Beards, Bytes and Brews

bytes of thought by Daniel Tucker

GnuPG and Pass

October 31, 2019

I find myself constantly referring to different sources to set up my password manager, Pass. This post is a single reference that covers both GnuPG and Pass.

Installation

References (Archlinux)

GnuPG

According to the official website:

GnuPG is a complete and free implementation of the OpenPGP standard as defined by RFC4880 (also known as PGP). GnuPG allows you to encrypt and sign your data and communications; it features a versatile key management system, along with access modules for all kinds of public key directories. GnuPG, also known as GPG, is a command line tool with features for easy integration with other applications. A wealth of frontend applications and libraries are available. GnuPG also provides support for S/MIME and Secure Shell (ssh).

Install the gnupg package.

$ sudo pacman -S gnupg

Configurations and the GnuPG store are saved in ~/.gnupg.

The configurations are stored in the following files: ~/.gnupg/gpg.conf and ~/.gnupg/dirmngr.conf.

Create a key pair

$ gpg --full-gen-key

Restore a key pair

In my case I have three devices, and instead of each device having its own key pair I share one key pair between all of them. When a new device is used or a device is reset, I sync the keys to the device and restore the key pair.

Export private key

$ gpg --export-secret-keys --armor <user-id> > privkey.asc

Import private key

$ gpg --import privkey.asc

Important: this method is done entirely on full trust, and there are better ways.

On the new machine you must trust the key:

$ gpg --edit-key <gpg key>
gpg> trust

Next, you are presented with the following:

Please decide how far you trust this user to correctly verify other users' keys
(by looking at passports, checking fingerprints from different sources, etc.)

    1 = I don't know or won't say
    2 = I do NOT trust
    3 = I trust marginally
    4 = I trust fully
    5 = I trust ultimately
    m = back to the main menu

Your decision?

In my case this was my key so I chose 5 and was presented with the following screen:

Your decision? 5
Do you really want to set this key to ultimate trust? (y/N) y

Pass

Install the pass package.

$ sudo pacman -S pass

To initialize the password store:

$ pass init <gpg-id or email>

After local initialization, the password store needs to be initialized as a git repository and synced with its origin.

$ pass git init
$ pass git remote add origin { insert git origin }

To restore from an existing repo, clone the git repo into ~/.password-store.

$ git clone <repo> ~/.password-store

There is no particular scheme for organizing the structure or content of the data, but I follow what the author uses and suggests:

THE_COMPLICATED_PASSWORD
URL: *.url.com/*
Username: username_or_email
Secret Question 1: Some really good question
Secret Answer 1: The answer to the question
Phone Support PIN #: Pin
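
An added example (not from the original post or the pass project): shell helpers that pull a single field out of an entry laid out as above, so a script can read the username or URL without printing the password. The function names `pass_password` and `pass_field` and the sample entry are constructed for illustration; in real use the input would come from `pass show <entry>`.

```shell
#!/bin/sh
# Added example: read fields from a multi-line pass entry.
# Layout assumed: line 1 is the password, every later line is "Key: value".

# Constructed sample entry (stands in for the output of `pass show <entry>`).
sample_entry() {
cat <<'EOF'
THE_COMPLICATED_PASSWORD
URL: https://login.example.com:8443/*
Username: user@example.com
Secret Question 1: Some really good question
Secret Answer 1: The answer: with a colon
Phone Support PIN #: 004271
EOF
}

# pass_password: print only the first line (the password itself).
pass_password() {
    sed -n '1p'
}

# pass_field KEY: print the value of the first "KEY: value" line after line 1.
# The key match is exact but case-insensitive, and the split happens only at
# the first ": ", so values containing colons (URLs, answers) stay intact.
# Returns 1 when the key is not present.
pass_field() {
    awk -v key="$1" '
        NR == 1 { next }    # never treat the password line as a field
        {
            i = index($0, ": ")
            if (i == 0) next
            if (tolower(substr($0, 1, i - 1)) == tolower(key)) {
                print substr($0, i + 2)
                found = 1
                exit
            }
        }
        END { exit (found ? 0 : 1) }
    '
}

# Stand-alone demonstration on the constructed entry.
sample_entry | pass_field "Username"
```
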

Set default EDITOR

For zsh:

echo "export EDITOR=vim" >>~/.zshrc

For bash:

echo "export EDITOR=vim" >>~/.profile

Conclusion

This is a living document so it will change over time with added details. I will include a changelog at the bottom of this post so you know what has been going on. Thank you for reading!

Changelog

2020-05-03

  • Updated restore a key section to include trusting the imported key.
  • Set default EDITOR directions for zsh and bash.
  • Added how to clone an existing git repo for pass usage.