Install platform specific
For all platforms - recommended

- Rnp does not self-sign your ID, so import the public ID in pass-simple using `gnupg` mode. On Windows, `gnupg` mode is not applicable, so:

  ```
  $ gpg --edit-key jane@acme.org
  gpg> lsign
  gpg> y
  gpg> save
  ```

- On Windows use `gopass` instead of `pass`.
Mandatory

- Create a note with the pass command line and ensure all is well:

  ```
  pass
  pass edit whatever
  ```

- If the pass store is not initialized, use `gopass setup` or follow this: https://www.redhat.com/sysadmin/management-password-store. That document walks through creating private and public keys and initializing the repository (setting up the `.gpg-id` authorization file).
- Ensure you can read and write the test note created before.
- Set up git. Avoid this step by using `gopass clone`. If not using `gopass`, prefer doing it manually to ensure an absolute `gpg` path; this is also mandatory after `git clone`.

  ```
  # New repository
  git init
  echo '*.gpg diff=gpg' > ".gitattributes"
  # New and cloned repository
  git config --local diff.gpg.binary true
  git config --local diff.gpg.textconv "`which gpg` -d --quiet --yes --compress-algo=none --no-encrypt-to"
  ```

  Or use pass, and then correct `diff.gpg.textconv` with the above:

  ```
  export PASSWORD_STORE_DIR=/Volumes/volume\ name/password-store
  pass git init
  ```

- Ensure you can `git commit -am "commit"`.
- Create an additional change and ensure you can `git diff HEAD~` and see the last change in clear text.
- Set `restoreWindows` in `vscode` to `folder` or `none`. It is always good practice to close all `vscode` opened tabs before closing pass-simple, otherwise `vscode` might recreate the temporary files edited.
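The following is an added example (not code from pass, gopass or the pass-simple extension) that checks the mandatory setup above before you start relying on `git diff`: `.gpg-id` present and non-empty, `.gitattributes` declaring `*.gpg diff=gpg`, and `.git/config` carrying `diff.gpg.binary` and a `diff.gpg.textconv` whose gpg command is an absolute path. It parses `.git/config` directly instead of calling git, so it also runs where git is not on the PATH; `make_sample_store` builds a constructed sample store in a temp directory, and the key id `jane@acme.org` and gpg path in it are made-up values.

```python
"""Check that a pass store matches the git setup steps above.

Added example, not part of pass, gopass or pass-simple. Assumes the plain
pass layout: `.gpg-id` at the store root, `.gitattributes` and `.git/config`
written by `git config --local`.
"""
import os
import re
import tempfile
from pathlib import Path


def parse_git_config(text):
    """Parse the subset of git-config syntax that `git config --local` writes:
    `[section "subsection"]` headers and `key = value` lines. Returns a dict
    keyed in git's dotted form, e.g. `diff.gpg.textconv`."""
    config = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        header = re.match(r'^\[([^\s"\]]+)(?:\s+"([^"]*)")?\]$', line)
        if header:
            section = header.group(1)
            if header.group(2) is not None:
                section = f"{section}.{header.group(2)}"
            continue
        if "=" in line and section is not None:
            key, _, value = line.partition("=")
            config[f"{section}.{key.strip()}"] = value.strip()
    return config


def check_store(store_dir):
    """Return a list of problems found in the store; an empty list means ready."""
    store = Path(store_dir)
    problems = []

    gpg_id = store / ".gpg-id"
    if not gpg_id.is_file() or not gpg_id.read_text().strip():
        problems.append(".gpg-id missing or empty: run `pass init <key-id>` or `gopass setup`")

    attrs = store / ".gitattributes"
    if not attrs.is_file() or not any(
        line.split() == ["*.gpg", "diff=gpg"] for line in attrs.read_text().splitlines()
    ):
        problems.append(".gitattributes lacks `*.gpg diff=gpg`, so `git diff` cannot show clear text")

    cfg_path = store / ".git" / "config"
    if not cfg_path.is_file():
        problems.append(".git/config missing: the store is not a git repository")
        return problems
    cfg = parse_git_config(cfg_path.read_text())

    if cfg.get("diff.gpg.binary") != "true":
        problems.append("diff.gpg.binary is not true")

    textconv = cfg.get("diff.gpg.textconv", "")
    gpg_cmd = textconv.split()[0] if textconv else ""
    if not gpg_cmd:
        problems.append("diff.gpg.textconv is not set")
    elif not os.path.isabs(gpg_cmd):
        # A bare `gpg` breaks when the editor's PATH differs from the shell's.
        problems.append(f"diff.gpg.textconv uses a relative gpg command ({gpg_cmd}); use the absolute path")
    return problems


def make_sample_store(textconv_gpg="/usr/local/bin/gpg"):
    """Build a constructed sample store in a temp dir (no real keys or git needed)."""
    store = Path(tempfile.mkdtemp(prefix="pass-store-"))
    (store / ".gpg-id").write_text("jane@acme.org\n")  # constructed key id
    (store / ".gitattributes").write_text("*.gpg diff=gpg\n")
    (store / ".git").mkdir()
    (store / ".git" / "config").write_text(
        "[core]\n\trepositoryformatversion = 0\n"
        '[diff "gpg"]\n\tbinary = true\n'
        f"\ttextconv = {textconv_gpg} -d --quiet --yes --compress-algo=none --no-encrypt-to\n"
    )
    return store


if __name__ == "__main__":
    target = os.environ.get("PASSWORD_STORE_DIR", Path.home() / ".password-store")
    for problem in check_store(target) or ["store OK"]:
        print(problem)
```

Run it with `PASSWORD_STORE_DIR` pointing at your store (or at the mounted encrypted volume from the advanced section); a relative `gpg` in `textconv` is the usual reason `git diff HEAD~` shows binary noise from inside the editor while working in a terminal.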
Optional/Advanced

- Protect your `.gpg-id` or specific folders with a Git-Enforced Policy (git server and client hooks): https://git-scm.com/book/en/v2/Customizing-Git-An-Example-Git-Enforced-Policy
- Use disk encryption - `tomb`/`veracrypt` or mac's `diskutil` - to protect the repository itself. The password for the disk encryption can be stored in the default repository (`~/.password-store/`), and the mounted encrypted repository can then be linked with `ln -s` (like `mounts` in `gopass`).
- Consider using a `yubikey`, or move secret keys to a USB drive. Use subkey rotation for different devices, or ASDK for team members.
- Back up your store to another drive or a remote ssh server. Ensure you can `git pull` and `git push`.
- Protect the application configuration file as read-only with `chmod`, or with AppArmor.