GPG & Gopass & Gitlab

Page content

GPG and how to use it

Create a Key with ECC

gpg --expert --full-generate-key
  • (9) ECC and ECC
  • (1) Curve 25519
  • 0 = key does not expire (or whatever you prefer!)
  • Real name: Max Muster
  • Email address: [email protected]
  • Comment: -
pub   ed25519 2022-09-04 [SC]
      256ADFCEBD49C20DFACDCCABADA0F56BC7B20E6E
uid                      Max Muster (-) <[email protected]>
sub   cv25519 2022-09-04 [E]

Public Key

max@host $ gpg
/home/max/.gnupg/pubring.kbx
----------------------------
pub   ed25519 2022-09-04 [SC]
      256ADFCEBD49C20DFACDCCABADA0F56BC7B20E6E
uid           [ultimate] Max Muster (-) <[email protected]>
sub   cv25519 2022-09-04 [E]

Private Key

max@host $ gpg -K
/home/max/.gnupg/pubring.kbx
----------------------------
sec   ed25519 2022-09-04 [SC]
      256ADFCEBD49C20DFACDCCABADA0F56BC7B20E6E
uid           [ultimate] Max Muster (-) <[email protected]>
ssb   cv25519 2022-09-04 [E]

Export All Keys

ASCII Format

gpg --export --armor > public.key.asc
gpg --export-secret-key --armor > private.key.asc

GPG Format

gpg --output public.gpg --export
gpg --output private.gpg --export-secret-key

Export one Key only

Set Key

keyID=256ADFCEBD49C20DFACDCCABADA0F56BC7B20E6E

ASCII Format

gpg --export --armor > $keyID.pub.key.asc $keyID
gpg --export-secret-key --armor > $keyID.key.asc $keyID

GPG Format

gpg --output $keyID.pub.gpg --export $keyID
gpg --output $keyID.gpg --export-secret-key $keyID

Export to QRCode

gpg --export --armor |qrencode -t UTF8
gpg --export-secret-keys --armor |qrencode -t UTF8

Export QRCode to PNG

qrencode -r $keyID.pub.key.asc -o $keyID.pub.png
qrencode -r $keyID.key.asc -o $keyID.png

Delete private Key without asking!

gpg --yes --batch --delete-secret-key $keyID

Delete both Keys without asking!

gpg --yes --batch --delete-secret-and-public-key $keyID

Key Management

List Keys

max@host $ file *key*
private.key:     data
private.key.asc: ASCII text
public.key:      data
public.key.asc:  PGP public key block

Delete Key

keyID=
gpg --delete-secret-key $keyID
gpg --delete-key $keyID

or delete both without asking!

gpg --yes --batch --delete-secret-and-public-key $keyID

Head Key ASCII

max@host $ head -4 *.asc
==> private.key.asc <==
-----BEGIN PGP PRIVATE KEY BLOCK-----

lIYEYxSXzxYJKwYBBAHaRw8BAQdA9IWcCcwyE6tMSsWsgzdDQjRRVkXeNtztt/NH
ezE0XG3+BwMCFnVV0XbmKeTHpd6n+6DNwNGMzL/1NZf28cNOiRR84Gwex69b9J5O

==> public.key.asc <==
-----BEGIN PGP PUBLIC KEY BLOCK-----

mDMEYxSXzxYJKwYBBAHaRw8BAQdA9IWcCcwyE6tMSsWsgzdDQjRRVkXeNtztt/NH
ezE0XG20H01heCBNdXN0ZXIgKC0pIDxtYXhAbXVzdGVyLm5ldD6IkAQTFggAOBYh

Setup Gopass

Install Package

doas pkg_add gopass

Initial Setup

max@host /gopass$ gopass setup

   __     _    _ _      _ _   ___   ___
 /'_ '\ /'_'\ ( '_'\  /'_' )/',__)/',__)
( (_) |( (_) )| (_) )( (_| |\__, \\__, \
'\__  |'\___/'| ,__/''\__,_)(____/(____/
( )_) |       | |
 \___/'       (_)

🌟 Welcome to gopass!
🌟 Initializing a new password store ...
🌟 Configuring your password store ...
Please enter an email address for password store git config []: [email protected]
❓ Do you want to add a git remote? [y/N/q]: n
βœ… Configuration written to /home/max/.local/share/gopass/stores/root

Add Passwords

gopass

generate host1/tick
generate host1/trick
generate host1/track

gopass> ls
gopass
└── host1/
    β”œβ”€β”€ tick
    β”œβ”€β”€ track
    └── trick

List Passwords

-> you have to unlock your gpg key !

gopass> show host1/trick
⚠ Parsing is enabled. Use -n to disable.
Secret: host1/trick

P6CA4Q3Wg7VQFAuInWQUqyPd

add Gitlab Repo

Create Repo on Gitlab

Init new Store

gopass init --store entenhausen
gopass git remote add --store entenhausen origin [email protected]:stoege/entenhausen

add Keys

generate entenhausen/dagobert
generate entenhausen/daisy
generate entenhausen/donald

mov tick, trick and track

mv host1/tick entenhausen/
mv host1/trick entenhausen/
mv host1/track entenhausen/
sync

show gitlab repo

gopass> ls
gopass
└── entenhausen (/home/max/.local/share/gopass/stores/entenhausen)
    β”œβ”€β”€ dagobert
    β”œβ”€β”€ daisy
    β”œβ”€β”€ donald
    β”œβ”€β”€ tick
    β”œβ”€β”€ track
    └── trick

Create OTP

insert -m entenhausen/otp/vultr

add whatever you got from your OTP Setup

topsecret1234
---
totp: P2Xxxxxxxxxxxxxxxxxxxxxxxx

Show OTP

gopass> otp entenhausen/otp/vultr
385XXX

Mobile App - “Pass - Password Store”

there is even a mobile App where you can add an SSH Key (for Accessing Gitlab.com), and the GPG Key for Encrypting/Decrpyting the Entries of Entenhausen …

… but do you trust your mobile device enough to store your private keys, enter the passphrases and give it access to all your secrets ? this definitly depends on you!


Any Comments ?

sha256: c3c4c44e2bb82853a26ec3ef50bd8fa87bba506db8715f679343fd647d5d4f6b