install platform specific

• install_linux
• install_mac
• install_windows

For all platforms - recommended

• Rnp do not self sign your Id, so import public ID in pass-simple using gnupg mode.

  On windows gnupg mode not applicable, so:

  $ gpg --edit-key jane@acme.org
  gpg> lsign
  gpg> y
  gpg> save
  

• On windows use gopass instead of pass.

• Review Auth tab in the app and manually fix any bad entries.

  rnp only search key IDs in the .gpgid file that are 16 (or less) characters long.

  These 16 characters are the ones on the right side, as shown by gnupg.

  The gopass format, which uses a key ID starting with 0x, is also supported.

Mandatory

1. Create a note with pass command line, ensure all well

   pass
   pass edit whatever
   

   • If pass store not initialized use gopass setup or follow this: https://www.redhat.com/sysadmin/management-password-store

     This document will walk through creating Private and public keys, and init the repository (setup the .gpgid authorization file).

2. Ensure you can read and write the test note created before.

3. setup git

   Avoid this set by using gopass clone

• if not using gopass.

  Prefer manually to ensure gpg absolute path, also mandatory after git clone.

  # New repository
  git init  
  echo '*.gpg diff=gpg' > ".gitattributes"
  # New and Cloned repository
  git config --local diff.gpg.binary true
  git config --local diff.gpg.textconv "`which gpg` -d --quiet --yes --compress-algo=none --no-encrypt-to"
  

  Or using pass, and correct the diff.gpg.textconv with above.

  export PASSWORD_STORE_DIR=/Volumes/volume\ name/password-store
  pass git init
  

4. Ensure you can git commit -am "commit".

5. create additional change and ensure you can git diff HEAD~ and see last change in clear text.

6. Set restoreWindows in vscode to folder or none

   It is always good practice to close all vscode opened tabs before closing pass simple otherwise vscode might recreate temporary files edited.

Optional/Advanced

1. Protect your '.gpg_id' or specific folders with Git-Enforced Policy (git server and client hooks)

   https://git-scm.com/book/en/v2/Customizing-Git-An-Example-Git-Enforced-Policy

2. Use disk encryption - tomb/veracrypt or mac's diskutil to protect the repository itself.

   password for the disk encryption can be stored in the default repository (~/.password-store/), and then link mounted encrypted repository with ln -s (like mounts in gopass)

3. Consider using yubikey or move secret keys to USB drive

   Use rotate subkey for different devices, or ASDK for team members.

4. Backup your store to other drive or remote ssh server

   https://stackoverflow.com/questions/39471072/how-to-create-a-local-push-destination-on-a-hard-disk-using-git

   Ensure you can git pull and git push

5. protect application configuration file as readonly with chmod, or AppArmor