Love them or hate them, shared passwords are a fact of life: default user accounts, database users, API keys and so on. pass, the “standard Unix password manager”, stores each password in a directory tree of gpg-encrypted files. Because gpg is used, multiple gpg IDs can be used to encrypt and decrypt the password files, and because the layout is a simple directory and file structure, git can be used to track changes and share the password repository with others.


SETUP

To set up and test sharing passwords between two people, I will build and configure three Ubuntu docker containers: two clients, alice@heavymessing and bob@justtesting, to act as user machines, and a server, git@lastingdamage, to act as the Git repository machine.


Each host requires these packages:

openssh-client - secure shell (SSH) client, for access to remote machines
gnupg - GNU privacy guard - a free PGP replacement
pass - lightweight directory-based password manager
git - fast, scalable, distributed revision control system


gpg

Each user will need to generate their own key pair, export their public key, and import and sign their team members' public keys.

gpg --full-generate-key
# $HOST is set by zsh; in bash use $HOSTNAME. ${HOST} needs the braces, otherwise the shell reads a variable named HOST_public.
gpg --export --armor "$USER@$HOST" > ".gnupg/$USER@${HOST}_public.asc"
gpg --import /root/public_keys/bob@justtesting_public.asc
gpg --edit-key bob@justtesting    # at the gpg> prompt type: lsign, then save

Note: the permission denied error

gpg: agent_genkey failed: Permission denied
Key generation failed: Permission denied

is fixed by

ls -la $(tty)
sudo chown <USERNAME> $(tty)


pass

Each user will need to setup pass.

# $HOST is set by zsh; in bash use $HOSTNAME
pass init "$USER@$HOST"
pass generate "$HOST/$USER" 15
pass generate "gmail/$USER" 15
pass


Git

Each user will need to set up a git repo for their personal password store.

cd .password-store
git init
git add .
git commit -m "first commit"
git remote add origin git@lastingdamage:password-store-$USER.git

Alice sets up a shared password repo.

cd /home/alice/.password-store
git push --set-upstream origin master

echo "shared" > .gitignore    # keep the shared clone out of the personal repo
git clone git@lastingdamage:password-store-shared.git shared
pass init -p shared alice@heavymessing
echo "bob@justtesting" >> /home/alice/.password-store/shared/.gpg-id
pass init -p shared $(cat /home/alice/.password-store/shared/.gpg-id)    # re-encrypt everything under shared/ to both ids
pass generate --no-symbols shared/password 15
pass

cd /home/alice/.password-store/shared
git add .
git commit -m "added shared/password"
git push --set-upstream origin master

Bob clones the shared password repo.

cd /home/bob/.password-store
git push --set-upstream origin master

echo "shared" > .gitignore    # keep the shared clone out of the personal repo
git clone git@lastingdamage:password-store-shared.git shared
pass


TESTS

To gain a level of assurance that the required functionality has been achieved, I conducted the following tests.


1. Alice and Bob have their individual and shared password stores.


2. Alice changes the shared password and pushes the git repo; Bob pulls.


4. Alice removes Bob’s id, changes the shared password and pushes the git repo. Bob pulls the shared repo but is unable to decrypt the password.
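A check that goes with test 4, added here as an example and not part of the original post: after Bob's id is dropped from shared/.gpg-id and the entries are re-encrypted, this script reads a pass entry's OpenPGP packets and reports any recipient key that .gpg-id no longer allows. The key IDs and the sample message are constructed; in a real store the allowed IDs come from resolving each .gpg-id line against the gpg keyring.

```python
# Added example, not from the original post: list the OpenPGP key IDs a pass
# entry (.gpg file) is actually encrypted to by parsing its public-key encrypted
# session key (PKESK) packets (RFC 4880, sections 4.2 and 5.1), then flag any
# key that the directory's .gpg-id no longer allows.  All key IDs and the
# sample message are constructed for the demo.
PKESK_TAG = 1                                  # public-key encrypted session key

def _packets(blob: bytes):
    """Yield (tag, body) for each packet; old and new header formats handled."""
    i = 0
    while i < len(blob):
        ctb = blob[i]; i += 1
        if ctb & 0x40:                         # new-format header
            tag, first = ctb & 0x3F, blob[i]; i += 1
            if first < 192:
                length = first
            elif first < 224:
                length = ((first - 192) << 8) + blob[i] + 192; i += 1
            elif first == 255:
                length = int.from_bytes(blob[i:i + 4], "big"); i += 4
            else:                              # partial body lengths: give up
                return
        else:                                  # old-format header
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:                     # indeterminate: rest of message
                length = len(blob) - i
            else:
                n = (1, 2, 4)[ltype]
                length = int.from_bytes(blob[i:i + n], "big"); i += n
        yield tag, blob[i:i + length]
        i += length

def recipients(blob: bytes) -> list[str]:
    """64-bit key IDs (upper-case hex) named by the version-3 PKESK packets."""
    return [body[1:9].hex().upper() for tag, body in _packets(blob)
            if tag == PKESK_TAG and len(body) >= 9 and body[0] == 3]

def stale_recipients(blob: bytes, allowed: set[str]) -> list[str]:
    """Keys that can still decrypt `blob` although .gpg-id no longer lists them."""
    return [k for k in recipients(blob) if k not in allowed]

# Constructed sample: PKESK for Alice (new-format header) and Bob (old-format
# header), then a dummy SEIPD (tag 18) packet.  The MPI is a toy 8-bit value.
ALICE, BOB = "0A1B2C3D4E5F6071", "9F8E7D6C5B4A3928"     # constructed key IDs

def _pkesk(keyid_hex: str, new_format: bool) -> bytes:
    body = b"\x03" + bytes.fromhex(keyid_hex) + b"\x01\x00\x08\x2a"   # v3, key ID, RSA, MPI
    return bytes([0xC1 if new_format else 0x84, len(body)]) + body

SAMPLE = _pkesk(ALICE, True) + _pkesk(BOB, False) + bytes([0xD2, 3]) + b"\x01\x00\x00"
```

Re-encrypting only protects the new ciphertext: earlier commits in the shared repo still hold the password encrypted to Bob's key, so removing an id should go together with changing the password itself, as test 4 does.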


Conclusion

pass is very easy to use, and git and gpg are straightforward, making password sharing simple and secure.

