| 1 | +--- |
| 2 | +layout: page |
| 3 | +title: Gopass Secret Stores |
| 4 | +date: 2025-11-17 |
| 5 | +summary: How the PMC and various SIGs manage passwords and other secrets. |
| 6 | +--- |
| 7 | + |
| 8 | +* TOC |
| 9 | +{:toc} |
| 10 | +{: class="alert alert-primary callout w-33" } |
| 11 | + |
| 12 | +[gopass](https://www.gopass.pw/) is a neat open source tool for secret management. |
| 13 | +It handles (GPG) encryption and stores data in a git repo. |
| 14 | +It's designed primarily to manage passwords, but can effectively manage anything that can be represented in text. |
| 15 | + |
| 16 | +Our existing secret stores that you have access to may be found with a [GitHub search](https://github.com/orgs/voxpupuli/repositories?q=gopass-). |
| 17 | + |
| 18 | +## Getting Started |
| 19 | + |
| 20 | +### Installation |
| 21 | + |
| 22 | +The [upstream docs](https://github.com/gopasspw/gopass/blob/master/docs/setup.md) cover the actual gopass installation. |
| 23 | +We suggest configuring shell autocompletion, as it makes usage much nicer. |
| 24 | + |
| 25 | +### Setting up a secret store |
| 26 | + |
| 27 | +You will need a valid GPG key. |
| 28 | +Validate this with `gpg --list-secret-keys` (please double check the expiration so you don't accidentally lose access at a critical time). |
| 29 | + |
| 30 | +Ask one of the existing secret store admins to grant access. |
| 31 | +- You will need access to the repository itself, usually via a GitHub team. |
| 32 | +- Then the admin will need to add you to the recipients list by running [`gopass recipients add`](https://github.com/gopasspw/gopass/blob/master/docs/commands/recipients.md). |
| 33 | + |
| 34 | +Now you can clone the repo: |
| 35 | + |
| 36 | +```sh |
| 37 | +$ gopass clone [email protected]:voxpupuli/gopass-{name}.git voxpupuli/{name} |
| 38 | +``` |
| 39 | + |
| 40 | +Run `gopass ls` and ensure that you can see all secrets. |
| 41 | +Display a secret to ensure that decryption is working properly. |
| 42 | +For example: |
| 43 | + |
| 44 | +```sh |
| 45 | +$ gopass ls |
| 46 | +gopass |
| 47 | +├── puppet/ |
| 48 | +│ └── forge/ |
| 49 | +│ ├── herculesteam |
| 50 | +│ ├── puppet |
| 51 | +│ └── voxpupuli |
| 52 | +$ gopass show puppet/forge/puppet |
| 53 | +Secret: puppet/forge/puppet |
| 54 | + |
| 55 | +{redacted} |
| 56 | +Username: puppet |
| 57 | +URL: https://forge.puppet.com/login |
| 58 | +``` |
| 59 | + |
| 60 | +## Common commands |
| 61 | + |
| 62 | +Most of the basic interaction you'll need is: |
| 63 | +- `gopass ls` will show an overview of all secrets you have access to. |
| 64 | +- `gopass show name/of/secret` will display the decrypted secret. |
| 65 | +- `gopass edit name/of/secret` is how you update a secret. |
| 66 | + |
| 67 | +For more advanced usage, see the [gopass-cheat-sheet](https://woile.github.io/gopass-cheat-sheet/) or see the [command docs](https://github.com/gopasspw/gopass/tree/master/docs/commands). |
| 68 | + |
| 69 | +To list all GPG keys (people) that have access to the repo, run `gopass recipients` |
| 70 | + |
| 71 | +```terminal |
| 72 | +$ gopass recipients |
| 73 | +Hint: run 'gopass sync' to import any missing public keys |
| 74 | +gopass |
| 75 | +├── 0x2b04d7500fe1c6dd15692bb6779eba5eb9d631b8 => 0x779EBA5EB9D631B8 - Sebastian Rakel <[email protected]> |
| 76 | +├── 0x559BEE876892AA5ECD925F28B352E2A17BB89EF5 => 0xB352E2A17BB89EF5 - Ewoud Kohl van Wijngaarden (Red Hat) <[email protected]> |
| 77 | +├── 0x82349A78E7C0B8070B5980FFBA4D1D955112336F => 0xBA4D1D955112336F - Romain Tartière <[email protected]> |
| 78 | +├── 0x83CE67EC15FA9327838924766CE2B38A165F224B => 0x6CE2B38A165F224B - Robert Waffen <[email protected]> |
| 79 | +├── 0xC10B6298A584A5632E254DA304D659E6BF1C4CC0 => 0x04D659E6BF1C4CC0 - Tim Meusel <[email protected]> |
| 80 | +└── 0xEA338528809E9749E2C3064379E924EBEDA7F3FD => 0x79E924EBEDA7F3FD - Alexander John Fisher <[email protected]> |
| 81 | +``` |
| 82 | + |
| 83 | +## Creating a new secret store |
| 84 | + |
| 85 | +Want a new gopass store for your own SIG? Follow these steps. |
| 86 | + |
| 87 | +1. Create a new blank repo in the `voxpupuli` namespace. |
| 88 | + - ⚠️ *Do not add any content at all -- not even a README or LICENSE* |
| 89 | + - Name it something like `gopass-{name of team}` |
| 90 | + - Give it a description like *Gopass password store for the {name} team* |
| 91 | + - Set it to private |
| 92 | + - Grant access to only the appropriate GitHub teams. Do not grant access to `pmc` or other general teams. |
| 93 | +1. Create the secret store on your local machine |
| 94 | + - `gopass init --store voxpupuli/{name}` |
| 95 | +1. Connect it to the git repo you created |
| 96 | + - `gopass git --store voxpupuli/{name} remote add origin [email protected]:voxpupuli/gopass-{name}.git` |
| 97 | +1. Add other team members. |
| 98 | + - `gopass recipients add --store voxpupuli/{name}` |
| 99 | + - repeat as needed |
| 100 | +1. Push changes to the repo |
| 101 | + - `gopass sync` |
| 102 | +1. Add a quick `README` with information about the secret store. Link to this guide. |
| 103 | + - ⚠️ Make sure you do this *after syncing* at least once. |
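Review bot: The "Ask one of the existing secret store admins to grant access" bullets and step 4 of "Creating a new secret store" (`gopass recipients add --store voxpupuli/{name}`) never say how the new member's GPG public key reaches the admin, or how the admin confirms that the key really belongs to that person before adding it; since a recipient key can decrypt everything in the store, an unverified key is the easiest way for the wrong person to end up with read access. Suggest adding a line telling the joining member to send the full fingerprint from `gpg --fingerprint` over a second channel, and telling the admin to import the public key and compare that fingerprint against what `gopass recipients add` prompts with before confirming; the "please double check the expiration" advice would fit the same paragraph. Also, the `gopass clone` command and the `remote add origin` line render the SSH user and host as `[email protected]`, which reads like an email-redaction artifact in the rendered page rather than the intended `git@github.com:voxpupuli/gopass-{name}.git`; worth checking the source file so readers do not copy the broken form.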