Password and Secret Storage

This is a demonstration of what a professional git+GPG repository can look like when it handles various kinds of secrets:

- SSL Certificate Authorities
- Java Keystores
- SSH keys (both host and user)
- "cloud" secrets (admin-openrc.sh = OpenStack, aws.credentials = the AWS ~/.aws/credentials file)

You can access this with gopass, pass, or plain git and GPG. Particular attention has been paid to gopass, but the beauty of it is that git and GPG can be used in place of gopass/pass. The passphrase for the private key is 'pinger'.

Regular Usage

Assuming you are operating on this existing repository, these actions carry over to any password store laid out like this one. A very helpful addition is bash completion for your shell, which you can enable by running:

. <(gopass completion bash)

Ensure you have bash-completion installed first (yum/dnf/emerge bash-completion).

The full path from the base of the git repo must be specified for the secret. For example, with an SSH key:

[user@host ~/.password-store]$ gopass show prod/ssh/automation.ed25519
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
QyNTUxOQAAACCKwHik39Sit37cuvqaxO9e+PJYyNB+LrA1yiHkCLkW8AAAAKAZt48NGbeP
DQAAAAtzc2gtZWQyNTUxOQAAACCKwHik39Sit37cuvqaxO9e+PJYyNB+LrA1yiHkCLkW8A
AAAEDNlTPS0/H7ZOaE0Xr4gQzg7o8ZHkmfSeL1T/95ZER4HIrAeKTf1KK3fty6+prE7174
8ljI0H4usDXKIeQIuRbwAAAAGmtvbmRvcjZjQGhvcnNlLmxhenl0cmVlLnVzAQID
-----END OPENSSH PRIVATE KEY-----
[user@host ~/.password-store]$

That shows the prod/ssh/automation secret. The same goes for adding; to the best of my knowledge relative paths are not supported. This is mostly because gopass/pass is designed not to be bound to the git repository it is executed in: it can be run from an automation repository. For example:

[builder@jenkins ~/ansible]$ . <(gopass prod/web/memcache.env)
[builder@jenkins ~/ansible]$ ansible-playbook -K local-action

Adding a secret (file)

Adding a secret can be done in several different ways. With gopass create secret/path/name you are presented with a dialog or "wizard" that prompts for information about the secret. Templates can be used as well. Inserting a secret can be done with gopass insert new/secret, which is largely the same as create. To add a file that you have generated, you are again presented with a dialog menu. Adding a simple string passphrase/secret can be done easily; here is another example:

[user@host ~]$ read -s PRIVATE
<type secret here>

[user@host ~]$ echo "$PRIVATE" | gopass insert pord/otp_home_system_auth.totp

gopass allows us to add binary files; this is done by base64 encoding them and then encrypting them. This could be done manually with:

# each .gpg-id line becomes "--recipient 0x..."; RECIP_LIST is expanded unquoted on purpose
RECIP_LIST=$(sed 's/^0x/--recipient 0x/' .gpg-id)
gpg2 --encrypt ${RECIP_LIST} --output secret_p12.gpg <(base64 secret_p12)
git add secret_p12.gpg

Alternatively, gopass allows us to do it like this:

cat raw_keystore.jceks | gopass bin cat prod/java/raw_keystore.jceks.gpg

Edit a secret

gopass respects the EDITOR environment variable and opens the secret in that editor:

gopass edit dev/database-passwords

Add a user/recipient to a directory

Absolutely crucial to gopass or zx2c4's pass is properly located .gpg-id files. These files contain the GPG key IDs of the recipients in 0xlong format. These keys MUST be trusted first! gopass provides a way to do this: gopass sync should trust the keys. It can also be done by hand by importing the key and then editing it to set its trust:

gpg2 --edit-key 0xAA63E0576CC60292
pub  ed25519/AA63E0576CC60292
     created: 2018-02-15  expires: never       usage: SC
     trust: unknown       validity: unknown
gpg> trust
  1 = I don't know or won't say
  2 = I do NOT trust
  3 = I trust marginally
  4 = I trust fully
  5 = I trust ultimately
  m = back to the main menu

Your decision? 4
gpg> q

Then place the 0x ID in the .gpg-id file, or create a new .gpg-id in the directory to which you wish to limit/add access, or have gopass do that for you:

gopass recipients add 0xAABBCCDD11223344

Executing gopass recipients without any arguments shows the recipients that are currently added; keep in mind that this is what is active and committed.

Supplementary is the placement of public_gpg_keys/*.pub. This was done as a concept to ship the actual public keys with the repository, which I feel is important unless a keyserver is used. The .gpg-id file can be generated from them (with --with-colons, field 5 of a pub record is always the long key ID):

for key in public_gpg_keys/*.pub; do
  gpg2 --with-colons --import-options show-only --import "$key" \
    | awk -F: '$1 == "pub" {print "0x" $5}'
done > .gpg-id
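As an added example (not code from this repository or from gopass), here is the recipient bookkeeping above done in Python: it parses the colon-separated listing that gpg2 --with-colons --list-keys prints, derives the 0xlong entries for .gpg-id the same way the loop does, and flags recipients whose key is not yet fully or ultimately trusted, the condition this section says MUST hold. The listing is constructed sample data with made-up key IDs.

```python
# Added example; SAMPLE_LISTING is constructed output in the shape of
# `gpg2 --with-colons --list-keys`, with made-up key IDs (not keys from this repo).
# In a "pub" record, field 2 is the key's validity, field 5 the long key ID and
# field 9 the owner trust. Validity "f"/"u" = fully/ultimately valid, "-"/"q" = unknown.
SAMPLE_LISTING = """\
pub:u:256:22:0000000000000001:1518652800:::u:::scESC:::::ed25519:::0:
fpr:::::::::0000000000000000000000000000000000000001:
uid:u::::1518652800::HASH1::Demo One <one@example.invalid>::::::::::0:
pub:-:2048:1:0000000000000002:1533340800:::-:::scESC:::::::::0:
fpr:::::::::0000000000000000000000000000000000000002:
uid:-::::1533340800::HASH2::Demo Two <two@example.invalid>::::::::::0:
"""

TRUSTED_VALIDITY = {"f", "u"}


def pub_records(listing: str):
    """Yield (long_key_id, validity) for each pub record in colon-format output."""
    for line in listing.splitlines():
        fields = line.split(":")
        if fields[0] == "pub":
            yield fields[4], fields[1]


def gpg_id_lines(listing: str) -> list[str]:
    """The .gpg-id content (one 0xlong ID per line) for every key in the listing."""
    return ["0x" + key_id for key_id, _ in pub_records(listing)]


def untrusted_recipients(listing: str) -> list[str]:
    """Recipients gpg will refuse to encrypt to until their key is trusted."""
    return ["0x" + key_id for key_id, validity in pub_records(listing)
            if validity not in TRUSTED_VALIDITY]


def unknown_recipients(gpg_id_text: str, listing: str) -> list[str]:
    """Entries of an existing .gpg-id with no matching key in the keyring at all."""
    known = set(gpg_id_lines(listing))
    return [line.strip() for line in gpg_id_text.splitlines()
            if line.strip() and line.strip() not in known]
```

Run untrusted_recipients and unknown_recipients against the real keyring listing before committing a changed .gpg-id; either list being non-empty means gopass insert will fail for some or all recipients.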

Mounts

gopass has a very awesome feature, which allows you to attach another password store to your primary store. This could be useful when integrating other teams or companies. Think of these as mounting an NFS drive to an already mounted filesystem.

gopass mount 3rd-party-contractors git_repositories/dba-team

Delete, Move, Rename

Deleting is simple and straightforward:

gopass delete pord/otp_home_system_auth.totp

or, for a whole directory:

gopass rm -rf pord/

Relocating a file is easy:

gopass move password-store/location/secret destination/secret

Renaming is done the same way as moving.

Other Actions

These kinds of actions might not be done all the time, but are good to have somewhere as a reference.

Create your own password store

Keep in mind that filenames and directories are visible. Try to place your password store somewhere it is not easily visible and name the files accordingly. Even if you use a meaningful name like 'root_password_netapp_appliance_atlanta_DC_closet_5_rack_2', the secret itself is safe; the name just gives away a little more information and makes target enumeration possible.

gopass init

If the password store needs to be in a different location, it can be specified. If you place the password store on a FUSE-type filesystem like SSHFS, S3fs, WebDAV, or NFS and don't want the versioning features that git provides, specify noop as the revision control system:

gopass init --path gpgcli-noop-fs+file:///s3fs/demos/demo_secret_storage --store=demo_secret_storage

OTP

Often One Time Passwords are used to implement higher security. I have seen the AWS root password stored on a finance department director's phone and a technology director's phone, all of which could be compromised. OTP seeds can be stored in the password store, and then the OTP can be presented as though it were the virtual hardware device.

(demos) [user@host ~]$ gpg2 -d demo_secret_storage/pord/otp_home_system_auth.totp.gpg
gpg: encrypted with 2048-bit RSA key, ID D72422A60E875A80, created 2018-08-04
      "Kevin Faulkner (demo account) <root@lazytree.us>"
otpauth://totp/home:kondor6c?issuer=HomeWorkStation&secret=43d1eb1b6212ddf7742f5b04b81649
(demos) [user@host ~]$ gopass otp pord/otp_home_system_auth.totp
357506 lasts 19s        |-----------===================|
(demos) [user@host ~]$ gopass otp pord/otp_home_system_auth.totp
357506 lasts 16s        |--------------================|

The syntax is:

otpauth://totp/${location}:${user}?issuer=${displayName}&secret=${base32}

Adding that as a regular secret (with only that line as the contents) and using gopass otp on the secret object will display the code.
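As an added example (not code from gopass or this repository), here is what gopass otp does with such a secret, in Python: parse the URI into location, user, issuer and seed, then compute the RFC 6238 code and the seconds it lasts. The URI is constructed and uses the RFC 6238 test seed rather than a seed from this repository.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, unquote, urlsplit

# Added example. SAMPLE_URI is constructed; its seed is the RFC 6238 test key
# "12345678901234567890" in base32, not a seed from this repository.
SAMPLE_URI = ("otpauth://totp/home:kondor6c"
              "?issuer=HomeWorkStation&secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")


def parse_otpauth(uri: str) -> dict:
    """Split otpauth://totp/<location>:<user>?issuer=..&secret=.. into its parts."""
    parts = urlsplit(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("only otpauth://totp/ URIs are handled here")
    location, _, user = unquote(parts.path.lstrip("/")).rpartition(":")
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return {
        "location": location,
        "user": user,
        "issuer": query.get("issuer", location),
        "secret": query["secret"],
        "digits": int(query.get("digits", 6)),
        "period": int(query.get("period", 30)),
    }


def totp(secret_b32: str, at: int, digits: int = 6, period: int = 30) -> str:
    """RFC 6238 TOTP with HMAC-SHA1 for unix time `at`."""
    # Accept lowercase/unpadded seeds; b32decode still rejects characters outside
    # the RFC 4648 alphabet (A-Z, 2-7), so a hex string is not a valid seed.
    seed = secret_b32.upper()
    key = base64.b32decode(seed + "=" * (-len(seed) % 8))
    counter = struct.pack(">Q", at // period)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # RFC 4226 dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def remaining(at: int, period: int = 30) -> int:
    """Seconds until the code rolls over (the "lasts Ns" gopass prints)."""
    return period - at % period


def code_for(uri: str, at: int) -> tuple[str, int]:
    """Current code and its remaining lifetime for an otpauth URI at time `at`."""
    p = parse_otpauth(uri)
    return totp(p["secret"], at, p["digits"], p["period"]), remaining(at, p["period"])
```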