
scientific-python/vault-template


Password store for <YOUR_PROJECT_NAME>

Uses gopass, which must be installed first.

./vpass is simply an alias to gopass that sets the vault directory to the current path.

Generating your GPG key

These instructions presume that you are familiar with GPG. If not, read Getting Started with GNU Privacy Guard for a general overview, or Generating a new GPG key to learn how to create your own keys. We recommend EdDSA as the key type, but RSA (the default) is fine too.

Initial vault creation (do this once)

./vpass init <your-gpg-id>

You can find your GPG id with gpg --list-keys your@email.com. The ID looks something like 79DFFEFC5EC506356B7BCF00E5FEBCA4A034DD65.

Import missing keys

After cloning a vault, you won't yet have all recipient public keys in your keychain. This means you can read entries, but not modify them or add new ones.

A copy of each recipient's public key is stored in .public-keys, and you can import them with:

cd .public-keys && gpg --import *

Add/edit a new password

./vpass insert vault/name-of-site
./vpass edit vault/name-of-site

Or generate a new password:

./vpass generate vault/name-of-site  # generate password for new password entry
./vpass generate -i vault/name-of-site  # re-generate for existing password entry

See https://www.passwordstore.org/ for further detail.

Look up a password

./vpass  # list all passwords
./vpass vault/site-name  # show password for site-name

Add a new recipient

  1. Find the GPG key ID of the recipient. This will be a hexadecimal string similar to 79DFFEFC5EC506356B7BCF00E5FEBCA4A034DD65, and can be found with:

    gpg --list-keys user@email.com
    
  2. Add the recipient. The vault will be re-encrypted, including the new recipient:

    ./vpass recipients add 79DFFEFC5EC506356B7BCF00E5FEBCA4A034DD65
    

List existing recipients

./vpass recipients

Removing recipients

Removing a recipient will also re-encrypt the password vault, so that that person no longer has access to future versions of the vault. HOWEVER, since they have access to their existing copy, you should consider all secrets compromised and rotate them.

./vpass recipients rm 79DFFEFC5EC506356B7BCF00E5FEBCA4A034DD65
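
To confirm that re-encryption after a removal reached every entry, you can list which keys each file is still addressed to. The script below is an added example, not part of this template. It assumes entries are stored as `*.gpg` files and that you pass the 16-hex-digit long key ID of the removed recipient's encryption subkey; the function names and sample key IDs are made up for illustration.

```bash
#!/usr/bin/env bash
# Added example: audit which keys vault entries are encrypted to.
# Assumptions: entries are *.gpg files under the vault directory, and key
# IDs are the 16-hex-digit long IDs of recipients' encryption subkeys.

# Print the recipient key IDs found in `gpg --list-packets` output on stdin.
enc_keyids() {
  sed -n 's/^:pubkey enc packet:.* keyid \([0-9A-Fa-f]\{16\}\).*$/\1/p' |
    tr 'a-f' 'A-F' | sort -u
}

# Succeed if the packet listing on stdin names key ID $1 as a recipient.
addressed_to() {
  want=$(printf '%s' "$1" | tr 'a-f' 'A-F')
  enc_keyids | grep -qx "$want"
}

# Print every entry under directory $2 (default: .) still encrypted to $1.
# --list-only skips decryption, so no secret key or passphrase is needed.
audit_vault() {
  keyid=$1
  dir=${2:-.}
  find "$dir" -type f -name '*.gpg' -print | while IFS= read -r f; do
    if gpg --batch --list-only --list-packets "$f" 2>/dev/null |
        addressed_to "$keyid"; then
      printf '%s\n' "$f"
    fi
  done
}

# Constructed sample of `gpg --list-packets` output for one entry with two
# recipients (key IDs are invented, not real keys).
SAMPLE_LISTING=':pubkey enc packet: version 3, algo 18, keyid 1111AAAA2222BBBB
	data: [263 bits]
	data: [392 bits]
:pubkey enc packet: version 3, algo 1, keyid 3333CCCC4444DDDD
	data: [2047 bits]
:encrypted data packet:
	length: 97
	mdc_method: 2'
```

Run `audit_vault <long-key-id>` from the vault directory after `./vpass recipients rm`; `gpg --list-keys --keyid-format long` shows the subkey IDs. An empty result only confirms that the current files exclude the removed key; copies the recipient already holds stay readable, so rotation is still required.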

About

Template for a project secrets vault
