Install (platform specific)

  • RNP does not sign (trust) your key ID by itself, so import your public key into pass-simple using gnupg mode.

    On Windows gnupg mode is not available, so locally sign the key with gpg instead (lsign makes a non-exportable signature, so the trust stays on this machine only):

    $ gpg --edit-key jane@acme.org
    gpg> lsign
    gpg> y
    gpg> save
    
  • On Windows, use gopass instead of pass.

Mandatory

  1. Create a note with the pass command line and make sure everything works:

    pass                  # list the store
    pass edit whatever    # create (and encrypt) a test entry
    
  2. Make sure you can read and write the test note created above.

  3. Set up git

    You can skip this step by using gopass clone.

  • If not using gopass:

    Prefer doing this manually so that gpg is referenced by its absolute path. It is also mandatory after a git clone, because the local git config is not cloned.

    # New repository
    git init
    echo '*.gpg diff=gpg' > ".gitattributes"
    # New and cloned repository (same options pass uses, but with an absolute gpg path)
    git config --local diff.gpg.binary true
    git config --local diff.gpg.textconv "`which gpg` -d --quiet --yes --compress-algo=none --no-encrypt-to"
    

    Or use pass git init and then correct diff.gpg.textconv with the command above (pass records gpg by name, not by absolute path).

    export PASSWORD_STORE_DIR=/Volumes/volume\ name/password-store
    pass git init
    
  4. Make sure you can git commit -am "commit".

  5. Create another change and make sure git diff HEAD~ shows the last change in clear text; this proves the textconv driver is working.

  6. Set window.restoreWindows in VS Code to folders or none.

    It is good practice to close all open VS Code tabs before closing pass-simple; otherwise VS Code may recreate the temporary (decrypted) files that were being edited when it restores the previous session.
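The git setup and verification steps above, as one added script (example code, not part of the pass-simple page or the pass project). It pins gpg by absolute path, appends the .gitattributes entry only once so re-running after a clone is safe, and checks the resulting config the way steps 3 to 5 ask for. The script name setup-store-git.sh, the default store location and the gpg lookup order are assumptions; git is assumed to be on PATH.

```shell
#!/bin/sh
# Added example (not from the pass-simple page or the pass project): configure a
# password-store git repository so `git diff` shows decrypted .gpg files, with gpg
# referenced by absolute path. Assumed: git on PATH; store dir and gpg path are
# the caller's (defaults below are assumptions).
set -eu

# Build the textconv command with the same options `pass git init` uses, but
# with the absolute gpg path so git never depends on a PATH lookup.
textconv_cmd() {
    gpg_bin="$1"
    printf '%s -d --quiet --yes --compress-algo=none --no-encrypt-to' "$gpg_bin"
}

# Locate gpg by absolute path (gpg2 first, as pass itself prefers it).
resolve_gpg() {
    command -v gpg2 2>/dev/null || command -v gpg 2>/dev/null
}

# Create or refresh the repository configuration for a store. Safe to re-run,
# and required after `git clone`, since .git/config is never cloned.
setup_store_git() {
    store="$1"
    gpg_bin="$2"
    mkdir -p "$store"
    [ -d "$store/.git" ] || git -C "$store" init -q
    # Route *.gpg through the gpg diff driver; append the line only once.
    if ! grep -qs '^\*\.gpg diff=gpg$' "$store/.gitattributes"; then
        printf '*.gpg diff=gpg\n' >> "$store/.gitattributes"
    fi
    git -C "$store" config --local diff.gpg.binary true
    git -C "$store" config --local diff.gpg.textconv "$(textconv_cmd "$gpg_bin")"
}

# Verify the configuration; print what is wrong and return 1 on any failure.
verify_store_git() {
    store="$1"
    rc=0
    grep -qs '^\*\.gpg diff=gpg$' "$store/.gitattributes" \
        || { echo "missing '*.gpg diff=gpg' in .gitattributes"; rc=1; }
    [ "$(git -C "$store" config --get diff.gpg.binary || true)" = "true" ] \
        || { echo "diff.gpg.binary is not true"; rc=1; }
    tc=$(git -C "$store" config --get diff.gpg.textconv || true)
    case "$tc" in
        /*) ;;   # starts with an absolute gpg path: good
        *) echo "diff.gpg.textconv does not start with an absolute gpg path: '$tc'"; rc=1 ;;
    esac
    return $rc
}

# Usage: sh setup-store-git.sh [STORE_DIR] [GPG_PATH]
main() {
    store="${1:-${PASSWORD_STORE_DIR:-$HOME/.password-store}}"
    gpg_bin="${2:-$(resolve_gpg || true)}"
    if [ -z "$gpg_bin" ]; then
        echo "gpg not found; pass its absolute path as the second argument" >&2
        exit 1
    fi
    setup_store_git "$store" "$gpg_bin"
    verify_store_git "$store" && echo "store git config OK: $store"
}

# Run main only when executed under the assumed script name, so the functions
# can also be sourced from another shell script.
case "${0##*/}" in setup-store-git.sh) main "$@" ;; esac
```

After running it, steps 4 and 5 still apply: commit, change an entry, and confirm git diff HEAD~ prints clear text; verify_store_git only checks the configuration, not that the pinned gpg can actually decrypt your entries.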

Optional/Advanced

  1. Protect your '.gpg-id' file, or specific folders, with a Git-enforced policy (server- and client-side hooks):

    https://git-scm.com/book/en/v2/Customizing-Git-An-Example-Git-Enforced-Policy

  2. Use disk encryption (tomb, VeraCrypt, or macOS diskutil) to protect the repository itself.

    The password for the encrypted disk can be stored in the default store (~/.password-store/); then link the mounted encrypted repository into it with ln -s (similar to mounts in gopass).

  3. Consider using a YubiKey, or move the secret keys to a USB drive.

    Use separate subkeys for different devices so they can be rotated independently, or an ADSK (additional decryption subkey) for team members.

  4. Back up your store to another drive or to a remote ssh server:

    https://stackoverflow.com/questions/39471072/how-to-create-a-local-push-destination-on-a-hard-disk-using-git

    Make sure you can git pull and git push.

  5. Protect the application configuration file by making it read-only with chmod, or with an AppArmor profile.
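A client-side hook for item 1 above, as an added example (not from the pass-simple page, the pass project, or the linked git book chapter): a pre-commit hook that refuses any commit touching .gpg-id, the file that decides which keys every entry is encrypted to, unless the operator opts in explicitly. A server-side pre-receive hook would be the enforcing counterpart; this one only stops accidental or tool-driven re-keying on the client. The override variable PASS_ALLOW_GPGID_CHANGE and the protected-file list are assumptions.

```shell
#!/bin/sh
# Added example (not part of the pass-simple page or the pass project): pre-commit
# hook that blocks commits changing .gpg-id unless PASS_ALLOW_GPGID_CHANGE=1 is set.
# Install with: cp guard-gpgid.sh .git/hooks/pre-commit && chmod 755 .git/hooks/pre-commit
# (file names and the override variable are assumptions for this example).
set -eu

# Protected file names, whitespace separated. pass keeps a top-level .gpg-id and
# optionally one per subfolder; both forms are matched below.
PROTECTED_FILES='.gpg-id'

# Read staged paths from stdin, one per line. Return 1 if any protected path is
# present and the override is not set. Pure function, so it is testable without git.
gpgid_guard() {
    override="${PASS_ALLOW_GPGID_CHANGE:-0}"
    blocked=""
    while IFS= read -r path; do
        for protected in $PROTECTED_FILES; do
            case "$path" in
                "$protected"|*/"$protected") blocked="$blocked $path" ;;
            esac
        done
    done
    if [ -n "$blocked" ] && [ "$override" != "1" ]; then
        echo "pre-commit: refusing to commit changes to protected file(s):$blocked" >&2
        echo "pre-commit: re-run with PASS_ALLOW_GPGID_CHANGE=1 if this re-keying is intended" >&2
        return 1
    fi
    return 0
}

# Hook entry point: git runs the hook from the repository root with no arguments.
# Added, copied, modified, renamed and deleted staged files are all examined.
run_hook() {
    git diff --cached --name-only --diff-filter=ACMRD | gpgid_guard
}

# Only act when running as the installed hook; sourcing the file just defines
# the functions.
case "${0##*/}" in
    pre-commit) run_hook ;;
esac
```

Because the hook lives in .git/hooks, which is not versioned, it protects only the machine it is installed on; make the server-side pre-receive hook from the linked chapter the real policy and treat this as a local safety net. Note that pass init rewrites .gpg-id and re-encrypts the whole store, so that is the one legitimate case where the override is needed.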