Set-ExecutionPolicy RemoteSigned -scope CurrentUser
iwr -useb get.scoop.sh | iex
scoop install gopass
First install Go on your platform of choice. Then install gopass with:
go install github.com/gopasspw/gopass@latest
(On toolchains older than Go 1.16 use go get github.com/gopasspw/gopass instead; since Go 1.18 go get no longer installs binaries.) Upgrading later is the same command, with no separate -u step:
go install github.com/gopasspw/gopass@latest
Gopass works on the basis of Pretty Good Privacy (PGP, via GnuPG): every secret is encrypted to the public keys of all recipients of the store, so only the holders of the matching private keys can decrypt it. Your key pair is therefore both your identity in the team and the thing that protects the secrets; guard the private key accordingly.
First, generate a PGP key if you don’t already have one:
When asked, accept all default prompts by pressing the ENTER key.
Bootstrap team store
gopass --yes setup --remote [email protected]:MQSdk/secrets.git --alias secrets --name "Jane Doe" --email "[email protected]"
If you already have your own secrets repository in the .password-store directory, you can mount the team repository as an additional substore:
gopass clone [email protected]:MQSdk/secrets.git secrets --sync gitcli
Want a graphical interface? Install Gopass UI.
Next, we mark your team's keys as ultimately trusted with the trust script below. This is needed because gpg refuses to encrypt to a key whose validity it cannot establish, so without it gopass cannot re-encrypt a secret for the whole team when you add or change one (decrypting with your own key needs no extra trust). Note that the loop covers every key in your keyring, not only your team's, so run it as written only on a keyring dedicated to gopass; otherwise restrict it to the fingerprints listed in the store's .gpg-id file. Verify each fingerprint with its owner out of band before trusting it.
for fpr in $(gpg --list-keys --with-colons | awk -F: '$1 == "fpr" {print $10}' | sort -u); do printf '5\ny\n' | gpg --command-fd 0 --expert --edit-key "$fpr" trust; done
When onboarding a new user, first add them as a recipient; gopass re-encrypts the store for their key and gopass sync pushes the result. If they publish their key on GitHub this is as easy as
curl -sSL https://github.com/MQS-mark.gpg | gpg --import
gopass recipients add [email protected]
gopass sync
followed by the trust script above, once you have confirmed with them that the fingerprint gpg reports for the imported key is really theirs.
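As an added example (not part of the original page or of gopass itself), here is a scoped version of the trust step that serves both the trust script and the onboarding flow above: it trusts only the keys listed in the store's .gpg-id file instead of every key in the keyring. It assumes gpg is on PATH (override with GPG_CMD, for example GPG_CMD=echo for a dry run) and that the store's recipient list is the .gpg-id file as pass and gopass write it; the --with-colons output and all fingerprints below are constructed sample data.

```sh
#!/bin/sh
# Added example, not gopass code: ultimately trust only the keys that are
# recipients of the team store. Assumptions: the recipient list is the store's
# .gpg-id file (one fingerprint or long key ID per line) and GPG_CMD names the
# gpg binary (GPG_CMD=echo gives a dry run that prints the commands).
GPG_CMD="${GPG_CMD:-gpg}"

# Constructed sample of `gpg --list-keys --with-colons` output: one team key
# (Jane) and one unrelated key that happens to sit in the same keyring.
SAMPLE_COLONS='pub:u:4096:1:89ABCDEF01234567:1600000000:::u:::scESC::::::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:u::::1600000000::0000000000000000000000000000000000000001::Jane Doe <jane@example.org>::::::::::0:
pub:-:4096:1:0123456789ABCDEF:1600000000:::-:::scESC::::::23::0:
fpr:::::::::89ABCDEF0123456789ABCDEF0123456789ABCDEF:
uid:-::::1600000000::0000000000000000000000000000000000000002::Random Stranger <x@example.net>::::::::::0:'

# Fingerprints are field 10 of "fpr" records. Matching on the record type
# rather than on /fpr:/ avoids picking up a uid whose name contains "fpr:".
fingerprints_from_colons() {
    awk -F: '$1 == "fpr" { print $10 }' | sort -u
}

# A v4 fingerprint is exactly 40 uppercase hex digits; reject anything else so
# an unexpected line can never end up as an --edit-key argument.
is_fingerprint() {
    case "$1" in *[!0-9A-F]*) return 1 ;; esac
    [ "${#1}" -eq 40 ]
}

# Read --with-colons output on stdin and print only the fingerprints whose key
# is listed in the .gpg-id file ($1). A long key ID is the last 16 hex digits
# of the fingerprint, so a suffix match accepts both forms of entry.
recipient_fingerprints() {
    gpg_id_file="$1"
    fingerprints_from_colons | while IFS= read -r fpr; do
        is_fingerprint "$fpr" || continue
        while IFS= read -r id || [ -n "$id" ]; do
            id="${id#0x}"
            case "$id" in '' | '#'*) continue ;; esac
            case "$fpr" in *"$id") printf '%s\n' "$fpr"; break ;; esac
        done < "$gpg_id_file"
    done
}

# Set ownertrust to ultimate (5) for one key. printf is POSIX; `echo -e` is
# not, and in plain sh prints a literal "-e" that gpg then misreads.
trust_ultimately() {
    printf '5\ny\n' | "$GPG_CMD" --command-fd 0 --expert --edit-key "$1" trust
}

# Trust exactly the recipients of the store whose .gpg-id file is $1.
trust_recipients() {
    recipient_fingerprints "$1" | while IFS= read -r fpr; do
        trust_ultimately "$fpr"
    done
}

# Real use, after verifying every fingerprint with its owner out of band
# (/path/to/team-store is the checkout directory of the team repository):
#   gpg --list-keys --with-colons | trust_recipients /path/to/team-store/.gpg-id
```

The sample key IDs are fabricated and will not match anything in a real keyring; against a real one, run the last comment's pipeline with GPG_CMD=echo first to see exactly which keys would be touched.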
Below are examples of common operations when working with gopass.
To print a secret to your shell:
gopass secrets/hetzner/gitea/worldofgeese
You can also search by a fragment of the name:
gopass worldofgeese
lists every secret whose path contains worldofgeese and, if there is exactly one match, shows it.
You can copy a secret straight to the clipboard instead of printing it:
gopass -c worldofgeese
Generate a new random secret:
gopass generate secrets/pizza-delivery-passcode
Add a new user to the secrets store (this re-encrypts the store for their key; sync pushes the result):
gopass recipients add $USER_EMAIL
gopass sync
Summon injects secrets as environment variables into any process it starts. Here we use it with gopass to hand secrets to our Docker containers without writing them into compose files, the repository or your shell history. Be aware that what summon places in the environment is still visible to anyone who can run docker inspect on the container or read its /proc/<pid>/environ on the host, so this protects secrets at rest, not from a compromised host.
Gopass acts as a provider for summon: summon asks gopass for each secret by path, and passes the value it receives on to our containers.
We assume a Postgres database backs our Gitea container and that the database password has been saved to the secrets repository under the path gitea/gitea-db, using the command gopass insert gitea/gitea-db.
summon -p /usr/local/bin/gopass --yaml 'POSTGRES_PASSWORD: !var gitea/gitea-db' docker run -e POSTGRES_PASSWORD postgres:9.6
This command is intentionally verbose to show how summon passes secrets on to our Docker container: summon resolves gitea/gitea-db through gopass and exports it as POSTGRES_PASSWORD in the environment it runs docker in, and docker run -e with a bare variable name copies that variable into the container. Written as -e $POSTGRES_PASSWORD, your own shell would expand the (empty) variable before summon ever ran. In production we use a secrets.yml file, which greatly simplifies this.
Define your variables in secrets.yml in the directory that holds your docker-compose.yml. The -e common flag used below selects the common section of the file, so the entries go under that key:
common:
  POSTGRES_PASSWORD: !var gitea/gitea-db
  DB_PASSWD: !var gitea/gitea-db
Bring up your containers. summon replaces the literal @SUMMONENVFILE with the path of a temporary file holding the resolved variables, which docker-compose reads via --env-file:
summon -p /usr/local/bin/gopass -e common docker-compose --env-file @SUMMONENVFILE up -d
If this command fails, you may need a newer docker-compose (1.25 or later, the first release that supports --env-file):
nix-env -i docker-compose
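To make clear what summon actually does between gopass and the container, here is a small re-implementation of the flow in plain sh. It is an added example, not summon's or gopass's code. It assumes the provider protocol summon uses (the provider is called with one secret path as its argument and prints the value on stdout, which is how gopass behaves when run as gopass <path>), that PROVIDER names that executable (gopass by default), and that the secrets file uses the flat KEY: !var path form of the --yaml one-liner rather than the sectioned common: form; the secrets file and the provider used in the test are constructed.

```sh
#!/bin/sh
# Added example, not summon or gopass code: a minimal stand-in for summon that
# shows the provider protocol, the temp env file behind @SUMMONENVFILE and the
# clean-up. Assumptions: PROVIDER is an executable that prints the secret for
# the path given as its only argument (gopass does this), and the secrets file
# holds flat "KEY: !var path" or "KEY: literal" lines.
PROVIDER="${PROVIDER:-gopass}"

# Constructed secrets file matching the Gitea example.
SAMPLE_SECRETS_YML='POSTGRES_PASSWORD: !var gitea/gitea-db
DB_PASSWD: !var gitea/gitea-db'

# Turn one "KEY: !var path" (or "KEY: literal") line into "KEY=value".
# The key must be a valid environment variable name so a malformed line can
# never become anything other than a plain variable assignment.
resolve_line() {
    key=$(printf '%s' "$1" | sed 's/:.*//')
    rest=$(printf '%s' "$1" | sed 's/^[^:]*://; s/^[[:space:]]*//; s/[[:space:]]*$//')
    case "$key" in
        '' | [0-9]* | *[!A-Za-z0-9_]*) echo "bad variable name: '$key'" >&2; return 1 ;;
    esac
    case "$rest" in
        '!var'*)
            path=$(printf '%s' "$rest" | sed 's/^!var[[:space:]]*//')
            # Ask the provider; a missing secret aborts instead of exporting an empty value.
            value=$("$PROVIDER" "$path") || { echo "provider failed for '$path'" >&2; return 1; }
            ;;
        *) value="$rest" ;;
    esac
    printf '%s=%s\n' "$key" "$value"
}

# Resolve a whole file from stdin; blank lines and comments are skipped.
resolve_file() {
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in '' | '#'*) continue ;; esac
        resolve_line "$line" || return 1
    done
}

# Run a command with the resolved variables exported, the way
# `summon -p gopass ... <command>` does. The variables also go into a 0600
# temp file, and a literal @SUMMONENVFILE argument is replaced by its path
# (this is what docker-compose --env-file reads). The file is removed once the
# command exits; nothing touches the shell history or the repository.
run_with_secrets() {
    yml="$1"; shift
    envfile=$(mktemp) || return 1
    chmod 600 "$envfile"
    # Resolve everything first so a missing secret fails before the command starts.
    if ! printf '%s\n' "$yml" | resolve_file > "$envfile"; then
        rm -f "$envfile"
        return 1
    fi
    # Rotate the argument list once, swapping @SUMMONENVFILE for the real path.
    n=$#
    while [ "$n" -gt 0 ]; do
        arg="$1"; shift
        if [ "$arg" = "@SUMMONENVFILE" ]; then arg="$envfile"; fi
        set -- "$@" "$arg"
        n=$((n - 1))
    done
    # Export in a subshell so the caller's environment stays clean. export "$line"
    # takes the value verbatim: no word splitting, globbing or command
    # substitution, so a password like 'p@ss w0rd $(id) *' arrives intact.
    # Multi-line secrets are not handled; keep the password alone on line one.
    (
        while IFS= read -r line || [ -n "$line" ]; do export "$line"; done < "$envfile"
        exec "$@"
    )
    status=$?
    rm -f "$envfile"
    return "$status"
}

# Real use, equivalent to the summon command above (gopass must be on PATH):
#   run_with_secrets "$(cat secrets.yml)" docker-compose --env-file @SUMMONENVFILE up -d
```

The point to take from the subshell at the end is why the earlier docker run example names the variable rather than expanding it: the value only exists in the environment of the process summon (or this function) starts, never in the shell you typed the command into.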