GnuPG and Pass

I find myself constantly referring to different sources to set up my password manager, Pass. This post collects the GnuPG and Pass steps in one place for reference.

Installation

References (Archlinux)

GnuPG

According to the official website:

GnuPG is a complete and free implementation of the OpenPGP standard as defined by RFC4880 (also known as PGP). GnuPG allows you to encrypt and sign your data and communications; it features a versatile key management system, along with access modules for all kinds of public key directories. GnuPG, also known as GPG, is a command line tool with features for easy integration with other applications. A wealth of frontend applications and libraries are available. GnuPG also provides support for S/MIME and Secure Shell (ssh).

Install the gnupg package.

    $ sudo pacman -S gnupg

Configurations and the GnuPG key store will be saved at ~/.gnupg.

The configurations are stored in the following files: ~/.gnupg/gpg.conf and ~/.gnupg/dirmngr.conf.

Create a key pair

    $ gpg --full-gen-key

Restore a key pair

In my case I have three devices, and instead of each device having its own key pair I share the key pair between all the devices. When a new device is used or a device is reset, I sync the keys to the device and restore the key pair.

Export private key

    $ gpg --export-secret-keys --armor <user-id> > privkey.asc

Import private key

    $ gpg --import privkey.asc

Important: this method is done entirely in full trust, and there are better ways.

On the new machine you must trust the key:

    $ gpg --edit-key <gpg key>
    gpg> trust

Next, you are presented with the following:

    Please decide how far you trust this user to correctly verify other users' keys
    (by looking at passports, checking fingerprints from different sources, etc.)

        1 = I don't know or won't say
        2 = I do NOT trust
        3 = I trust marginally
        4 = I trust fully
        5 = I trust ultimately
        m = back to the main menu

    Your decision?

In my case this was my key so I chose 5 and was presented with the following screen:

    Your decision? 5
    Do you really want to set this key to ultimate trust? (y/N) y
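
The interactive trust step above can be scripted and guarded by a fingerprint comparison, so ultimate trust is only granted to the key you actually exported. This is an added example, not part of the original post: the function names and the sample listing are constructed, and it assumes you noted the key's fingerprint on the source machine.

```sh
#!/bin/sh
# Added example: check an imported key's fingerprint before granting ultimate
# trust. Function names and the sample listing are constructed for illustration.
# Each function reads `gpg --list-keys --with-colons <user-id>` output on stdin.

# Primary key fingerprint: field 10 of the first "fpr" record after "pub".
primary_fpr() {
    awk -F: '$1 == "pub" { want = 1; next }
             want && $1 == "fpr" { print $10; exit }'
}

# Ownertrust letter: field 9 of the "pub" record
# (u = ultimate, f = full, m = marginal, n = never, - = not set).
owner_trust() {
    awk -F: '$1 == "pub" { print ($9 == "" ? "-" : $9); exit }'
}

# Print the "<fingerprint>:6:" line that `gpg --import-ownertrust` reads
# (6 = ultimate), but only when the listing's fingerprint equals $1, the
# fingerprint recorded on the source machine. Returns 1 on any mismatch.
ownertrust_line() {
    ot_expected=$(printf '%s' "$1" | tr -d ' ' | tr 'abcdef' 'ABCDEF')
    ot_actual=$(primary_fpr)
    [ -n "$ot_actual" ] && [ "$ot_actual" = "$ot_expected" ] || return 1
    printf '%s:6:\n' "$ot_actual"
}

# Constructed sample listing of a freshly imported key (not a real key).
SAMPLE_LISTING='tru::1:1588500000:0:3:1:5
pub:-:4096:1:1111222233334444:1588500000:::-:::scESC::::::23::0:
fpr:::::::::AAAABBBBCCCCDDDDEEEEFFFF1111222233334444:
uid:-::::1588500000::0000000000000000000000000000000000000000::Example User <user@example.org>::::::::::0:
sub:-:4096:1:5555666677778888:1588500000::::::e::::::23:
fpr:::::::::0000999900009999000099995555666677778888:'

# Demo on the sample; on a real machine, pipe gpg into the function instead:
#   gpg --list-keys --with-colons <user-id> \
#     | ownertrust_line "<fingerprint from the source machine>" \
#     | gpg --import-ownertrust
printf '%s\n' "$SAMPLE_LISTING" | ownertrust_line \
    'AAAA BBBB CCCC DDDD EEEE FFFF 1111 2222 3333 4444'
```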

Pass

Install the pass package.

    $ sudo pacman -S pass

To initialize the password store:

    $ pass init <gpg-id or email>

After local initialization, the password store needs to be initialized as a git repository and synced with its origin.

    $ pass git init
    $ pass git remote add origin { insert git origin }

To restore from an existing repo, clone the git repo into ~/.password-store.

    $ git clone <repo> ~/.password-store

There is no particular scheme for organizing the structure or content of the data, but I follow what the author uses and suggests:

    THE_COMPLICATED_PASSWORD
    URL: *.url.com/*
    Username: username_or_email
    Secret Question 1: Some really good question
    Secret Answer 1: The answer to the question
    Phone Support PIN #: Pin

Set default EDITOR

For zsh:

    echo "export EDITOR=vim" >>~/.zshrc

For bash:

    echo "export EDITOR=vim" >>~/.profile

Conclusion

This is a living document so it will change over time with added details. I will include a changelog at the bottom of this post so you know what has been going on. Thank you for reading!

Changelog

2020-05-03

  • Updated restore a key section to include trusting the imported key.
  • Set default EDITOR directions for zsh and bash.
  • Added how to clone an existing git repo for pass usage.
