gopass is a neat open source tool for secret management. It handles (GPG) encryption and stores data in a git repo. It’s designed primarily to manage passwords, but can effectively manage anything that can be represented in text.
Our existing secret stores that you have access to may be found with a GitHub search.
Getting Started
Installation
The upstream docs cover the actual gopass installation. We suggest configuring shell autocompletion, as it makes usage much nicer.
Setting up a secret store
You will need a valid GPG key.
Validate this with gpg --list-secret-keys (please double check the expiration so you don’t accidentally lose access at a critical time).
Ask one of the existing secret store admins to grant access.
- You will need access to the repository itself, usually via a GitHub team.
- Then the admin will need to add you to the recipients list by running
gopass recipients add.
Now you can clone the repo:
$ gopass clone [email protected]:voxpupuli/gopass-{name}.git voxpupuli/{name}
Run gopass ls and ensure that you can see all secrets.
Display a secret to ensure that decryption is working properly.
For example:
$ gopass ls
gopass
├── puppet/
│ └── forge/
│ ├── herculesteam
│ ├── puppet
│ └── voxpupuli
$ gopass show puppet/forge/puppet
Secret: puppet/forge/puppet
{redacted}
Username: puppet
URL: https://forge.puppet.com/login
Common commands
Most of the basic interaction you’ll need is:
gopass lswill show an overview of all secrets you have access to.gopass show name/of/secretwill display the decrypted secret.gopass edit name/of/secretis how you update a secret.
For more advanced usage, see the gopass-cheat-sheet or see the command docs.
To list all GPG keys (people) that have access to the repo, run gopass recipients
$ gopass recipients
Hint: run 'gopass sync' to import any missing public keys
gopass
├── 0x2b04d7500fe1c6dd15692bb6779eba5eb9d631b8 => 0x779EBA5EB9D631B8 - Sebastian Rakel <[email protected]>
├── 0x559BEE876892AA5ECD925F28B352E2A17BB89EF5 => 0xB352E2A17BB89EF5 - Ewoud Kohl van Wijngaarden (Red Hat) <[email protected]>
├── 0x82349A78E7C0B8070B5980FFBA4D1D955112336F => 0xBA4D1D955112336F - Romain Tartière <[email protected]>
├── 0x83CE67EC15FA9327838924766CE2B38A165F224B => 0x6CE2B38A165F224B - Robert Waffen <[email protected]>
├── 0xC10B6298A584A5632E254DA304D659E6BF1C4CC0 => 0x04D659E6BF1C4CC0 - Tim Meusel <[email protected]>
└── 0xEA338528809E9749E2C3064379E924EBEDA7F3FD => 0x79E924EBEDA7F3FD - Alexander John Fisher <[email protected]>
Creating a new secret store
Want a new gopass store for your own SIG? Follow these steps.
- Create a new blank repo in the
voxpupulinamespace.- ⚠️ Do not add any content at all – not even a README or LICENSE
- Name it something like
gopass-{name of team} - Give it a description like Gopass password store for the {name} team
- Set it to private
- Grant access to only the appropriate GitHub teams. Do not grant access to
pmcor other general teams.
- Create the secret store on your local machine
gopass init --store voxpupuli/{name}
- Connect it to the git repo you created
gopass git --store voxpupuli/{name} remote add origin [email protected]:voxpupuli/gopass-{name}.git
- Add other team members.
gopass recipients add --store voxpupuli/{name}- repeat as needed
- Push changes to the repo
gopass sync
- Add a quick
READMEwith information about the secret store. Link to this guide.- ⚠️ Make sure you do this after syncing at least once.