Set up another PC to access pass's remote git repository

Thibault JAMET thibault.jamet+pass at gmail.com
Mon Oct 16 07:34:56 CEST 2017


Hi,

My personal setup is a bit different.
I am using a yubikey to store my private gpg key and have published the
public one.
I am also using the gpg-agent as an ssh-daemon, so that it uses the
yubikey's gpg key.
Thus, none of my keys are written to disk nor have to be sync'd.
My password store repo is sync'd with git on a repo hosted on a private
server.

To import the repo on a new computer I:
- download my public key (gpg search <user.email>)
- edit the gpg config to use it as a ssh agent
- synchronize gpg agent (gpg --card-status)
- clone my password-store repository

I personally do not wish to rely on the passphrase, which is not secure
enough for me: if your passphrase leaks, you still have the opportunity
to change it and keep the same key if you always kept the private key
private. In other cases, you will have to rotate your private key every
time you have to rotate your passphrase.

Best regards,

Thibault


On Mon, 16 Oct 2017 at 06:43, Radon Rosborough <radon.neon at gmail.com>
wrote:

> The way I've set it up, all of my passwords are random except for
> three: my GitHub password, my SSH passphrase, and my GPG passphrase.
> So when I set up a new machine, I clone my SSH keys from GitHub using
> HTTPS; then I can clone any of my other repositories using SSH,
> including my GPG keyring and my Pass repository. Finally, I can use my
> GPG keyring to unlock any of my other passwords.
>
> Certainly there are security implications to having my SSH and GPG
> keys, as well as all my passwords, in private GitHub repositories.
> However, I set up my security model under the assumption that if my
> master passphrases are compromised then any other protection is just
> security-through-obscurity. The idea is that an attacker would need to
> get (machine access + GPG passphrase) or (GitHub password + GPG
> passphrase) in order to compromise everything. Then it's a matter of
> religiously using a dedicated pinentry program to enter the master GPG
> passphrase, to avoid most attack vectors.
> _______________________________________________
> Password-Store mailing list
> Password-Store at lists.zx2c4.com
> https://lists.zx2c4.com/mailman/listinfo/password-store
>
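The four-step bootstrap in Thibault's message (fetch the public key, turn gpg-agent into an ssh agent, create the card key stubs, clone the store), written out as a POSIX shell script. This is an added example, not code from the mailing list or from pass itself. It assumes the published key is found with `gpg --search-keys`, that `enable-ssh-support` is the only directive gpg-agent.conf needs, that the store is cloned over ssh, and that the e-mail address and repository URL are supplied on the command line; the config-editing step is kept in its own function so it can be re-run without duplicating the directive.

```shell
#!/bin/sh
# Added example (not from the original post): bootstrap a fresh machine for
# a YubiKey-backed pass setup. E-mail address, repository URL and GNUPGHOME
# are assumptions passed in or taken from the environment.

set -eu

# Make sure gpg-agent.conf under $1 contains "enable-ssh-support" exactly
# once, with the directory and file locked down to the owner. Idempotent:
# running it twice leaves one copy of the directive.
enable_agent_ssh_support() {
    gnupghome="$1"
    conf="$gnupghome/gpg-agent.conf"
    mkdir -p "$gnupghome"
    chmod 700 "$gnupghome"
    touch "$conf"
    if ! grep -qx 'enable-ssh-support' "$conf"; then
        printf '%s\n' 'enable-ssh-support' >> "$conf"
    fi
    chmod 600 "$conf"
}

# Number of whole-line occurrences of directive $2 in $1/gpg-agent.conf
# (grep -c prints 0 but exits 1 when nothing matches, hence the || true).
count_directive() {
    grep -cx "$2" "$1/gpg-agent.conf" || true
}

# The full procedure from the post; only executed when called with "run".
bootstrap() {
    email="$1"   # assumed: uid e-mail of the published public key
    repo="$2"    # assumed: ssh URL of the private password-store repo
    gnupghome="${GNUPGHOME:-$HOME/.gnupg}"

    # 1. Download the public key (keyserver lookup; a WKD-published key
    #    would be fetched with gpg --locate-keys instead).
    gpg --search-keys "$email"

    # 2. Let gpg-agent speak the ssh-agent protocol, then restart it so the
    #    new config is read.
    enable_agent_ssh_support "$gnupghome"
    gpgconf --kill gpg-agent

    # 3. Point ssh at gpg-agent's socket and let gpg create the on-card
    #    key stubs; nothing private touches the disk.
    SSH_AUTH_SOCK="$(gpgconf --list-dirs agent-ssh-socket)"
    export SSH_AUTH_SOCK
    gpg --card-status

    # Check: the card's authentication key should now be offered to ssh.
    ssh-add -L

    # 4. Clone the store; git authenticates with the key on the YubiKey.
    git clone "$repo" "$HOME/.password-store"
}

if [ "${1:-}" = "run" ]; then
    bootstrap "${2:?e-mail address}" "${3:?repository url}"
fi
```

Run it as `sh bootstrap.sh run you@example.org git@host:password-store.git` on the new machine; put the `SSH_AUTH_SOCK` export in your shell profile as well, otherwise a new shell will fall back to the system ssh-agent and the card key will not be offered.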