If you are not aware of pass and gopass, you should be. Both are excellent CLI tools for managing secrets, especially if you're a Yubikey user. Say what you may about GPG and its many woes and many blows, I still believe it's an excellent tool for the management of programmatically used secrets when coupled with a physical token like a Yubikey.
That said, that doesn’t erase its inherent complexity. Specifically, GPG imposes a rather significant foot-gun factor that requires mitigation. Locking yourself out of your precious secrets is fairly easy and requires planning to avoid.
I personally do the following:
- I maintain my primary root key offline on paper
- That root key has both a root Certify key, and a working subkey that can Sign, Encrypt, and Authenticate
- I generate working sub-keys that I load on a Yubikey with a one year validity
- I maintain a backup root key offline on paper
- That backup root key has both a root Certify key, and a working subkey that can Sign, Encrypt, and Authenticate
- I generate backup working sub-keys that I load on a separate Yubikey
- I make sure my primary and backup working subkeys have offset expiries by at least one month
This creates a dance (like I’m experiencing right now) where I need to:
- Pull out my root key from the safe and load it up
- Generate a new set of working primary subkeys, load that into my main Yubikey
- Change the recipients of my Gopass store to target my new subkeys by editing `.gpg-id` and specifying subkeys in the `0xSUBKEY!` format
  - This allows me to encrypt secrets for multiple subkeys for the same root signing key
- Re-encrypt all my secrets with `gopass fsck --decrypt`
  - This is a new feature available in Gopass > 1.13.1 from commit 8e3c066 onwards
- Update my SSH key, which is derived from my Yubikey's Authenticate subkey, in all my everythings …
  - Personal servers
  - Work servers
  - Personal source control
  - Work source control
- Yay securitah …
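Two of the steps above are easy to get subtly wrong: a `.gpg-id` entry without the trailing `!` silently selects whichever encryption subkey GPG prefers rather than the exact one you intended, and the "offset expiries by at least one month" rule only helps if you actually verify it before re-encrypting. The script below is an added example written for this post, not part of gopass or of the author's setup. It checks that every `.gpg-id` entry is in the exact-subkey `0xKEYID!` form, that each named key is an encryption-capable subkey, and that the two subkeys' expiries are at least 30 days apart, reading the key listing in `gpg --list-keys --with-colons` format. The key ids, timestamps and `.gpg-id` contents are constructed so it runs offline; in real use you would feed it `cat .gpg-id` and the live `gpg --list-keys --with-colons` output.

```bash
#!/usr/bin/env bash
# Added example, not from the original post or from gopass itself: pre-flight
# checks on a gopass store's recipients before `gopass fsck --decrypt`.
# Input format is `gpg --list-keys --with-colons`; the sample data below is
# CONSTRUCTED (fake key ids and dates) so the script runs offline.

MIN_OFFSET_DAYS=30

# Constructed .gpg-id: one exact-subkey recipient per root key.
SAMPLE_GPG_ID='0x1111111111111111!
0x2222222222222222!'

# Constructed colon listing. Fields: 1 record type, 5 key id, 6 created,
# 7 expires (epoch seconds), 12 capabilities (e = encrypt, s = sign, a = auth).
# Subkey 1111... expires 2026-01-01, subkey 2222... expires 2026-03-01.
SAMPLE_COLONS='pub:u:4096:1:AAAAAAAAAAAAAAAA:1700000000:::u:::scSC::::::23::0:
sub:u:4096:1:1111111111111111:1700000000:1767225600:::::esa::::::23:
pub:u:4096:1:BBBBBBBBBBBBBBBB:1700000000:::u:::scSC::::::23::0:
sub:u:4096:1:2222222222222222:1700000000:1772323200:::::esa::::::23:'

# Return 0 if every non-empty .gpg-id line is exactly 0x<16 hex digits>! .
gpgid_entries_ok() {
    bad=$(printf '%s\n' "$1" | grep -v '^$' | grep -Evc '^0x[0-9A-Fa-f]{16}!$') || true
    [ "${bad:-0}" -eq 0 ]
}

# Strip the 0x prefix and the ! suffix to get the bare key id.
keyid_of() {
    printf '%s\n' "$1" | sed -e 's/^0x//' -e 's/!$//'
}

# Print the expiry (epoch seconds) of the encryption-capable subkey with the
# given id ($1) from the colon listing ($2); print nothing if there is none.
enc_subkey_expiry() {
    printf '%s\n' "$2" | awk -F: -v k="$1" \
        '$1 == "sub" && $5 == k && index($12, "e") { print $7 }'
}

# Print the whole-day offset between the expiries of subkeys $1 and $2
# (listing in $3); fail if either is not an encryption subkey.
expiry_offset_days() {
    e1=$(enc_subkey_expiry "$1" "$3")
    e2=$(enc_subkey_expiry "$2" "$3")
    if [ -z "$e1" ] || [ -z "$e2" ]; then
        return 1
    fi
    d=$(( e1 - e2 ))
    if [ "$d" -lt 0 ]; then
        d=$(( -d ))
    fi
    echo $(( d / 86400 ))
}

# Top-level check: 0 if both .gpg-id entries are well-formed exact subkeys,
# both are encryption-capable, and their expiries are >= MIN_OFFSET_DAYS apart.
verify_recipients() {
    gpgid="$1"
    colons="$2"
    gpgid_entries_ok "$gpgid" || return 1
    k1=$(keyid_of "$(printf '%s\n' "$gpgid" | sed -n 1p)")
    k2=$(keyid_of "$(printf '%s\n' "$gpgid" | sed -n 2p)")
    days=$(expiry_offset_days "$k1" "$k2" "$colons") || return 1
    [ "$days" -ge "$MIN_OFFSET_DAYS" ]
}

if verify_recipients "$SAMPLE_GPG_ID" "$SAMPLE_COLONS"; then
    echo "recipients OK: exact subkeys, expiries offset by >= ${MIN_OFFSET_DAYS} days"
else
    echo "recipients NOT OK: fix .gpg-id or subkey expiries before re-encrypting"
fi
```

The `!` suffix is what makes the check meaningful: without it GPG treats the id as "any suitable subkey of this key", which is exactly the ambiguity you want to remove when primary and backup subkeys hang off the same root. Run the format check on a store that has a single shared root key too; it costs nothing and catches a hand-edited `.gpg-id` before the store is rewritten.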
I’ll end up doing the same thing again in a few weeks’ time for the backup keys. The result is that I maintain a Gopass store that can be decrypted with:
- Either of my primary or backup offline keys
- Either of my primary or backup Yubikeys
Phew … but why do I have so many backups of my keys, you ask? F*****g up makes you a little bit more paranoid every time. >_>