Setting up pass for ios using gpg serve key using https on a local network
if you use pass to securely store your passwords, have them backed up to a git repository, and use pass-for-ios to access the passwords on an ios device, and want to set up pass-for-ios (SSH and PGP keys) using the gpg-serve-key utility, but don’t want to serve the keys from an internet-accessible URL, here is a guide. (phew!)

this guide assumes you use letsencrypt to generate https (TLS) certificates for your other needs, on a machine running nginx. if you don’t use letsencrypt, or don’t run nginx, you may still be able to use this, changing those bits.
caveat: in addition to other ignorances, i’m particularly ignorant of things relating to gpg. in particular, in the invocation of gpg-serve-key below, i’m not sure if johndoe@example.com is really the best KEY_ID to use, rather than some other, maybe more specific, “key Id”.
on linux, i use pass to securely store my passwords, and i back up these passwords to a git repository. to make use of these passwords on my ios devices, i use pass-for-ios. setting up pass-for-ios requires transferring an SSH key [fn:: though you also have the option of using a password] to access the git repository holding the passwords, and the public and private PGP keys for the store. an easy way of doing this is using the gpg-serve-key utility.

the most straightforward way of using gpg-serve-key is to store your keys at a publicly-accessible URL. this can be made fairly secure using https, and gpg-serve-key’s methods of obscuring the URL (a random port number and a random string inserted into the path). however, i’d rather not have even that level of exposure. so, i prefer transferring my keys on my local network.
- there is a machine public.example.com
  - on the public internet
  - for which you have shell/root access
  - which runs nginx, and has a server entry for tmp.example.com
  - and on which you have set up letsencrypt for tmp.example.com
- assume you have access to, and control of, the DNS records for the domain example.com (or, at least, a subdomain tmp.example.com), and that tmp.example.com points to public.example.com’s IP address. [fn:: For me, this is the normal configuration. but, whenever you need to change it, wait an hour or two for this to propagate; the time required (the record’s TTL) will be defined in the DNS configuration for example.com or tmp.example.com.]
- assume you have a local machine from which you want to serve your keys, with a local IPv4 address of 192.168.5.23.
- assume you’ve installed gpg-serve-key on your local machine at ~/bin/password-store/passforios/gpg-serve-key/gpg-serve-key.
- assume that, on your local machine, your SSH private key is located in ~/.ssh/id_rsa. [fn:: If you use a password to access your git repository, ignore the bits about id_rsa below, and leave out the --serve-file argument to gpg-serve-key.]
first, we need to get the right certificates on your local machine. we get them from the place that letsencrypt stores them on public.example.com.

- on public.example.com, do
  sudo certbot --nginx renew
  to make sure the certificates for tmp.example.com are up-to-date.
- still on public.example.com, [fn:: archive contains the current and past certificates; live contains symbolic links into archive for the current certificate. the links are relative, which is why both directories are copied: they keep resolving after extraction somewhere else.]
  sudo tar cf temporary.tar /etc/letsencrypt/{archive,live}/tmp.example.com/
  (this tarball contains the private key for tmp.example.com’s certificate, so don’t leave it lying around. note also that tar drops the leading /, so the contents extract as etc/letsencrypt/... below whatever directory you extract in; the gpg-serve-key paths below rely on that.)
- then, on your local machine, build a temporary directory and copy those certificates.
  mkdir /var/tmp/pass-ios-serve-key-localnet
  cd /var/tmp/pass-ios-serve-key-localnet
  scp public.example.com:temporary.tar .
  tar xf temporary.tar && rm temporary.tar
  /var/tmp is shared with every other user of the machine, so check with ls -l etc/letsencrypt/archive/tmp.example.com/ that the privkey*.pem file is readable only by you.
- back on public.example.com, remove the .tar file.
  rm temporary.tar
- set the dns configuration for tmp.example.com to point to the local machine’s local network IPv4 address (which we assumed above to be 192.168.5.23). and, wait for that to propagate; dig +short tmp.example.com from a machine on the local network tells you when it has. one caveat: some home routers’ DNS rebind protection (dnsmasq’s stop-dns-rebind, on by default in OpenWrt) refuses to hand out private addresses for public names, as a defense against DNS rebinding. if tmp.example.com doesn’t resolve on the ios device, that is the first thing to check.
- figure out which public key you want to load. i.e.,
  gpg --list-public-keys
  assume the answer is johndoe@example.com. (if more than one key carries that address, gpg --list-keys --keyid-format long shows their long key IDs, so you can tell which one you are about to serve.)
- on local machine (just for ease):
  a=~/bin/password-store/passforios/gpg-serve-key/gpg-serve-key
- now, start gpg-serve-key, from /var/tmp/pass-ios-serve-key-localnet, since the certificate paths are relative to it:
  ${a} --cert-file etc/letsencrypt/live/tmp.example.com/cert.pem --key-file etc/letsencrypt/live/tmp.example.com/privkey.pem --serve-file ~/.ssh/id_rsa johndoe@example.com
  it will print out a list of URLs, one for the private PGP key, one for the public PGP key, and one for the SSH key.
- open Pass on ios.
- “Settings: Password Repository”
- under “Authentication Method”, hit the “i” (info, “?”-like) button under “SSH Key”.
- choose “Download from URL”
- on the ios device, enter the correct URL for id_rsa, e.g.:
  https://tmp.example.com:41373/uvQzZ5rwixE/id_rsa
  (maybe copy this url, for use below accessing the PGP keys.)
- click “Done”. it takes a few seconds, then the SSH key should be imported.
- now, click “PGP Key” (currently listed as “Not Set”), and “Download from URL”
- download from the URLs:
  https://tmp.example.com:41373/uvQzZ5rwixE/johndoe@example.com-public.key
  https://tmp.example.com:41373/uvQzZ5rwixE/johndoe@example.com-secret.key
  (note that the order in the ios dialog is reversed from that printed by gpg-serve-key.)
- click “Save”
- settings: Password Repository: set the repository URL
  git@example.com:johndoe/mypasswords.git
  (branch name “master”; username “git”)
- click “Clone”
- ios settings, “Autofill Passwords”, “Autofill Passwords”, enable “Pass”. (maybe Pass does this automatically?)
- stop gpg-serve-key once the three downloads have finished; the URLs are only as secret as the server is short-lived.
- you probably want to remove /var/tmp/pass-ios-serve-key-localnet and its contents: it holds the private key for tmp.example.com’s certificate, which has no business staying on the local machine.
- change your dns configuration to point tmp.example.com back to the same address as public.example.com (and leave it in that configuration, ready for the next time you do this).
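the whole procedure above, as a script. this is an added example, not part of the original guide and not code from the pass-for-ios project; it uses the guide’s placeholder names (public.example.com, tmp.example.com, 192.168.5.23, johndoe@example.com, ~/.ssh/id_rsa and the gpg-serve-key path) and its own variable names. beyond the steps as written, it streams the letsencrypt files over ssh so no tarball with the private key is ever written on public.example.com, checks that cert.pem and privkey.pem belong together and name tmp.example.com, waits until the name really resolves to the LAN address before serving, and deletes the copied private key when gpg-serve-key exits. it assumes ssh to public.example.com works non-interactively, that sudo there can run tar without a tty (NOPASSWD or cached credentials), and that openssl and dig are installed locally.

```shell
#!/bin/sh
# Added example (not the guide's or pass-for-ios's own code): the guide's
# steps as one script, with the cert copy streamed over ssh, sanity checks
# on the certificate, an explicit wait for DNS, and cleanup on exit.
# Assumes: non-interactive ssh to PUBLIC_HOST, tty-less sudo there,
# openssl and dig on the local machine. Names below are the guide's
# placeholders; override them in the environment as needed.

PUBLIC_HOST=${PUBLIC_HOST:-public.example.com}
SERVE_HOST=${SERVE_HOST:-tmp.example.com}
LAN_IP=${LAN_IP:-192.168.5.23}
KEY_ID=${KEY_ID:-johndoe@example.com}
SSH_KEY=${SSH_KEY:-$HOME/.ssh/id_rsa}
GPG_SERVE_KEY=${GPG_SERVE_KEY:-$HOME/bin/password-store/passforios/gpg-serve-key/gpg-serve-key}
WORK=${WORK:-/var/tmp/pass-ios-serve-key-localnet}
LIVE="etc/letsencrypt/live/$SERVE_HOST"   # relative: tar drops the leading /

# 0 if the dotted-quad IPv4 address is in 10/8, 172.16/12 or 192.168/16.
# Publishing any other address under SERVE_HOST would point devices outside
# the LAN at the served keys, so serve() refuses to start.
is_rfc1918() {
  case "$1" in
    10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
  esac
  return 1
}

# First A record for a name. Its own function so a test (or another
# resolver) can replace it.
resolve_a() {
  dig +short A "$1" | grep -E '^[0-9]+(\.[0-9]+){3}$' | head -n 1
}

# Poll until NAME resolves to EXPECTED, at most TRIES times, DELAY seconds
# apart. The old record stays visible for its TTL, so this is the guide's
# "wait for that to propagate" made explicit. Returns 1 when time runs out.
wait_for_dns() {
  name=$1; expected=$2; tries=${3:-60}; delay=${4:-10}
  while [ "$tries" -gt 0 ]; do
    got=$(resolve_a "$name")
    if [ "$got" = "$expected" ]; then
      return 0
    fi
    tries=$((tries - 1))
    if [ "$tries" -gt 0 ]; then sleep "$delay"; fi
  done
  echo "$name still resolves to '${got:-nothing}', expected $expected" >&2
  return 1
}

# Copy archive/ and live/ for SERVE_HOST into WORK through a pipe, so the
# private key is never written to disk on the public host. umask 077 makes
# WORK and everything extracted into it owner-only (/var/tmp is shared).
# The symlinks in live/ are relative, so they still resolve under WORK.
fetch_certs() {
  (umask 077 && mkdir -p "$WORK") || return 1
  ssh "$PUBLIC_HOST" "sudo tar cf - /etc/letsencrypt/archive/$SERVE_HOST /etc/letsencrypt/live/$SERVE_HOST" \
    | (umask 077 && cd "$WORK" && tar xf -)
  # a failed ssh is hidden by the pipe's exit status; check_certs catches it
}

# Refuse to serve with the wrong material: the public key inside cert.pem
# must equal the one derived from privkey.pem, the SAN list must name
# SERVE_HOST, and the certificate must be valid for at least another day.
check_certs() {
  cert=$WORK/$LIVE/cert.pem; key=$WORK/$LIVE/privkey.pem
  [ -r "$cert" ] && [ -r "$key" ] || { echo "missing $cert or $key" >&2; return 1; }
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey) || return 1
  key_pub=$(openssl pkey -in "$key" -pubout) || return 1
  [ "$cert_pub" = "$key_pub" ] || { echo "cert.pem and privkey.pem do not match" >&2; return 1; }
  openssl x509 -in "$cert" -noout -text | grep -q "DNS:$SERVE_HOST" \
    || { echo "certificate does not name $SERVE_HOST" >&2; return 1; }
  openssl x509 -in "$cert" -noout -checkend 86400 >/dev/null \
    || { echo "certificate expires within a day; run certbot renew first" >&2; return 1; }
}

# Start gpg-serve-key from WORK (its --cert-file/--key-file paths are
# relative, as in the guide) and remove WORK, private key included, when
# it exits for any reason, Ctrl-C included.
serve() {
  is_rfc1918 "$LAN_IP" || { echo "$LAN_IP is not a private address; refusing" >&2; return 1; }
  wait_for_dns "$SERVE_HOST" "$LAN_IP" || return 1
  trap 'rm -rf "${WORK:?}"' EXIT
  trap 'exit 130' INT TERM
  cd "$WORK" || return 1
  "$GPG_SERVE_KEY" --cert-file "$LIVE/cert.pem" --key-file "$LIVE/privkey.pem" \
    --serve-file "$SSH_KEY" "$KEY_ID"
}

main() { fetch_certs && check_certs && serve; }

# Runs the procedure only when asked, e.g.:  sh serve-keys-on-lan.sh run
if [ "${1:-}" = "run" ]; then main; fi
```

saved as, say, serve-keys-on-lan.sh, `sh serve-keys-on-lan.sh run` does everything up to the point where gpg-serve-key prints its URLs; the dns change itself is still done by hand, and the script simply waits for it. do the ios steps above, then Ctrl-C: the EXIT trap removes the working directory, so the only manual cleanup left is pointing tmp.example.com back at public.example.com. if you authenticate to the git repository with a password rather than a key, drop `--serve-file "$SSH_KEY"` from serve(), as the guide’s footnote says.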