Linux Password Manager CLI
The rngd daemon (from rng-tools) acts as a bridge between a hardware TRNG (true random number generator), such as the ones built into some Intel/AMD/VIA chipsets, and the kernel's CSPRNG behind /dev/random and /dev/urandom. Without it, a freshly booted VM can sit for minutes in `gpg --gen-key` waiting for entropy; on Linux 5.6 and later /dev/random no longer blocks once the pool has been seeded, so rngd mainly matters on older kernels and on headless or virtualised hosts that seed slowly.
```
# Install rngd to gain enough entropy for gpg public and secret key creation
$> sudo apt-get install rng-tools
# Check the amount of entropy currently available (reported in bits, not bytes)
$> cat /proc/sys/kernel/random/entropy_avail
```
Create a key that will be used by pass to encrypt/decrypt ~/.password-store. The passphrase dialog may be left blank, but then anyone who can read ~/.gnupg (a backup, a stolen laptop, another user with root) can decrypt the whole store; set a passphrase unless the host is fully trusted.
```
$> gpg --gen-key
gpg (GnuPG) 2.2.4; Copyright (C) 2017 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Note: Use "gpg --full-generate-key" for a full featured key generation dialog.

GnuPG needs to construct a user ID to identify your key.

Real name: Bob Smith                        # <- input
Email address: user1@acme.com               # <- input
You selected this USER-ID:
    "Bob Smith <user1@acme.com>"

Change (N)ame, (E)mail, or (O)kay/(Q)uit? O  # <- input
┌──────────────────────────────────────────────────────┐
│ Please enter the passphrase to                       │
│ protect your new key                                 │
│                                                      │
│ Passphrase: ________________________________________ │  # <- can be
│                                                      │  #    left blank
│        <OK>                              <Cancel>    │  # 2x dialog
└──────────────────────────────────────────────────────┘
We need to generate a lot of random bytes. (..omitted..) to gain enough entropy.
gpg: /home/vagrant/.gnupg/trustdb.gpg: trustdb created
gpg: key 0046C0CB14D14757 marked as ultimately trusted
gpg: directory '/home/vagrant/.gnupg/openpgp-revocs.d' created
gpg: revocation certificate stored as '/home/vagrant/.gnupg/openpgp-revocs.d/B5FCCC7D6BE3B93F0B5569790046C0CB14D14757.rev'
public and secret key created and signed.

pub   rsa3072 2020-02-16 [SC] [expires: 2022-02-15]
      B5FCCC7D6BE3B93F0B5569790046C0CB14D14757
uid                      Bob Smith <user1@acme.com>      # <- gpg key
sub   rsa3072 2020-02-16 [E] [expires: 2022-02-15]
```
Generate the password store by providing the gpg key used for the store encryption. Identify the key by its uid (name or e-mail address) or by its key ID/fingerprint. The file ~/.password-store/.gpg-id will contain whatever identifier was passed to pass init <keyIdentifier>, and pass hands that identifier to gpg as the recipient on every insert. Prefer the fingerprint: an e-mail address can match more than one key in the keyring, and a keyring later polluted with a second "user1@acme.com" key would make the recipient ambiguous.
```
# option.1: identify the key by the uid
$> pass init user1@acme.com
# option.2: identify the key by the fingerprint
$> pass init B5FCCC7D6BE3B93F0B5569790046C0CB14D14757
mkdir: created directory '/home/vagrant/.password-store/'
Password store initialized for user1@acme.com
$> pass ls
Password Store
$> pass insert user1
Enter password for user1: ***
Retype password for user1: ***
$> pass ls
Password Store
└── user1
$> pass user1
password123
```
GPG key manipulation
```
# Delete a GPG key pair. The selector can be a name, an e-mail address, a key ID
# or a fingerprint; if it matches more than one key, gpg asks which one.
# (On systems where gpg is GnuPG 2.x, gpg2 is the same binary.)
#
# NOTE! Delete the secret key first. If a secret key is still on the secret
# keyring, deleting the matching public key fails with an error.
# Deleting the secret key of the key in .gpg-id makes the password store
# unreadable unless you have a backup of ~/.gnupg.
gpg --delete-secret-keys user1@acme.com   # remove the private key from the secret keyring
gpg --delete-keys user1@acme.com          # then remove the public key from the public keyring
# Both steps at once:
gpg --delete-secret-and-public-key user1@acme.com
# List the keys on the public keyring
gpg --list-keys
# List the keys on the secret keyring
gpg --list-secret-keys
```
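The key generation, `pass init`/`insert`/`show` sequence and the key deletion above, run unattended end to end, as an added example that is not part of the original notes. It isolates GnuPG and pass in throwaway directories so nothing touches ~/.gnupg or ~/.password-store, and it assumes gpg 2.1 or later and pass are installed; the name, e-mail address and password are made up. The `%no-protection` line creates a key with no passphrase, which is fine for a disposable demo and a bad idea for a real store.

```bash
#!/usr/bin/env bash
# Added example, not from the original notes: generate a key, initialise a
# pass store with it, insert and read back one entry, then delete the key.
# Assumes gpg (2.1+) and pass are on PATH. All identities below are made up.
set -euo pipefail

demo_pass_store() {
    local work
    work="$(mktemp -d)"
    # Isolate GnuPG and pass from the real user state.
    export GNUPGHOME="$work/gnupg"
    export PASSWORD_STORE_DIR="$work/store"
    mkdir -p "$GNUPGHOME" && chmod 700 "$GNUPGHOME"

    # Unattended key generation (same parameters the interactive dialog uses).
    # %no-protection: no passphrase, so anyone who can read $GNUPGHOME can
    # decrypt every entry. Acceptable here only because the key is discarded.
    gpg --batch --quiet --gen-key <<'EOF'
Key-Type: RSA
Key-Length: 3072
Subkey-Type: RSA
Subkey-Length: 3072
Name-Real: Bob Smith
Name-Email: user1@acme.com
Expire-Date: 2y
%no-protection
%commit
EOF

    # Take the fingerprint from the machine-readable listing ("fpr" record,
    # field 10) instead of screen-scraping the human output.
    local fpr
    fpr="$(gpg --batch --with-colons --list-secret-keys user1@acme.com \
           | awk -F: '$1=="fpr"{print $10; exit}')"

    # Initialise the store by fingerprint; that string is what lands in .gpg-id.
    pass init "$fpr" >/dev/null
    [ "$(cat "$PASSWORD_STORE_DIR/.gpg-id")" = "$fpr" ]

    # Non-interactive insert: -m (multiline) reads stdin until EOF.
    printf 'password123\n' | pass insert -m user1 >/dev/null
    local secret
    secret="$(pass show user1)"

    # Cleanup in the order the notes describe: secret key first, then public.
    # In batch mode gpg only accepts a full fingerprint here and needs --yes.
    gpg --batch --yes --delete-secret-keys "$fpr"
    gpg --batch --yes --delete-keys "$fpr"
    gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$work"

    printf '%s\n' "$secret"
}

if command -v gpg >/dev/null 2>&1 && command -v pass >/dev/null 2>&1; then
    demo_pass_store
else
    echo "gpg and pass are required for this demo" >&2
fi
```

Because `GNUPGHOME` and `PASSWORD_STORE_DIR` are exported only inside the script, the same pattern works for testing a store layout or a key rotation before touching the real one.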