Managing secrets with Gopass and Age
Scroll down and skip to the Secrets Management section if you just want that and want to skip all of my yammering. This post is mostly geared towards techies.
So, do you save your sensitive data somewhere on a piece of paper or in a text file on your laptop or PC? Do you sign up on multiple online platforms with the same password everywhere? Very scary stuff!
Maybe you already let Google's browser store those passwords. But anyone using your browser can then get at them. Or maybe you use a service like LastPass (a company whose users' data has been exposed in more than one breach) to store your sensitive data.
And how far will antivirus software protect you from malware that hunts for sensitive data on your machine? Yes, these services are very convenient, but ...
Data breaches have become a regular occurrence. They happen so often that one might question the reliability of companies whose whole business is keeping our data secure. It's a mess.
Even when it's not your personal data at stake, you may still handle certain types of data that require proper care.
In the tech world, teams deal with secrets all the time: database passwords, SSH keys, API keys, ERP passwords. The list is quite long.
Hence, having a toolkit for managing secrets can help them tremendously. Although there are many options out there today, the one I personally use is Gopass because of its ease of use. And that is the topic of this post.
Secrets Management
This post is about handling secrets with the help of two tools, Gopass and Age, on an Ubuntu 22 server. Any Linux distribution will work, and in fact it does not even have to be Linux or a server. Take this as a starting point and tweak it to fit your environment.
[x] Age is a simple, modern file encryption tool.
[x] Gopass is a secrets manager. It uses Age (or GPG) as its encryption backend to encrypt and decrypt your sensitive data.
Gopass works just as well on desktop machines and comes with a browser extension too, but that is not the focus of this post.
Prerequisite
Have Gopass installed and available on $PATH
1. Configure terminal for Gopass.
Gopass is primarily a CLI tool and also works with the older GPG backend, so it expects the following environment variable to be set even when GPG is not the backend in use. Yes, we are using Age, and we still need to set it!
export GPG_TTY=$(tty)
This is mainly relevant on systems without a desktop environment, like the Ubuntu server used here. You can set it on a desktop OS too if you prefer to type your passphrases in the terminal.
2. A little about Age
Age is pronounced like the Italian word "aghe".
Age supports both symmetric (passphrase) and asymmetric (X25519 keypair) encryption. Gopass generates an Age keypair first. A keypair has a public and a private half. In Gopass the private half, the identity, is stored encrypted under the passphrase you choose, whereas the public half is what Age and Gopass call the recipient. You can list recipients by asking gopass:
gopass recipients
Hence, Gopass needs the Age passphrase every time it decrypts a secret for you.
You can type the passphrase when prompted, or put it in the environment variable Gopass reads for this purpose, GOPASS_AGE_PASSWORD. Which one fits depends on the use case; we use the variable here because it is much faster for recurring tasks. Be aware that an export typed at the prompt lands in your shell history, and the variable is visible to every process started from that shell, so clear it as soon as you are done (see the end of this post). So, let's define it:
export GOPASS_AGE_PASSWORD="yourAgePassword"
3. Now run the initial setup
gopass setup --crypto age
This command either prompts you for the Age passphrase or takes it from the environment variable declared above. On success it initialises the store and creates a recipient. In plain terms: whenever you encrypt something, you tell Gopass who it should be encrypted for, and that is the recipient. Only a holder of the matching private identity (unlocked with the passphrase) can decrypt the data, while anyone who knows the recipient's public key can encrypt data for it.
By default Gopass:
Creates its stores under ~/.local/share/gopass/stores
Stores its config at ~/.config/gopass/config
Stores Age identities at ~/.config/gopass/age/identities
The identities file together with the passphrase is everything needed to decrypt the store, so back it up and keep it readable only by you.
4. Zsh completion setup (optional)
If you use the zsh shell, I recommend enabling zsh completion for Gopass. Gopass also supports bash and other shells, but we will focus on zsh.
With completion enabled, zsh suggests gopass subcommands and fills in values, saving you some typing. All you have to do is type gopass followed by Tab.
Create our completion workspace
mkdir -p ~/.zsh
Create a file that loads the gopass completion script
echo "source <(gopass completion zsh)" > ~/.zsh/_gopass
Open ~/.zshrc in your editor. For completion to work, the following line has to be present (add it if it is not already there) before the line we add next:
autoload -U compinit && compinit
compinit initialises zsh's completion system.
Below it, add another line that loads the gopass completion file created above:
source ~/.zsh/_gopass
Finally, save the file and reload your zsh configuration in the terminal:
source ~/.zshrc
Play time
5. Create our first secret
gopass insert mysql_db1
The above command prompts you for the new secret and stores it under the name mysql_db1. Any time you want it back, all you do is:
gopass show mysql_db1
or simply
gopass mysql_db1
It prompts you for the passphrase if you did not set the environment variable discussed above.
And there it is. That's how simple it is. But wait, you can also add secrets with this command:
gopass new
This asks whether the secret is a website login or just a PIN. Pick the option you like, follow the prompts and you are done. Retrieval works exactly as above.
But wait, there is more. Gopass can also render the secret as a QR code, handy for moving it to a phone. Keep in mind the QR code is the secret in plain sight, so mind who can see your screen:
gopass show --qr mysql_db1
How cool 😎
But wait, there is more. If you use Gopass on a desktop machine, it can copy the secret straight to the clipboard instead of printing it (by default it clears the clipboard again after 45 seconds):
gopass --clip mysql_db1
Very nice!
One last thing. You can also generate random passwords, use them when signing up on websites, and then save them in Gopass (gopass generate <name> [length] creates and stores one in a single step):
gopass pwgen
Gopass can do many more things. Use gopass --help to see all of them.
Last, but certainly not least, remove the passphrase from your environment when you are done:
unset GOPASS_AGE_PASSWORD
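As an added example (not code from the original post or from the gopass project) covering both the passphrase handling in steps 2 and 3 and the insert/retrieve round trip above: a small bash wrapper that reads the Age passphrase from a file only its owner can read (or prompts on the terminal), hands it to a single gopass invocation through GOPASS_AGE_PASSWORD, and drops it afterwards, so the passphrase never appears in shell history and is never left exported in the session. The file path ~/.config/gopass/age-passphrase, the variable AGE_PASS_FILE and the function names are assumptions of this example, not gopass conventions. The round-trip function needs a store already initialised with gopass setup --crypto age.

```shell
#!/usr/bin/env bash
# Added example: wrap gopass so GOPASS_AGE_PASSWORD lives only for one command.
# Not part of the original post or of gopass itself.
set -u

# Passphrase file on a server; assumed location, override via the environment.
AGE_PASS_FILE="${AGE_PASS_FILE:-$HOME/.config/gopass/age-passphrase}"

# Returns 0 if the file exists and is readable by nobody but its owner.
# Uses POSIX find instead of stat, whose flags differ between GNU and BSD.
passfile_is_private() {
  local f="$1"
  [ -f "$f" ] || return 1
  # Any group/other read bit set means the passphrase is exposed.
  [ -z "$(find "$f" \( -perm -040 -o -perm -004 \) 2>/dev/null)" ]
}

# Run "$@" with GOPASS_AGE_PASSWORD present only in that command's environment.
# Returns 2 if the passphrase file is too permissive, otherwise the command's
# own exit status.
with_age_password() {
  local pass rc
  if [ -e "$AGE_PASS_FILE" ]; then
    if ! passfile_is_private "$AGE_PASS_FILE"; then
      echo "refusing $AGE_PASS_FILE: group- or world-readable (chmod 600 it)" >&2
      return 2
    fi
    # First line of the file is the passphrase; a missing trailing newline
    # makes read return 1, so ignore that status.
    IFS= read -r pass < "$AGE_PASS_FILE" || true
  else
    # Interactive fallback: prompt on the terminal without echo.
    printf 'Age passphrase: ' >&2
    IFS= read -rs pass < /dev/tty
    echo >&2
  fi
  GOPASS_AGE_PASSWORD="$pass" "$@"
  rc=$?
  unset pass
  return "$rc"
}

# Round trip: generate a 32-character password under $1 (overwriting an
# existing entry with -f) and read it back with `show -o`, which prints only
# the password line. Requires an initialised store.
store_and_fetch() {
  local name="$1"
  with_age_password gopass generate -f "$name" 32 >/dev/null || return $?
  with_age_password gopass show -o "$name"
}

# Usage: ./age-wrap.sh gopass setup --crypto age
#        ./age-wrap.sh gopass show mysql_db1
if [ "$#" -gt 0 ]; then
  with_age_password "$@"
fi
```

Save it as age-wrap.sh, create the passphrase file with chmod 600, then run ./age-wrap.sh gopass setup --crypto age once and ./age-wrap.sh gopass show mysql_db1 afterwards. Whoever can read both the passphrase file and the identities file can decrypt the whole store, so on a shared server that file is what you must protect: this replaces the interactive prompt with a file-permission boundary, which is fine for a cron job but is not a substitute for a vault with real access control.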
Conclusion
Having tools like Gopass brings confidence in handling sensitive data. While it may feel cumbersome at times, in the long run it grows on you. I am sure there are many options out there today for this task, so if you haven't already invested your time and effort into one, now is the time.