass/pass. The password for the private key should be 'pinger'.
Assuming you are trying to operate with this existing repository, these actions could carry over to another password store similar to this one.
A very helpful addition is bash completion for your shell; you can enable it by running:

```shell
. <(gopass completion bash)
```

Ensure you have bash-completion installed first (yum/dnf/emerge bash-completion).
The full path from the base of the git repo must be specified for the secret. For example, to show an SSH key:

```console
[user@host ~/.password-store]$ gopass show prod/ssh/automation.ed25519
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
QyNTUxOQAAACCKwHik39Sit37cuvqaxO9e+PJYyNB+LrA1yiHkCLkW8AAAAKAZt48NGbeP
DQAAAAtzc2gtZWQyNTUxOQAAACCKwHik39Sit37cuvqaxO9e+PJYyNB+LrA1yiHkCLkW8A
AAAEDNlTPS0/H7ZOaE0Xr4gQzg7o8ZHkmfSeL1T/95ZER4HIrAeKTf1KK3fty6+prE7174
8ljI0H4usDXKIeQIuRbwAAAAGmtvbmRvcjZjQGhvcnNlLmxhenl0cmVlLnVzAQID
-----END OPENSSH PRIVATE KEY-----
[user@host ~/.password-store]$
```

That should show the prod/ssh/automation secret. The same goes for adding; to the best of my knowledge, relative paths are not supported. This is mostly because gopass/pass is designed not to be bound to execution inside the git repository; it can be run from an automation repository. For example:
```console
[builder@jenkins ~/ansible]$ . <(gopass prod/web/memcache.env)
[builder@jenkins ~/ansible]$ ansible-playbook -K local-action
```
Adding a secret can be done several different ways. With

```shell
gopass create secret/path/name
```

you'll be presented with a dialog or "wizard" that prompts for information about the secret. Templates can be used as well. Inserting a secret can be done with

```shell
gopass insert new/secret
```

which is largely the same as using create. To add a file that you have generated, you'll likewise be presented with a dialog menu to add the secret.
Adding a simple string passphrase/secret can be done easily; here is another example:

```console
[user@host ~]$ read -r -s PRIVATE          # type the secret; -s keeps it off the screen
[user@host ~]$ printf '%s\n' "$PRIVATE" | gopass insert pord/otp_home_system_auth.totp
```

The variable is quoted so the shell does not word-split the secret; unset PRIVATE afterwards so it does not linger in the shell's environment.
gopass allows us to add binary files; this is done by base64 encoding them and then encrypting them. This could be done manually by:

```shell
# turn each "0x..." line of .gpg-id into a --recipient argument
RECIP_LIST=$(sed 's/0x/--recipient 0x/' .gpg-id)
# RECIP_LIST is deliberately unquoted so it expands to one argument per word
gpg2 --encrypt ${RECIP_LIST} --output secret_p12.gpg <(base64 secret_p12)
git add secret_p12.gpg
```

Alternatively, gopass allows us to do it like this:

```shell
cat raw_keystore.jceks | gopass bin cat prod/java/raw_keystore.jceks.gpg
```
Edit a secret
gopass respects the EDITOR environment variable; the decrypted secret is opened in that editor.

```shell
gopass edit dev/database-passwords
```
Absolutely crucial to gopass or zx2c4's pass is properly located .gpg-id files. These files contain GPG public key IDs in 0xlong format. These keys MUST be trusted first! gopass provides a way to trust the keys:

```shell
gopass sync
```

should trust the keys. Alternatively, this can be done by importing the key and then editing the key to trust it:

```console
gpg2 --edit-key 0xAA63E0576CC60292
pub  ed25519/AA63E0576CC60292
     created: 2018-02-15  expires: never       usage: SC
     trust: unknown       validity: unknown
gpg> trust
  1 = I don't know or won't say
  2 = I do NOT trust
  3 = I trust marginally
  4 = I trust fully
  5 = I trust ultimately
  m = back to the main menu
Your decision? 4
gpg> q
```
Then place the 0x ID in the file .gpg-id, or create a new .gpg-id in the directory that you wish to limit/add access to, or you can have gopass do that for you:

```shell
gopass recipients add 0xAABBCCDD11223344
```

Executing

```shell
gopass recipients
```

without any arguments will show the recipients that are currently added; keep in mind that this is what is active and committed.
Supplementary is the placement of public_gpg_keys/*.pub. This was done as a concept to ship the actual public key with the repository, which I feel is important unless a keyserver is used.

```shell
# build .gpg-id from the shipped public keys: field 5 of a "pub" record in
# --with-colons output is the 16-hex long key ID, which we prefix with 0x
# (--show-keys needs GnuPG 2.2.8 or later; older versions list a key file
# when it is passed directly)
for key in public_gpg_keys/*.pub; do
  gpg2 --with-colons --show-keys "$key" | awk -F: '$1 == "pub" {print "0x" $5}'
done > .gpg-id
```
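As an added check (example code written for this page, not part of the demo repository or of gopass): before relying on `gopass sync` or `gpg --edit-key`, confirm that every ID in .gpg-id is actually present in the keyring and carries full or ultimate validity, since gpg otherwise refuses or prompts when encrypting to that recipient. The colon-format keyring listing and every key ID other than 0xAA63E0576CC60292 are constructed sample data; in a real store you would save `gpg2 --with-colons --list-keys` to a file and pass that.

```shell
#!/usr/bin/env bash
# Added example: cross-check a .gpg-id file against a colon-format key listing.
# Every 0xlong ID in .gpg-id must be present and have validity f (full) or
# u (ultimate); gpg otherwise refuses or prompts when encrypting to it.
# Real use: gpg2 --with-colons --list-keys > keyring.colons

# check_recipients GPGID_FILE KEYRING_COLONS
#   Prints "<id> missing" or "<id> validity=<v>" per problem; returns 1 if any.
check_recipients() {
  local gpgid_file="$1" colons="$2" rc=0 id line validity
  while read -r id; do
    case "$id" in ''|'#'*) continue ;; esac       # skip blanks and comments
    # field 5 of a "pub" record is the bare 16-hex long key ID (no 0x prefix)
    line=$(awk -F: -v want="${id#0x}" '$1 == "pub" && $5 == want' "$colons")
    if [ -z "$line" ]; then
      echo "$id missing"; rc=1; continue
    fi
    validity=$(printf '%s\n' "$line" | cut -d: -f2)   # field 2: key validity
    case "$validity" in
      f|u) ;;                                        # usable recipient
      *) echo "$id validity=${validity:--}"; rc=1 ;;
    esac
  done < "$gpgid_file"
  return "$rc"
}

# demo_check ID...  -> runs check_recipients on constructed sample data:
#   0xAA63E0576CC60292 is the trusted key from the page; 0x0123456789ABCDEF is
#   a constructed key that was imported but never trusted (validity "-").
demo_check() {
  local dir rc
  dir=$(mktemp -d)
  cat > "$dir/keyring.colons" <<'EOF'
pub:u:255:22:AA63E0576CC60292:1518652800:::u:::scESC::::::23::0:
uid:u::::1518652800::0000000000000000000000000000000000000000::Demo Owner <demo@example.invalid>::::::::::0:
pub:-:255:22:0123456789ABCDEF:1518652800:::-:::scESC::::::23::0:
uid:-::::1518652800::1111111111111111111111111111111111111111::Untrusted Import <nobody@example.invalid>::::::::::0:
EOF
  printf '%s\n' "$@" > "$dir/.gpg-id"
  check_recipients "$dir/.gpg-id" "$dir/keyring.colons"
  rc=$?
  rm -rf "$dir"
  return "$rc"
}

# 0xFEDCBA9876543210 is a constructed ID that is in .gpg-id but never imported.
demo_check 0xAA63E0576CC60292 0x0123456789ABCDEF 0xFEDCBA9876543210 \
  || echo "recipient check failed (exit $?)"
```

Running it against the constructed data reports the untrusted key and the missing key and exits non-zero; with only the trusted key in .gpg-id it prints nothing and exits 0.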
gopass has a very awesome feature which allows you to attach another password store to your primary store. This could be useful when integrating other teams or companies. Think of it as mounting an NFS share onto an already mounted filesystem.

```shell
gopass mount 3rd-party-contractors git_repositories/dba-team
```
Deleting is simple and straightforward:

```shell
gopass delete pord/otp_home_system_auth.totp
```

or

```shell
gopass rm -rf pord/
```

Relocating a file is easy:

```shell
gopass move password-store/location/secret destination/secret
```

Renaming can be done in the same way as moving.
These kinds of actions might not be done all the time, but are good to have somewhere as a reference.
Keep in mind that filenames and directories will be visible. Try to place your password store somewhere it is not easily visible and name the files accordingly. Even if you put meaningful information in a name like 'root_password_netapp_appliance_atlanta_DC_closet_5_rack_2', the secret itself is still safe; you have just leaked a little more information, which makes target enumeration possible.
gopass init
If the password store needs to be in a different location, the path can be specified. If you are placing the password store on a FUSE-type filesystem like SSHFS, s3fs, WebDAV, or NFS and don't want the versioning features that git provides, specify noop as the revision control system:

```shell
gopass init --path gpgcli-noop-fs+file:///s3fs/demos/demo_secret_storage --store=demo_secret_storage
```
OTP
Often One Time Passwords are used to implement higher security. I have seen the AWS root password be stored on a finance department director's phone and a technology director's phone, all of which could be compromised. OTP can be stored in the password store, and then the OTP can be presented as though it were the virtual hardware device.

```console
(demos) [user@host ~]$ gpg2 -d demo_secret_storage/pord/otp_home_system_auth.totp.gpg
gpg: encrypted with 2048-bit RSA key, ID D72422A60E875A80, created 2018-08-04
      "Kevin Faulkner (demo account) <root@lazytree.us>"
otpauth://totp/home:kondor6c?issuer=HomeWorkStation&secret=43d1eb1b6212ddf7742f5b04b81649
(demos) [user@host ~]$ gopass otp pord/otp_home_system_auth.totp
357506 lasts 19s    |-----------===================|
(demos) [user@host ~]$ gopass otp pord/otp_home_system_auth.totp
357506 lasts 16s    |--------------================|
```

The syntax is:

```text
otpauth://totp/${location}:${user}?issuer=${displayName}&secret=${base32}
```

Adding that as a regular secret (with only that as the contents) and running

```shell
gopass otp
```

on the secret object will display the code.
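As an added example (not the page's or gopass's code), a small shell check that a secret in the syntax above is well formed before it goes into the store: it parses the label, issuer and secret and rejects anything whose secret is not RFC 4648 base32, which is what `gopass otp` has to decode. The URIs and the secret `JBSWY3DPEHPK3PXP` are constructed sample values, and treating `issuer` as required is an assumption taken from the syntax line above.

```shell
#!/usr/bin/env bash
# Added example: validate an otpauth://totp/ URI of the form
#   otpauth://totp/${location}:${user}?issuer=${displayName}&secret=${base32}
# before inserting it into the store, so `gopass otp` can decode it later.

# otpauth_field URI NAME -> prints NAME (label, issuer or secret) from URI
otpauth_field() {
  local uri="$1" name="$2" query="${1#*\?}"
  case "$name" in
    label) printf '%s\n' "${uri#otpauth://totp/}" | cut -d'?' -f1 ;;
    issuer|secret)
      # split the query on '&' so parameter order does not matter
      printf '%s\n' "$query" | tr '&' '\n' | sed -n "s/^$name=//p" | head -n1 ;;
  esac
}

# otpauth_check URI -> prints "ok label=... issuer=..." and returns 0,
# or prints the first problem found and returns 1
otpauth_check() {
  local uri="$1" label issuer secret
  case "$uri" in
    otpauth://totp/*\?*) ;;
    otpauth://hotp/*) echo "hotp (counter based) is not the totp form shown here"; return 1 ;;
    *) echo "not an otpauth://totp/ URI"; return 1 ;;
  esac
  label=$(otpauth_field "$uri" label)
  issuer=$(otpauth_field "$uri" issuer)
  secret=$(otpauth_field "$uri" secret)
  case "$label" in
    *:*) ;;
    *) echo "label lacks the location:user form"; return 1 ;;
  esac
  [ -n "$issuer" ] || { echo "issuer missing"; return 1; }   # assumed required here
  [ -n "$secret" ] || { echo "secret missing"; return 1; }
  # RFC 4648 base32 is A-Z and 2-7 plus '=' padding; lowercase letters or the
  # digits 0, 1, 8, 9 mean the secret was pasted in hex or another encoding
  case "${secret%%=*}" in
    *[!ABCDEFGHIJKLMNOPQRSTUVWXYZ234567]*) echo "secret is not base32: $secret"; return 1 ;;
  esac
  echo "ok label=$label issuer=$issuer"
}

# Constructed sample values, not from the demo store: one good, one rejected
otpauth_check 'otpauth://totp/home:alice?issuer=HomeWorkStation&secret=JBSWY3DPEHPK3PXP'
otpauth_check 'otpauth://totp/home:alice?issuer=HomeWorkStation&secret=0badsecret1' || true
```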