This repository contains a base template for a password store repository to be used by teams.
It contains:
- A README.md to adapt to your team
- A script to setup a unique alias based on the directory name.
- A Makefile with some common tools
This is based on some original work from me and some contributions from my colleagues in GDS :)
Assuming you want to call your pass alias team-pass, but any other alias
can be used.
- Clone this repo in a directory like ~/.team-pass
- Adapt the README.md to remove these first instructions. Specially
change the strings:
<TEAM-GIT-REPO-URL>team-pass
- Install pass as described in the instructions below
- Init your pass repo:
cd ~/.team-pass
pass init GPGID GPGID GPGID GPGID ... # All your teams ids
- Share it with your team :)
This is a Git repository that contains a Database of passwords shared in the team.
IMPORTANT: This repository is a database managed by a external opensource software called pass (http://passwordstore.org/), that you must install in your computer (instructions below).
First you need access to the git repository that contains the database. We will store this in the internal GitHub repository.
You also need a valid gpg key with all the keys encrypted.
Some quick command to install it using native packages in most common distributions and OS:
- MacOSX:
brew install pass gnupg - Debian/Ubuntu/Mint:
sudo apt-get install pass - Redhat/Centos/Fedora:
sudo yum install pass
You will need version 1.5 or later. Default Ubuntu 14.04 version is 1.4.2. You can get latest version from github. Unpack and install using:
sudo make install
Additionally, if this doesn't work, you can find guides on the internet:
- http://zx2c4.com/projects/password-store/#download
- http://www.stackednotion.com/blog/2012/09/10/setting-up-pass-on-os-x/
I recommend you clone this in a different directory than the default pass DB
so it does not conflict with your own private pass DB. To do that, you should
clone the pass repo in a alternate location and create an alias to use pass
with the command team-pass by following these instructions:
git clone <TEAM-REPO-URL> ~/.team-pass
If this doesn't work for you, try cloning using:
git clone <TEAM-REPO-URL> ~/.team-pass
If you use Bash (probably), add this to your ~/.bashrc:
# Load the custom .*-pass I have
for i in ~/.*-pass; do
[ -e $i/.load.bash ] && . $i/.load.bash
done
Now just reload your bash:
exec bash -l
team-pass
Check if you have any problem with this script, or if you are using other shell.
Finally, import and sign the keys (see untrusted key issue below for full explanation):
make import-and-sign
I encourage you to read the man page, man pass or http://git.zx2c4.com/password-store/about/
There's also inline help: team-pass --help
-
Get last version of the repo:
team-pass git pull --rebase team-pass git push -
Generate a password and push branch for a pull request:
team-pass generate -n os/dev/test 16 # Will generate a password without symbols of 16 characters team-pass git push -
Delete a password and push branch for a pull request:
team-pass delete os/dev/test team-pass git push
The current list of recipients can be listed with:
make list-keys
New recipients will need to send their GPG key ID to an existing recipient. This can be found with:
gpg -K
To make the key available to others you should add it to a keyserver.
gpg --send-keys <gpg key ID>
An existing recipient should add this to the file .gpg-id. Similarly, old
recipients that you no longer wish to have access, can be removed from this
file. However they will still have access to old versions of the password
store so you should rotate all of the contained passwords at the same time.
To re-encrypt the passwords against the new list of recipients:
team-pass git checkout -b change_recipients
team-pass init $(cat .gpg-id)
For jenkins or any other subdirectory:
team-pass init -p jenkins $(cat jenkins/.gpg-id)
Then:
team-pass git push origin change_recipients
team-pass git checkout master
You should then create a pull request from that pushed branch.
If you get an error gpg: BB78B8A9: There is no assurance this key belongs to the named user:
gpg: 1C818280: There is no assurance this key belongs to the named user
gpg: /var/folders/y8/7v28hjzx673cr9j19_16xnv40000gn/T/pass.XXXXXXXXXXXXX.X5vBmbwl/pass.XXXXXXXXXXXXX.EGvtwyJ9: encryption failed: Unusable public key
GPG encryption failed. Retrying.
Run the make target which will import and sign all of the teams keys:
make import-and-sign
It will prompt you for each change and will not push the signatures to a remote keyserver. This is marginally better than needing to "ultimately" trust all of the other recipients, because they could have an effect on what other keys you implicitly trust based on their signatures.
The script .team-pass/.load.bash contains generic code to define the aliases and shell completion.
You might need to adapt the script to work with other shells (csh, fish, etc).
There are completion definitions in the original pass source code for fancy shells.