nunogrl.com - secrets-managementhttps://nunogrl.com/2024-03-21T00:00:00+00:00Password Store with GPG and Git2024-03-21T00:00:00+00:002024-03-21T00:00:00+00:00Nuno Leitaotag:nunogrl.com,2024-03-21:/articles/password-store-gpg-git/<p class="first last">Learn how to set up a secure, Git-based password management system using password-store and GPG encryption</p>
<div class="section" id="problem-solution">
<h2>🚀 Problem & Solution</h2>
<div class="section" id="context-backstory">
<h3>📌 <strong>Context / Backstory</strong></h3>
<p>We needed a secure way to manage passwords and secrets across multiple servers and team members. Commercial password managers were either too complex, costly, or required external services we wanted to avoid.</p>
</div>
<div class="section" id="the-problem">
<h3>⚠️ <strong>The Problem</strong></h3>
<p>Managing secrets across systems and teams presents several challenges:</p>
<ul class="simple">
<li>Keeping passwords secure yet accessible</li>
<li>Tracking changes and maintaining history</li>
<li>Sharing secrets securely between team members</li>
<li>Avoiding dependency on external services</li>
</ul>
</div>
<div class="section" id="the-solution">
<h3>💡 <strong>The Solution</strong></h3>
<p>We implemented <cite>password-store</cite> with GPG encryption and Git integration, providing:</p>
<ul class="simple">
<li>Secure GPG encryption for all secrets</li>
<li>Git-based version control and distribution</li>
<li>Fully local operation with no external dependencies</li>
<li>Command-line interface for automation</li>
</ul>
</div>
<div class="section" id="who-this-helps">
<h3>👥 <strong>Who This Helps</strong></h3>
<ul class="simple">
<li>System administrators managing multiple servers</li>
<li>DevOps teams handling shared credentials</li>
<li>Security-conscious users wanting local password management</li>
<li>Teams needing version-controlled secrets</li>
</ul>
</div>
</div>
<div class="section" id="technical-implementation">
<h2>⚙️ Technical Implementation</h2>
<p>Let's visualize the password-store workflow:</p>
<div class="mermaid" id="mermaid-diagram-5400457694691543625">
flowchart LR
P[Password] -->|Encrypt| G[GPG]
G -->|Store| PS[password-store]
PS -->|Version| Git[Git Repository]
Git -->|Sync| T[Team Members]
subgraph "Local System"
P
G
PS
end
subgraph "Distribution"
Git
T
end</div><div class="section" id="generating-gpg-keys-in-batch-mode">
<h3>1️⃣ Generating GPG Keys in Batch Mode</h3>
<p>For automated environments:</p>
<div class="highlight"><pre><span></span>cat<span class="w"> </span>><span class="w"> </span>gpg-server-key.conf<span class="w"> </span><span class="s"><<EOF</span>
<span class="s">%no-protection</span>
<span class="s">Key-Type: default</span>
<span class="s">Subkey-Type: default</span>
<span class="s">Name-Real: Server Automation Key</span>
<span class="s">Name-Email: server@example.com</span>
<span class="s">Expire-Date: 0</span>
<span class="s">%commit</span>
<span class="s">EOF</span>
gpg<span class="w"> </span>--batch<span class="w"> </span>--generate-key<span class="w"> </span>gpg-server-key.conf
</pre></div>
</div>
<div class="section" id="setting-up-the-environment">
<h3>2️⃣ Setting Up the Environment</h3>
<div class="highlight"><pre><span></span><span class="nb">export</span><span class="w"> </span><span class="nv">PASSWORD_STORE_GPG_OPTS</span><span class="o">=</span><span class="s2">"--armor"</span>
<span class="nb">export</span><span class="w"> </span><span class="nv">GNUPGHOME</span><span class="o">=</span>/etc/password-store/.gnupg
<span class="nb">export</span><span class="w"> </span><span class="nv">PASSWORD_STORE_DIR</span><span class="o">=</span>/etc/password-store/store
</pre></div>
</div>
<div class="section" id="initializing-the-password-store">
<h3>3️⃣ Initializing the Password Store</h3>
<div class="highlight"><pre><span></span>mkdir<span class="w"> </span>-p<span class="w"> </span><span class="s2">"</span><span class="nv">$GNUPGHOME</span><span class="s2">"</span><span class="w"> </span><span class="s2">"</span><span class="nv">$PASSWORD_STORE_DIR</span><span class="s2">"</span>
chmod<span class="w"> </span><span class="m">700</span><span class="w"> </span><span class="s2">"</span><span class="nv">$GNUPGHOME</span><span class="s2">"</span><span class="w"> </span><span class="s2">"</span><span class="nv">$PASSWORD_STORE_DIR</span><span class="s2">"</span>
pass<span class="w"> </span>init<span class="w"> </span>server@example.com
</pre></div>
</div>
<div class="section" id="git-integration">
<h3>4️⃣ Git Integration</h3>
<div class="highlight"><pre><span></span><span class="nb">cd</span><span class="w"> </span><span class="s2">"</span><span class="nv">$PASSWORD_STORE_DIR</span><span class="s2">"</span>
git<span class="w"> </span>init
git<span class="w"> </span>add<span class="w"> </span>.
git<span class="w"> </span>commit<span class="w"> </span>-m<span class="w"> </span><span class="s2">"Initial password store"</span>
git<span class="w"> </span>remote<span class="w"> </span>add<span class="w"> </span>origin<span class="w"> </span>git@example.com:secrets.git
git<span class="w"> </span>push<span class="w"> </span>-u<span class="w"> </span>origin<span class="w"> </span>main
</pre></div>
</div>
</div>
<div class="section" id="troubleshooting-debugging">
<h2>🛠️ Troubleshooting & Debugging</h2>
<ul class="simple">
<li>Ensure proper GPG key permissions (700 for directories, 600 for files)</li>
<li>Verify GPG recipient when encryption fails</li>
<li>Check Git remote access rights for sync issues</li>
<li>Monitor Git conflicts when multiple users update simultaneously</li>
</ul>
</div>
<div class="section" id="optimizations-alternatives">
<h2>🔁 Optimizations & Alternatives</h2>
<ul class="simple">
<li>Consider using GPG agent for improved key handling</li>
<li>Implement Git hooks for pre-commit validation</li>
<li>Use Git branches for testing password updates</li>
<li>Consider <cite>pass</cite> extensions for additional features</li>
</ul>
</div>
<div class="section" id="conclusion-takeaways">
<h2>✅ Conclusion & Takeaways</h2>
<p>Using GPG with password-store provides a <strong>flexible, secure, and lightweight</strong> method for managing secrets across machines. With Git integration, you get version history, team sharing, and distributed backup—<strong>without compromising security</strong>.</p>
</div>
<div class="section" id="comments-next-steps">
<h2>💬 Comments & Next Steps</h2>
<p>How do you manage shared secrets in your infrastructure? Share your experience or ask questions below!</p>
</div>