Differences

This shows you the differences between two versions of the page.

--- infra:hackerpass [2024/03/23 17:45] – created kfh
+++ infra:hackerpass [2025/11/22 20:58] (current) – atluxity_idp.hackeriet.no
@@ Line 1: / Line 1: @@
-How to hackerpass
+====== How to hackerpass ======
+pass is the secret sharing infra we use at hackeriet. It's low effort, and every write becomes a commit. Since hackerpass is on a private repo, the README.md file from that repo is pasted below so others can benefit from the docs.
+The name hackerpass is something someone chose at one time to separate from pass. Feel free to name your own non-hackeriet shared pass repo pinkfluffyunicornpass or something to avoid confusion. 🦄
+----
+===== Getting started =====
+You'll need a GPG key for this. Send your public key to someone who already has access to follow "Adding a new user" below. You also need to be a member of hackeriet org in github for this next part to succeed.
+First install pass, then clone this repository into ~/.hackeriet_pass:
+<code>
+git clone git@github.com:hackeriet/pass.git ~/.hackeriet_pass
+</code>
+Then add the following alias to your .bashrc:
+<code>
+alias hackerpass='PASSWORD_STORE_DIR="$HOME/.hackeriet_pass" pass'
+</code>
+And import the gpg keys:
+<code>
+for i in $(<.hackeriet_pass/.gpg-id) ; do gpg --recv $i ; done
+</code>
+To update the password database from this repo type:
+<code>
+hackerpass git pull
+</code>
+===== Addding a password =====
+Beware this repository leaks file name information to everyone with access to the repo. Generally use the FQDN as a file name unless it reveals something it should not.
+<code>
+hackerpass generate that-place-i-put-that-thing-one-time.com 28
+</code>
+Then remember to push the new password:
+<code>
+hackerpass git push
+</code>
+===== Adding a new user =====
+==== 1. Verify identity (lightweight, but not anonymous) ====
+Make sure the person in front of you is the one who controls the key.
+This does not require formal ID checks.
+Avoid adding keys you only know from random electronic contact with no real-world context.
+You should at least have met them or otherwise have a non-trivial trust path.
+==== 2. Import the public key ====
+If you received a file (for example ''userkey.asc''):
+<code bash> gpg --import userkey.asc </code>
+==== 3. Inspect and confirm the key ID ====
+Avoid listing all keys. Query only the specific key, using an identifier such as email:
+<code bash>
+gpg --list-keys --keyid-format LONG user@example.org
+gpg --fingerprint user@example.org </code>
+Example output:
+<code> pub rsa4096/499377E001102050 2025-02-08 [SC] F99B7D88CEBE2D692788216B499377E001102050 uid [marginal] Example User <user@example.org> </code>
+Use the full fingerprint (for example: ''F99B7D88CEBE2D692788216B499377E001102050'') as the ''<PGP_KEY_ID>'':
+==== 4. Set trust on the key ====
+Mark the key as trusted locally, so GnuPG will actually use it for encryption:
+<code bash> gpg --lsign-key <PGP_KEY_ID> </code>
+This avoids errors like:
+<code> gpg: <PGP_KEY_ID>: There is no assurance this key belongs to the named user gpg: [stdin]: encryption failed: Unusable public key </code>
+==== 5. Re-encrypt the store including the new user ====
+Reinitialise the password store with all existing recipients plus the new key:
+<code bash> hackerpass init $(<~/.hackeriet_pass/.gpg-id) <PGP_KEY_ID> </code>
+Then push the updated encryption:
+<code bash> hackerpass git push </code>
+==== Alternative: TOFU trust model ====
+If you cannot or do not want to sign the key with your certification key, you can use GnuPG’s TOFU trust:
+<code bash> gpg --tofu-policy good <PGP_KEY_ID> </code>
+Then repeat the re-encryption step:
+<code bash> hackerpass init $(<~/.hackeriet_pass/.gpg-id) <PGP_KEY_ID> hackerpass git push </code>
+===== Notes =====
+Every password change creates a Git commit in the repository.
+File names and directory structure are not encrypted.
+Always run ''hackerpass git pull'' before adding or changing entries to avoid merge conflicts.