[pass] shared password store
David Adam
zanchey at ucc.gu.uwa.edu.au
Tue Jun 30 17:35:08 CEST 2015
On Tue, 30 Jun 2015, CircleCode wrote:
> what would be the better way to share a common password store, say for
> example for an association?
>
> we can use the git repo, but what about the use of multiple gpg keys (or is
> it better to share a common key?)?
>
> as an additional question, how can I easily switch between my personal
> store and the so-created shared store? Can I, for example, make the shared
> store a submodule of my private one, or is it better to create an alias for
> each store that would change env vars?
I thought about this sort of thing for a while, and for our purposes I
ended up writing a wrapper script which does a few things:
- stores the organisation's passwords in a separate directory (we use NFS
shared storage which not everyone has)
- generates new GPG keys for new users for the store and makes
reencryption easy
- keeps your personal keyring up-to-date with the shared keyring
- installs a GPG agent in new users' shell initialisation files
We have mostly assumed that if an attacker has compromised a sysadmin's
account we are SOL. That may not be a useful assumption in your case.
Also, most of our administrators have not used GPG in anger very much and
so the wrapper makes it as easy as possible.
The only modification we had to make to pass was to allow arbitrary
options to be passed to GPG using PASSWORD_STORE_GPG_OPTS; in
particular, unless we cross-signed everyone's keys (hard to
do automatically) we needed to use "--trust-model always". This got added
to git in 4690a3021cf and will hopefully be in the next release.
I pushed our script 'uccpass' to
http://git.ucc.asn.au/?p=zanchey/uccpass.git;a=summary if you are
interested in taking a look.
David Adam
Wheel Group, University Computer Club
zanchey at ucc.gu.uwa.edu.au
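As an added example that is not David's uccpass script, a minimal POSIX shell wrapper showing the env-var approach from the thread: it points pass at a separate shared store via PASSWORD_STORE_DIR, passes "--trust-model always" through PASSWORD_STORE_GPG_OPTS, and turns "add a member and re-encrypt" into one command (pass init with the full list of key ids rewrites .gpg-id and re-encrypts every entry). The store path is an assumption, and `pass` and `gpg` are assumed to be installed.

```shell
#!/bin/sh
# Hypothetical wrapper; the shared store location is a placeholder.
SHARED_STORE="${SHARED_STORE:-$HOME/.shared-password-store}"

# Environment pass needs for the shared store, one KEY=VALUE per line.
# --trust-model always makes gpg encrypt to every id in .gpg-id even though
# members have not cross-signed, so the .gpg-id file in git becomes the
# effective trust root: review every change to it.
shared_env() {
    printf 'PASSWORD_STORE_DIR=%s\n' "$SHARED_STORE"
    printf 'PASSWORD_STORE_GPG_OPTS=%s\n' "--trust-model always"
}

# Key ids currently in the shared store's .gpg-id (pass keeps one per line).
shared_keys() {
    grep . "$SHARED_STORE/.gpg-id"
}

# Number of member keys the store is encrypted to.
shared_key_count() {
    grep -c . "$SHARED_STORE/.gpg-id"
}

# Exit 0 if the given key id is already a member, 1 otherwise.
is_member() {
    grep -qx "$1" "$SHARED_STORE/.gpg-id"
}

# Run pass against the shared store; the personal store is left untouched,
# so `pass` and `spass` can be used side by side in the same shell.
spass() {
    PASSWORD_STORE_DIR="$SHARED_STORE" \
    PASSWORD_STORE_GPG_OPTS="--trust-model always" \
    pass "$@"
}

# Add a member's key id and re-encrypt the whole store to the new set.
spass_add_member() {
    newkey="$1"
    if is_member "$newkey"; then
        echo "already a member: $newkey" >&2
        return 1
    fi
    # shellcheck disable=SC2046  # word-splitting the id list is intended
    spass init $(shared_keys) "$newkey"
}
```

The new member's public key must already be imported into the local keyring before spass_add_member runs, which is the part the thread's wrapper automates with the shared keyring.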