Monday, November 11, 2013

Learn git and migrate to password-store

A blog entry detailing how I learned something about administering git repositories and, at the same time, migrated my passwords from kwalletmanager (which I found difficult to back up and keep synchronized between machines), to password-store, a command-line application that optionally works with a git repository.

Git reading list

Install password-store

Installing password-store on openSUSE is not exactly user-friendly. The initiated can just go to the password-store project on the openSUSE Build Service and they will know what to do next. For the uninitiated, here are magic incantations for openSUSE 12.3 and openSUSE 13.1:
  • Since password-store isn't in the main openSUSE repo yet, I have to add the OBS repository corresponding to my openSUSE version:
    # ### for openSUSE 12.3
    # zypper ar \
    http://download.opensuse.org/repositories/security:/passwordmanagement/openSUSE_12.3/ \
    'security:passwordmanagement'
    # ### for openSUSE 13.1
    # zypper ar \
    http://download.opensuse.org/repositories/security:/passwordmanagement/openSUSE_13.1/ \
    'security:passwordmanagement'
    
  • Refresh the repo:
    # zypper ref 'security:passwordmanagement'
    
  • Install the package:
    # zypper in password-store
    
  • Read the manpage:
    # man pass
    

Set up a bare git repository

My setup for working on a directory tree from multiple computers is based on a "bare" git repository (i.e. one which is not simultaneously a working copy). This bare repository can be anywhere. For example, it could be on a dedicated server. Or it could be on a workstation. Or on a laptop. The salient point being: don't make multiple copies of it. This is the master, or origin in git terminology, from which I will clone off working copies to each computer where I work.
  • Initialize the bare repository:
    $ git init --bare git-repo/password-store
    Initialized empty Git repository in /home/smithfarm/git-repo/password-store/
    
  • Clone the bare repository to ~/.password-store (which is where password-store looks for its data):
    $ cd
    $ git clone git-repo/password-store .password-store
    Cloning into '.password-store'...
    warning: You appear to have cloned an empty repository.
    done.
    

Initialize password store

Note: before I can go any further, I have to know my GPG key. (GPG keys are pretty easy to set up and administer, and help is just a Google away.)
  • Initialize my local password store:
    $ cd
    $ pass init [MY_GPG_KEY_ID]
    [master (root-commit) 1742584] Set GPG id to [MY_GPG_KEY_ID].
     1 file changed, 1 insertion(+)
     create mode 100644 .gpg-id
    
  • Verify that origin is the bare git repo I just set up:
    $ cd ~/.password-store
    $ git remote -v
    origin  /home/smithfarm/git-repo/password-store (fetch)
    origin  /home/smithfarm/git-repo/password-store (push)
    

Add a password

  • Add a password
    $ cd
    $ pass insert testpass
    Enter password for testpass: [type "test"]
    Retype password for testpass: [type "test" again]
    gpg: [MY_GPG_KEY_ID]: skipped: public key already present
    [master 2821d80] Added given password for testpass to store.
     1 file changed, 13 insertions(+)
     create mode 100644 testpass.gpg
    
  • List my password store:
    $ pass ls
    Password Store
    └── testpass
    
  • Push to the git repo:
    $ cd ~/.password-store
    $ git push
    Counting objects: 6, done.
    Delta compression using up to 8 threads.
    Compressing objects: 100% (4/4), done.
    Writing objects: 100% (6/6), 952 bytes, done.
    Total 6 (delta 0), reused 0 (delta 0)
    To /home/smithfarm/git-repo/password-store
     * [new branch]      master -> master
    

Clone the bare repo to another computer

Now I clone the bare repo containing my test password to a second computer (e.g. a laptop) where I also need the password store.
  • Make sure I'm really on the second computer:
    $ hostname --fqdn
    second.computer
    
  • Install password-store on this computer (it has to be installed on every computer where I intend to use it)
  • Clone the bare repo:
    $ cd
    $ git clone [MY_USERNAME]@[FIRST_COMPUTER]:git-repo/password-store .password-store
    Cloning into '.password-store'...
    Password: 
    remote: Counting objects: 6, done.
    remote: Compressing objects: 100% (4/4), done.
    remote: Total 6 (delta 0), reused 0 (delta 0)
    Receiving objects: 100% (6/6), done.
    Checking connectivity... done
    
  • List passwords:
    $ pass ls
    Password Store
    └── testpass
    
  • While I'm on the second computer, add a second test password:
    $ cd
    $ pass insert secondtestpass
    Enter password for secondtestpass: [type "test"]
    Retype password for secondtestpass: [type "test" again]
    [master f91c264] Added given password for secondtestpass to store.
     1 file changed, 13 insertions(+)
     create mode 100644 secondtestpass.gpg
    
  • List passwords again:
    $ pass ls
    Password Store
    ├── secondtestpass
    └── testpass
    
  • Push the updates to the remote (bare) git repository:
    $ cd ~/.password-store
    $ git push
    Password: [type my password on the first computer; 'git' is logging in via SSH]
    Counting objects: 4, done.
    Delta compression using up to 4 threads.
    Compressing objects: 100% (3/3), done.
    Writing objects: 100% (3/3), 784 bytes | 0 bytes/s, done.
    Total 3 (delta 0), reused 0 (delta 0)
    To smithfarm@[FIRST_COMPUTER]:git-repo/password-store
       2821d80..f91c264  master -> master
    

Update the working copy on the first computer

To use 'secondtestpass' on the first computer, I have to update the working copy there:
  • Make sure I'm really on the first computer:
    $ hostname --fqdn
    first.computer
    
  • Update the working copy:
    $ cd ~/.password-store
    $ git pull
    remote: Counting objects: 4, done.
    remote: Compressing objects: 100% (3/3), done.
    remote: Total 3 (delta 0), reused 0 (delta 0)
    Unpacking objects: 100% (3/3), done.
    From /home/smithfarm/git-repo/password-store
       2821d80..f91c264  master     -> origin/master
    Updating 2821d80..f91c264
    Fast-forward
     secondtestpass.gpg | 13 +++++++++++++
     1 file changed, 13 insertions(+)
     create mode 100644 secondtestpass.gpg
    
  • Prove to myself that all is good:
    $ pass ls
    Password Store
    ├── secondtestpass
    └── testpass
    

Summary

To summarize: when I add a password to the password store (on any machine), I should push to the remote repo as soon thereafter as possible. To make sure my working copy is up to date, I should pull from the remote often.

Note that this procedure can be used for any directory tree, not just the password-store one.
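
A check for the push/pull discipline summarized above, as an added example that is not part of the original post: store_sync_state (a hypothetical helper name) reports whether a store's working copy has unpushed commits, is behind its upstream, or contains uncommitted files. It assumes the store is a git clone whose current branch tracks a remote branch, and it honors pass's PASSWORD_STORE_DIR variable.

```shell
#!/bin/sh
# Added example (not from the original post): report whether a password-store
# working copy is in sync with the bare repository it was cloned from.
# Assumption: the current branch tracks a remote branch (true after "git clone").

# store_sync_state [DIR]
# Prints: in-sync | unpushed:N | behind:N | diverged:A/B | dirty | no-upstream | no-store
# Returns 0 only when the working copy is clean and identical to its upstream.
store_sync_state() (
    dir=${1:-${PASSWORD_STORE_DIR:-$HOME/.password-store}}
    cd "$dir" 2>/dev/null || { echo no-store; return 3; }

    # pass commits every change itself, so uncommitted or untracked files
    # mean something was placed in the store by hand and deserves a look.
    if [ -n "$(git status --porcelain 2>/dev/null)" ]; then
        echo dirty; return 1
    fi

    # Refresh the remote-tracking refs. If the fetch fails (e.g. offline),
    # the comparison below uses the last state this clone knew about.
    git fetch --quiet 2>/dev/null || true

    # Output is "A<TAB>B": commits only on HEAD, commits only on the upstream.
    counts=$(git rev-list --left-right --count 'HEAD...@{upstream}' 2>/dev/null) \
        || { echo no-upstream; return 2; }
    set -- $counts
    ahead=$1
    behind=$2

    if [ "$ahead" -eq 0 ] && [ "$behind" -eq 0 ]; then
        echo in-sync; return 0
    fi
    if [ "$behind" -eq 0 ]; then
        echo "unpushed:$ahead"; return 1    # passwords that exist only on this machine
    fi
    if [ "$ahead" -eq 0 ]; then
        echo "behind:$behind"; return 1     # this machine may hold stale passwords
    fi
    echo "diverged:$ahead/$behind"; return 1
)
```

Called with no argument it inspects ~/.password-store; "unpushed" means a git push is due and "behind" means a git pull is due.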

2 comments:

  1. Thank you for the introduction into this cool tool.
    I like it. ;)

    I'd like to change push command to this:

    cd .password-store/
    mcaj@my-machine:~/.password-store> git push
    Counting objects: 43, done.
    Delta compression using up to 8 threads.
    Compressing objects: 100% (42/42), done.
    Writing objects: 100% (42/42), 11.63 KiB | 0 bytes/s, done.
    Total 42 (delta 13), reused 0 (delta 0)
    To /home/mcaj/git-repo/password-store/
    d4fd587..f2e62d5 master -> master

    Then it is clearer for git beginners that they have to be in the .password-store directory when they want to push changes into the local git-repo.

    1. Thanks, Martin -- good point. Fixed now.