Hackeriet

User Tools

Site Tools

You are here: start » infra » hackerpass
infra:hackerpass

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
infra:hackerpass [2025/11/22 20:38] atluxity_idp.hackeriet.noinfra:hackerpass [2025/11/22 20:58] (current) atluxity_idp.hackeriet.no
Line 53: Line 53:
 ===== Adding a new user ===== ===== Adding a new user =====
  
-After you have the new users' PGP key in your keyringreencrypt the whole repository adding the new key:+==== 1. Verify identity (lightweightbut not anonymous) ====
  
-<code> +Make sure the person in front of you is the one who controls the key.
-hackerpass init $(<~/.hackeriet_pass/.gpg-id) <PGP key signature> +
-</code>+
  
-And then push it:+This does not require formal ID checks.
  
-<code> +Avoid adding keys you only know from random electronic contact with no real-world context.
-hackerpass git push +
-</code>+
  
-If you get the error message+You should at least have met them or otherwise have a non-trivial trust path.
  
-<code> +==== 2. Import the public key ====
-gpg: <PGP key signature>: There is no assurance this key belongs to the named user +
-gpg: [stdin]: encryption failed: Unusable public key +
-</code>+
  
-then do:+If you received a file (for example ''userkey.asc''):
  
-<code> +<code bash> gpg --import userkey.asc </code>
-gpg --lsign-key <PGP key signature> +
-</code>+
  
-or if you don't have your certification key available, you can set the tofu policy for the keys:+==== 3. Inspect and confirm the key ID ====
  
-<code> +Avoid listing all keys. Query only the specific key, using an identifier such as email: 
-gpg --tofu-policy good $(cat .hackeriet_pass/.gpg-id)  + 
-</code>+<code bash
 +gpg --list-keys --keyid-format LONG user@example.org 
 +gpg --fingerprint user@example.org </code> 
 + 
 +Example output: 
 + 
 +<code> pub rsa4096/499377E001102050 2025-02-08 [SC] F99B7D88CEBE2D692788216B499377E001102050 uid [marginal] Example User <user@example.org> </code> 
 + 
 +Use the full fingerprint (for example: ''F99B7D88CEBE2D692788216B499377E001102050'') as the ''<PGP_KEY_ID>'': 
 + 
 + 
 +==== 4. Set trust on the key ==== 
 + 
 +Mark the key as trusted locally, so GnuPG will actually use it for encryption: 
 + 
 +<code bash> gpg --lsign-key <PGP_KEY_ID> </code> 
 + 
 +This avoids errors like: 
 + 
 +<code> gpg: <PGP_KEY_ID>: There is no assurance this key belongs to the named user gpg: [stdin]: encryption failed: Unusable public key </code> 
 + 
 +==== 5. Re-encrypt the store including the new user ==== 
 + 
 +Reinitialise the password store with all existing recipients plus the new key: 
 + 
 +<code bash> hackerpass init $(<~/.hackeriet_pass/.gpg-id) <PGP_KEY_ID> </code> 
 + 
 +Then push the updated encryption: 
 + 
 +<code bash> hackerpass git push </code> 
 + 
 +==== Alternative: TOFU trust model ==== 
 + 
 +If you cannot or do not want to sign the key with your certification key, you can use GnuPG’s TOFU trust: 
 + 
 +<code bash> gpg --tofu-policy good <PGP_KEY_ID> </code> 
 + 
 +Then repeat the re-encryption step: 
 + 
 +<code bash> hackerpass init $(<~/.hackeriet_pass/.gpg-id) <PGP_KEY_ID> hackerpass git push </code> 
 + 
 +===== Notes ===== 
 + 
 +Every password change creates a Git commit in the repository. 
 + 
 +File names and directory structure are not encrypted. 
 + 
 +Always run ''hackerpass git pull'' before adding or changing entries to avoid merge conflicts.
/srv/hackeriet-wiki/dokuwiki/data/pages/infra/hackerpass.txt · Last modified: by atluxity_idp.hackeriet.no