How to hackerpass
pass is the secret-sharing infrastructure we use at hackeriet. It is low effort, and every write becomes a Git commit. Since hackerpass lives in a private repo, the README.md from that repo is pasted below so others can benefit from the docs.
The name hackerpass is something someone chose at one time to separate it from plain pass. Feel free to name your own non-hackeriet shared pass repo pinkfluffyunicornpass or something to avoid confusion. 🦄
Getting started
You'll need a GPG key for this. Send your public key to someone who already has access, so they can follow "Adding a new user" below. You also need to be a member of the hackeriet org on GitHub for the clone in the next step to succeed.
First install pass, then clone this repository into ~/.hackeriet_pass:
git clone git@github.com:hackeriet/pass.git ~/.hackeriet_pass
Then add the following alias to your .bashrc:
alias hackerpass='PASSWORD_STORE_DIR="$HOME/.hackeriet_pass" pass'
Then import the public keys of the existing users (one key ID or fingerprint per line in .gpg-id) from the keyservers:
for i in $(<~/.hackeriet_pass/.gpg-id) ; do gpg --recv-keys "$i" ; done
To update the password database from this repo type:
hackerpass git pull
Adding a password
Beware that this repository leaks file name information to everyone with access to the repo: only the file contents are encrypted. Generally use the FQDN as the file name, unless it reveals something it should not.
hackerpass generate that-place-i-put-that-thing-one-time.com 28
Then remember to push the new password:
hackerpass git push
Adding a new user
1. Verify identity (lightweight, but not anonymous)
Make sure the person in front of you is the one who controls the key.
This does not require formal ID checks.
Avoid adding keys you only know from random electronic contact with no real-world context.
You should at least have met them or otherwise have a non-trivial trust path.
2. Import the public key
If you received a file (for example userkey.asc):
gpg --import userkey.asc
3. Inspect and confirm the key ID
Avoid listing all keys. Query only the specific key, using an identifier such as the email address:
gpg --list-keys --keyid-format LONG user@example.org
gpg --fingerprint user@example.org
Example output:
pub   rsa4096/499377E001102050 2025-02-08 [SC]
      F99B7D88CEBE2D692788216B499377E001102050
uid           [marginal] Example User <user@example.org>
Use the full fingerprint (for example: F99B7D88CEBE2D692788216B499377E001102050) as the <PGP_KEY_ID> in the steps below. Do not use the short 64-bit key ID (499377E001102050): short IDs are cheap to collide, the full fingerprint is not. Compare the fingerprint with the one the person gives you out of band.
4. Certify the key locally
Add a local (non-exportable) signature so GnuPG treats the key as valid and will actually use it for encryption:
gpg --lsign-key <PGP_KEY_ID>
This avoids errors like:
gpg: <PGP_KEY_ID>: There is no assurance this key belongs to the named user
gpg: [stdin]: encryption failed: Unusable public key
5. Re-encrypt the store including the new user
Reinitialise the password store with all existing recipients plus the new key. pass init with the full recipient list re-encrypts every entry to all listed keys, rewrites .gpg-id and commits the result:
hackerpass init $(<~/.hackeriet_pass/.gpg-id) <PGP_KEY_ID>
Then push the re-encrypted store:
hackerpass git push
Alternative: TOFU trust model
If you cannot or do not want to sign the key with your own key, you can use GnuPG's TOFU policy instead. Note that TOFU policies are only consulted when GnuPG's trust model is tofu or tofu+pgp (for example trust-model tofu+pgp in gpg.conf); with the default pgp trust model the command below has no effect on encryption.
gpg --tofu-policy good <PGP_KEY_ID>
Then repeat the re-encryption step:
hackerpass init $(<~/.hackeriet_pass/.gpg-id) <PGP_KEY_ID>
hackerpass git push
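The steps above, using the local-signature variant, as one script. This is an added example, not a script from the hackerpass repo: it assumes the store is in ~/.hackeriet_pass (or $PASSWORD_STORE_DIR), that the new key arrives as an ASCII-armored file, and that GnuPG 2.2 or newer is installed. Step 1 stays manual: you pass in the fingerprint you verified with the person, and the script refuses to import or re-encrypt if the key file does not match it.

```shell
#!/usr/bin/env bash
# add-hackerpass-user.sh (added example, not part of the hackerpass repo):
# steps 2 to 5 of "Adding a new user" in one go, with a fingerprint check in
# front of the import so a wrong or swapped key file never reaches the keyring.
#
# Assumptions: store in ~/.hackeriet_pass or $PASSWORD_STORE_DIR, key given as
# an armored file, GnuPG >= 2.2 (for --import-options show-only and
# --quick-lsign-key).
set -eu

STORE="${PASSWORD_STORE_DIR:-$HOME/.hackeriet_pass}"

# Accept only a full 40-hex-digit fingerprint (spaces allowed). Short key IDs
# such as 499377E001102050 are rejected: they are cheap to collide.
is_fingerprint() {
  printf '%s' "$1" | tr -d '[:space:]' | grep -Eq '^[0-9A-Fa-f]{40}$'
}

# Uppercase, no spaces: the form gpg --with-colons prints in "fpr" records.
normalize_fingerprint() {
  printf '%s\n' "$1" | tr -d '[:space:]' | tr '[:lower:]' '[:upper:]'
}

# Existing .gpg-id entries plus the new key, one per line. Blank lines and
# comment lines are dropped and duplicates removed, so re-running the script
# for a key that is already present does not list it twice.
recipients() {
  {
    grep -Ev '^[[:space:]]*(#|$)' "$1" || true
    printf '%s\n' "$2"
  } | awk '!seen[$0]++'
}

# Fingerprint of the primary key in an armored key file, read without
# importing it (show-only). The first "fpr" record is the primary key.
fingerprint_of_file() {
  gpg --with-colons --import-options show-only --import "$1" \
    | awk -F: '$1 == "fpr" { print $10; exit }'
}

main() {
  keyfile="$1"
  expected="$(normalize_fingerprint "$2")"

  is_fingerprint "$expected" || {
    echo "need the full 40-hex fingerprint, got: $2" >&2
    exit 2
  }

  actual="$(fingerprint_of_file "$keyfile")"
  if [ "$actual" != "$expected" ]; then
    echo "fingerprint mismatch: $keyfile contains $actual, you verified $expected" >&2
    exit 3
  fi

  gpg --import "$keyfile"
  # Non-interactive equivalent of "gpg --lsign-key": a local, non-exportable
  # certification, so GnuPG encrypts to the key without the "no assurance" error.
  gpg --quick-lsign-key "$expected"

  # pass init with the full recipient list re-encrypts every entry and commits.
  # Word splitting of $(...) is intended: one recipient per word.
  # shellcheck disable=SC2046
  PASSWORD_STORE_DIR="$STORE" pass init $(recipients "$STORE/.gpg-id" "$expected")
  PASSWORD_STORE_DIR="$STORE" pass git push
}

# Usage: ./add-hackerpass-user.sh userkey.asc F99B7D88CEBE2D692788216B499377E001102050
if [ "$#" -eq 2 ]; then
  main "$@"
fi
```

The fingerprint is read from the file with show-only before anything is imported, and compared with the value you verified in step 1; an import of the wrong key (or a file someone swapped in transit) fails closed at exit code 3 rather than ending up as a recipient of every secret in the store.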
Notes
Every password change creates a Git commit in the repository.
File names and directory structure are not encrypted; only the contents of each entry are.
Always run hackerpass git pull before adding or changing entries to avoid merge conflicts.
Removing a user (running hackerpass init without their key) re-encrypts the current entries, but the old ciphertexts encrypted to the removed key remain in the Git history. When someone leaves, rotate the secrets themselves; re-encryption alone does not revoke what they could already decrypt.