GPG at Oursky
Just enough to survive
4 September 2015
Ben Cheng
Oursky
Just enough GPG knowledge at work
AND This is not about ...
brew install gpg2
e.g. Ben signs Rick's key
=> Ben makes a signature over Rick's public key (the key plus its user ID) with Ben's own private key; nothing is encrypted
=> Ben tells the world "I checked that this key really belongs to Rick"
Signing a key and trusting a key are two different things: the signature says you verified who the key belongs to; owner trust (the trust command below) says how far you rely on Rick's signatures on other people's keys.
>> gpg2 --edit-key bencheng@oursky.com
pub  2048R/48D350D2  created: 2015-03-02  expires: never       usage: SC
                     trust: ultimate      validity: ultimate
sub  2048R/8CCC82E9  created: 2015-03-02  expires: never       usage: E
sub  2048R/7AD0441D  created: 2015-08-29  expires: never       usage: A
sub  2048R/5C11C0F7  created: 2015-08-31  expires: 2017-08-30  usage: S
[ultimate] (1). keybase.io/bencheng <bencheng@keybase.io>
[ultimate] (2)  Ben Cheng <bencheng@oursky.com>
[ultimate] (3)  Ben Cheng <chpapa@gmail.com>

gpg> uid 1
gpg> trust
Please decide how far you trust this user to correctly verify other users' keys
(by looking at passports, checking fingerprints from different sources, etc.)

  1 = I don't know or won't say
  2 = I do NOT trust
  3 = I trust marginally
  4 = I trust fully
  5 = I trust ultimately
  m = back to the main menu
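Before you encrypt anything to a colleague's key (pass does this for every secret in a shared folder), it is worth checking what gpg thinks of that key: a key you only imported, but never signed, has validity "-" and gpg stops with "use this key anyway?" (or fails outright under --batch). The script below is an added example, not part of the slides: it parses gpg's machine-readable listing (gpg --with-colons --list-keys) and reports keys that are not fully valid and keys that are expired or about to expire. The listing embedded in it is constructed sample data and the key ids are placeholders; in real use pipe the live listing in.

```shell
#!/bin/sh
# Added example (not from the Oursky slides). Parses `gpg --with-colons --list-keys`.
# Record layout (colon separated): field 1 record type, field 2 computed validity
# (u=ultimate, f=full, m=marginal, -=unknown, e=expired, r=revoked), field 5 key id,
# field 7 expiry as epoch seconds (empty = never), field 10 the user id on uid records.
# In real use:  gpg --with-colons --list-keys | gpg_keys_not_trusted

# Constructed sample listing; key ids are placeholders, not real keys.
SAMPLE_LISTING='tru::1:1441000000:0:3:1:5
pub:u:2048:1:1111111148D350D2:1425254400:::u::::scESCA::::::::
uid:u::::1425254400::AAAA::Ben Cheng <bencheng@oursky.com>::::::::::0:
sub:u:2048:1:111111118CCC82E9:1425254400::::::e::::::::
pub:f:4096:1:19099D75CF61A4F8:1440979200:1504051200::f::::scESC::::::::
uid:f::::1440979200::BBBB::cheungpat <y03kuen@gmail.com>::::::::::0:
pub:-:4096:1:11111111505EF763:1440979200::::-::::scESC::::::::
uid:-::::1440979200::CCCC::Ida Chan <ida@oursky.com>::::::::::0:
pub:e:2048:1:11111111DEADBEEF:1388534400:1420070400::-::::scESC::::::::
uid:e::::1388534400::DDDD::Old Key <old@oursky.com>::::::::::0:'

# Keys gpg will not silently encrypt to: computed validity other than u or f.
# Reads a --with-colons listing on stdin, prints "<keyid> <validity> <primary uid>".
# Fix for a "-" key you have verified: gpg --lsign-key <id> (local, non-exportable
# signature) makes it fully valid for you.
gpg_keys_not_trusted() {
  awk -F: '
    $1 == "pub" { keyid = $5; val = $2; want_uid = 1; next }
    $1 == "uid" && want_uid {
      want_uid = 0
      if (val != "u" && val != "f") print keyid, val, $10
    }'
}

# Keys already expired or expiring within $2 days of epoch time $1 ("now" is a
# parameter so the check is reproducible). Prints "<keyid> <expiry epoch>".
gpg_keys_expiring_within() {
  awk -F: -v now="$1" -v days="$2" '
    $1 == "pub" && $7 != "" && $7 + 0 < now + days * 86400 { print $5, $7 }'
}

# Demo on the constructed listing.
printf '%s\n' "$SAMPLE_LISTING" | gpg_keys_not_trusted
printf '%s\n' "$SAMPLE_LISTING" | gpg_keys_expiring_within "$(date +%s)" 90
```

Run the two functions over your real keyring before a `pass init -p` that adds someone; anything listed by the first function will make the re-encryption prompt or fail until you have verified and signed that key.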
>> gpg --gen-key
gpg (GnuPG) 1.4.19; Copyright (C) 2015 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Please select what kind of key you want:
   (1) RSA and RSA (default)
   (2) DSA and Elgamal
   (3) DSA (sign only)
   (4) RSA (sign only)
Your selection? 1
RSA keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048) 4096
Requested keysize is 4096 bits
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 0
Key does not expire at all
Is this correct? (y/N) y

You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
    "Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"

Real name: Ida Chan
Email address: ida@oursky.com
Comment:
You selected this USER-ID:
    "Ida Chan <ida@oursky.com>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? o
You need a Passphrase to protect your secret key.

gpg: key 505EF763 marked as ultimately trusted
public and secret key created and signed.

gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   3  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 3u
pub   4096R/505EF763 2015-08-31
      Key fingerprint = 2CDE 199D 10E9 1FF2 65B5 6926 8040 8728 505E F763
uid                  Ida Chan <ida@oursky.com>
sub   4096R/1A04EAEB 2015-08-31

Note: the session above answers 0 (never expires). An expiry of one or two years is the safer choice: a key whose private half and revocation certificate are both lost then dies on its own, and the date can be pushed out at any time with the expire command in gpg --edit-key.
>> gpg --edit-key ida@oursky.com
gpg (GnuPG) 1.4.19; Copyright (C) 2015 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Secret key is available.

pub  4096R/505EF763  created: 2015-08-31  expires: never       usage: SC
                     trust: ultimate      validity: ultimate
sub  4096R/1A04EAEB  created: 2015-08-31  expires: never       usage: E
[ultimate] (1). Ida Chan <ida@oursky.com>

gpg> setpref SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed
Set preference list to:
     Cipher: AES256, AES192, AES, CAST5, 3DES
     Digest: SHA512, SHA384, SHA256, SHA224, SHA1
     Compression: ZLIB, BZIP2, ZIP, Uncompressed
     Features: MDC, Keyserver no-modify
Really update the preferences? (y/N) y
gpg> adduid
gpg> save

setpref orders the algorithms others should use when encrypting to you, strongest first; gpg appends 3DES and SHA1 on its own because OpenPGP requires them as the fallback. adduid walks through the same name/email prompts as --gen-key (not shown); nothing is written to the key until save.
Revocation certificate (make it now and keep it offline; it is the only way to retire the key if the private key or passphrase is lost):
gpg --output idachan-revoke.gpg --gen-revoke ida@oursky.com

Private key backup (ASCII-armored; keep it offline, never in the password store or a repo):
gpg --export-secret-keys -a ida@oursky.com

Public key (this is the part you publish and hand to colleagues):
gpg --export -a ida@oursky.com
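The four steps above (generate, set preferences, make a revocation certificate, export) can be done unattended from a gpg --batch parameter file, so every team member ends up with the same kind of key. The script below is an added example and not part of the slides; it deliberately differs from the walk-through in two places: the key gets an expiry date, and it uses %no-protection (no passphrase), which is fine for a throwaway or CI key but should be removed for a personal key so gpg asks for one. Names, emails and paths are placeholders, and it assumes GnuPG 2.1 or newer.

```shell
#!/bin/sh
# Added example (not from the Oursky slides): unattended key creation with
# expiry, preferences, revocation certificate and exports. Assumes GnuPG >= 2.1.
# Usage: sh keygen.sh "Ida Chan" ida@oursky.com 2y ./ida-key

# Parameter file for `gpg --batch --gen-key`.
# $1 real name, $2 email, $3 expiry (e.g. 2y, 18m, 0 for never).
gpg_key_params() {
  cat <<EOF
%echo Generating key for $2
Key-Type: RSA
Key-Length: 4096
Key-Usage: sign
Subkey-Type: RSA
Subkey-Length: 4096
Subkey-Usage: encrypt
Name-Real: $1
Name-Email: $2
Expire-Date: $3
Preferences: SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed
%no-protection
%commit
%echo done
EOF
}

# Create the key in a throwaway GNUPGHOME and write the three artifacts the
# slides produce by hand into $4: public key, secret key, revocation certificate.
# Prints the new key's fingerprint on success.
gpg_make_key() {
  name=$1; email=$2; expiry=$3; outdir=$4
  command -v gpg >/dev/null 2>&1 || { echo "gpg not installed" >&2; return 2; }
  mkdir -p "$outdir" || return 1
  GNUPGHOME=$(mktemp -d) || return 1
  export GNUPGHOME
  chmod 700 "$GNUPGHOME"

  gpg_key_params "$name" "$email" "$expiry" | gpg --batch --gen-key || return 1

  # Revocation certificate. --gen-revoke is interactive; --command-fd 0 lets us
  # answer its prompts from stdin: y (create), 0 (no reason given),
  # empty line (end of description), y (confirm).
  printf 'y\n0\n\ny\n' | gpg --batch --yes --command-fd 0 --armor \
      --output "$outdir/$email.revoke.asc" --gen-revoke "$email" || return 1

  gpg --batch --armor --export "$email" > "$outdir/$email.pub.asc" || return 1
  gpg --batch --armor --export-secret-keys "$email" > "$outdir/$email.sec.asc" || return 1
  # The secret key and the revocation certificate are both sensitive: lock them down.
  chmod 600 "$outdir/$email.sec.asc" "$outdir/$email.revoke.asc"

  # fpr records carry the fingerprint in field 10 of the --with-colons listing.
  gpg --batch --with-colons --list-keys "$email" | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Only act when called with all four arguments, so sourcing the file is harmless.
if [ "$#" -eq 4 ]; then gpg_make_key "$@"; fi
```

Move the .sec.asc and .revoke.asc files to offline storage and publish only the .pub.asc; the fingerprint printed at the end is what colleagues compare out of band before they sign the key.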
brew install pass
echo "source /usr/local/etc/bash_completion.d/password-store" >> ~/.bashrc
>> pass
Password Store
├── README.md
├── apps
│   └── twitter
│       ├── oursky.gpg
│       └── pandaform.gpg
├── clients
├── dev
│   ├── apple-id
│   │   └── oursky.gpg
│   └── namecheap
│       └── oursky.gpg
└── servers
    └── abc.oursky.com
        └── root.gpg
hub clone oursky/password-store
mv password-store .password-store
pass apps/twitter/oursky       # print the password
pass -c apps/twitter/oursky    # copy it to the clipboard instead (cleared again after 45 seconds)

pass insert apps/twitter/pandaform        # store a password you already have
pass generate apps/twitter/pandaform 15   # generate a random 15-character password
pass rm apps/twitter/pandaform

pass git push   # every insert/generate/rm is a git commit; share it
pass git pull   # and pick up what others committed
After you have imported your colleagues' keys (keybase track), pass can re-encrypt a folder (and its sub-folders) to a new set of keys.

e.g. Give access to cheungpat for everything under clients/abc

>> pass init -p clients/abc y03kuen@gmail.com
Password store initialized for y03kuen@gmail.com
[master e59b61c] Set GPG id to y03kuen@gmail.com.
 1 file changed, 1 insertion(+)
 create mode 100644 clients/abc/.gpg-id
clients/abc/google-apps/info@oursky.com: reencrypting to 19099D75CF61A4F8
[master 323a36c] Reencrypt password store using new GPG id y03kuen@gmail.com.
 1 file changed, 0 insertions(+), 0 deletions(-)
 rewrite clients/abc/google-apps/info@oursky.com.gpg (100%)

Caveat: pass init -p replaces the folder's recipient list with exactly the ids you pass. The output above shows the secret being re-encrypted to one key only (19099D75CF61A4F8), so after this nobody else, including you, can read clients/abc. To add someone, list every existing recipient plus the newcomer, e.g. pass init -p clients/abc bencheng@oursky.com y03kuen@gmail.com. Each recipient key must also be valid in your keyring (signed by you, or lsign it), otherwise gpg stops at "use this key anyway?" or fails in batch mode.
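The following is an added example, not code from the slides or from pass itself: a small wrapper that grants one more person access to a pass folder without silently dropping the current readers. It reads the recipient list that currently applies to the folder the same way pass does (the nearest .gpg-id walking up to the store root), appends the new id, and only then calls pass init -p with the full list. The store layout and identities in it are placeholders; the store location defaults to ~/.password-store, as it does for pass.

```shell
#!/bin/sh
# Added example (not from the Oursky slides). `pass init -p <dir> <ids...>` replaces
# the folder's .gpg-id with exactly the ids given and re-encrypts everything under
# it to those keys only; listing just the newcomer locks out everyone else.
# Usage: pass_grant clients/abc y03kuen@gmail.com   (then: pass git push)

# Print the recipients that currently apply to $2 (a folder relative to the store
# root $1): the nearest .gpg-id walking upwards, which is pass's own lookup rule,
# followed by $3 unless it is already listed. One id per line, blank lines dropped.
pass_recipients_with() {
  store=${1%/}; dir=$2; newid=$3
  d="${store}/${dir}"; d=${d%/}
  while [ ! -f "$d/.gpg-id" ] && [ "$d" != "$store" ]; do
    d=$(dirname "$d")
  done
  {
    [ -f "$d/.gpg-id" ] && cat "$d/.gpg-id"
    echo "$newid"
  } | awk 'NF && !seen[$0]++'
}

# Re-encrypt store folder $1 to its existing recipients plus $2.
pass_grant() {
  dir=$1; newid=$2
  store=${PASSWORD_STORE_DIR:-$HOME/.password-store}
  ids=$(pass_recipients_with "$store" "$dir" "$newid") || return 1
  # Split on newlines only: a .gpg-id entry may contain spaces (e.g. a full user id).
  IFS='
'
  # shellcheck disable=SC2086
  set -- $ids
  unset IFS
  echo "re-encrypting $dir to: $*" >&2
  pass init -p "$dir" "$@"
}
```

pass init commits the new .gpg-id and the re-encrypted files, so finish with pass git push; the recipients it prints to stderr are the ones to double-check before you do.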
We use it for:
- sharing passwords with other team members (instead of sending them over an insecure channel such as chat or email)
- saving passwords for future reference (instead of a personal or insecure medium such as a notes app)
- sharing other sensitive information such as keys or config snippets; use *pass insert -m* for multi-line entries
Don't use it for:
- software that already has team features (such as AWS IAM roles): give each person their own account instead of sharing one password
- sharing passwords with people outside the team
Here are some WTF...
keybase login
keybase prove [twitter/github/reddit/web]   # publish a proof that an account you control belongs to this key
keybase push                                # upload your GPG public key to keybase
keybase revoke                              # revoke that key on keybase
keybase track cheungpat                     # verify cheungpat's proofs and pull the key into your GPG keyring
keybase encrypt cheungpat -s foot.txt -o bar.asc   # encrypt to cheungpat; -s signs it as well
keybase decrypt bar.asc -o bar.txt