starred/nix-config-ryan4yin
1
0
Fork 0
mirror of https://github.com/ryan4yin/nix-config.git synced 2026-05-23 06:56:52 +02:00
Code Issues Packages Projects Releases 10 Wiki Activity

feat: security - password-store, gpg, age, etc...

Browse Source
This commit is contained in:
Ryan Yin
2024-01-27 15:22:47 +08:00
parent b9b9a55ede
commit 05682dbac9
7 changed files with 155 additions and 52 deletions
Download Patch File Download Diff File Expand all files Collapse all files
home/base/desktop/password-store/README.md
+37
View File
@@ -7,4 +7,41 @@
- Android: <https://github.com/android-password-store/Android-Password-Store>
- Brosers(Chrome/Firefox): <https://github.com/browserpass/browserpass-extension>
## How to change the gpg key of the pass password store?
To ensure security, we should change the GPG key every two or three years. Here is how to do this.
1. Create a new GPG key pair and backup it to a safe place.
2. Ensure you can access both the old and new GPG keys.
3. Update `./default.nix` to use the new GPG sub keys.
4. Check which Key `pass` currently uses:
```bash
cd ~/.local/share/password-store/
# check which key is used by pass
cat .gpg-id
# check which key is really used to encrypt the password
gpg --list-packets path/to/any/password.gpg
```
4. Change the key used by `pass`:
```bash
# change the key used by pass, see `man pass` for more details
# you will be asked to enter the password of both the new and old keys
# then pass will re-encrypt all the passwords with the new key
pass init <new-key-id>
```
5. Check if the key is changed:
```bash
# check which key is used by pass
cat .gpg-id
# check which key is really used to encrypt the password
gpg --list-packets path/to/any/password.gpg
```
6. Delete the old GPG key pair:
```bash
# delete the old key pair
gpg --delete-secret-keys <old-key-id>
gpg --delete-keys <old-key-id>
```
home/base/desktop/password-store/default.nix
+2 -2
View File
@@ -23,14 +23,14 @@ in {
# Hexadecimal key signature is recommended.
# Multiple keys may be specified separated by spaces.
PASSWORD_STORE_KEY = lib.strings.concatStringsSep " " [
"62526A4A0CF43E33" # E - Ryan Yin (Personal) <ryan4yin@linux.com>
"EF824EB73CFD6CC7" # E - Ryan Yin (For pass & ssh only) <ryan4yin@linux.com>
];
# all .gpg-id files and non-system extension files must be signed using a detached signature using the GPG key specified by
# the full 40 character upper-case fingerprint in this variable.
# If multiple fingerprints are specified, each separated by a whitespace character, then signatures must match at least one.
# The init command will keep signatures of .gpg-id files up to date.
PASSWORD_STORE_SIGNING_KEY = lib.strings.concatStringsSep " " [
"433A66D63805BD1A" # S - Ryan Yin (Personal) <ryan4yin@linux.com>
"C2A313F98166C942" # S - Ryan Yin (For pass & ssh only) <ryan4yin@linux.com>
];
PASSWORD_STORE_CLIP_TIME = "60";
PASSWORD_STORE_GENERATED_LENGTH = "15";