
Encryption

Kenichi Kamiya edited this page Sep 12, 2025 · 19 revisions

Make sure target subkey

Only the [E] (encryption) subkey is needed in the vault.

  • Don't touch the main (sec) key.
  • Don't touch the [S] and [C] keys.

export PGP_SUB_E_ID=YOUR_PGP_SUBKEY_FOR_ENCRYPTION_ID

It should be the same ID as used for pass init [gpg-id], i.e. the content of $PASSWORD_STORE_DIR/.gpg-id.

Create vault

gopass init "$PGP_SUB_E_ID"

age-keygen | age --passphrase --armor > "$PASSAGE_IDENTITIES_FILE"
age --decrypt "$PASSAGE_IDENTITIES_FILE" | age-keygen -y > "$PASSAGE_RECIPIENTS_FILE"
mkdir -p "$PASSAGE_DIR"
passage git init
<~/.ssh/id_ed25519 passage insert --multiline ssh
<"$(rclone config file | tail -1)" passage insert --multiline rclone

Restore

  1. Restore vaults

    # If you are using a GitHub private repository, use `gh auth login; gh repo clone example_org/password-store "$PASSWORD_STORE_DIR"`
    # gh auth login succeeds even if it hits a config.yml permission error; the credentials are written to hosts.yml
    git clone 'https://private.example.com/password-store.git' "$PASSWORD_STORE_DIR"
    git clone 'git@private.example.org:passage-store.git' "$PASSAGE_DIR"
    hx "$PASSAGE_IDENTITIES_FILE" # Make sure the editor is not enabling backup features
    
    # Don't keep this file in the passage store; that would be a circular reference
    age --decrypt --identity "$PASSAGE_IDENTITIES_FILE" "pgp-sub-${PGP_SUB_E_ID}.age" | gpg --import
    # Make sure the other keys are still listed, but with a `#` after `sec` and `ssb` (offline stubs)
    gpg --list-secret-keys
  2. Load minimum secrets from the vaults

    passage show 'ssh' > ~/.ssh/id_ed25519
    chmod 400 ~/.ssh/id_ed25519
    ssh-add ~/.ssh/id_ed25519
    
    rclone config touch
    passage show 'rclone' > "$(rclone config file | tail -1)"
  3. Restore shell history - Work in Progress

  4. Remove used vaults from local

    # Don't trust `shred --remove` or `srm` on an SSD. Use tomb, rclone, or the OS-provided solution to encrypt the disk
    rm -rf "$PASSAGE_DIR"
    rm "$PASSAGE_IDENTITIES_FILE"
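A check for the rule under "Make sure target subkey" and the `gpg --list-secret-keys` step of the restore above: only the [E] subkey may be usable, everything else must show as an offline stub. This is an added example, not code from the wiki; it parses the machine-readable `gpg --list-secret-keys --with-colons` output (field 12 = capabilities, field 15 = `#` for a stub), the two listings inside it are constructed samples, and check_vault_keyring / check_live_keyring are names chosen here.

```shell
#!/bin/sh
# Added example: verify that only the [E] subkey is usable in the local keyring.
# Reads `gpg --list-secret-keys --with-colons` lines on stdin. Field 12 holds the
# capabilities (e/s/c/a), field 15 is '#' for an offline stub, '+' or empty when
# the secret is present, or a token serial number when the key is on a smartcard.
check_vault_keyring() {
  awk -F: '
    $1 == "sec" || $1 == "ssb" {
      stub = ($15 == "#")
      if ($1 == "ssb" && index($12, "e") > 0) {
        if (!stub) usable_e++            # the encryption subkey we want online
      } else if (!stub) {
        print "FAIL: " $1 " " $5 " (caps " $12 ") is usable; expected a # stub"
        bad++
      }
    }
    END {
      if (usable_e != 1) {
        print "FAIL: expected exactly one usable [E] subkey, found " usable_e + 0
        bad++
      }
      if (bad > 0) exit 1
      exit 0
    }'
}

# Run the check against the real keyring (requires gpg; not called below).
check_live_keyring() {
  gpg --list-secret-keys --with-colons | check_vault_keyring
}

# Constructed sample: primary and [S] subkey are stubs (#), [E] subkey present (+).
GOOD_LISTING='sec:u:255:22:0123456789ABCDEF:1700000000:::u:::cESC:::#::ed25519:::0:
fpr:::::::::0000000000000000000000000123456789ABCDEF:
uid:u::::1700000000::0000000000000000000000000000000000000000::Example <example@example.org>::::::::::0:
ssb:u:255:22:1122334455667788:1700000000::::::s:::#::ed25519::
ssb:u:255:18:99AABBCCDDEEFF00:1700000000::::::e:::+::cv25519::'

# Constructed sample: the primary secret key was imported too (no # on sec).
BAD_LISTING='sec:u:255:22:0123456789ABCDEF:1700000000:::u:::cESC:::+::ed25519:::0:
ssb:u:255:22:1122334455667788:1700000000::::::s:::#::ed25519::
ssb:u:255:18:99AABBCCDDEEFF00:1700000000::::::e:::+::cv25519::'

printf '%s\n' "$GOOD_LISTING" | check_vault_keyring && echo "good listing: only [E] usable"
printf '%s\n' "$BAD_LISTING" | check_vault_keyring || echo "bad listing: rejected"
```

After a restore, `check_live_keyring` replaces eyeballing the `#` markers in the plain listing.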

FAQ

How to modify flags in existing keys

How to modify comments in existing keys

  • No. Use gpg --edit-key and uid n to select a user ID; notation is a separate feature.

Extend the expiry of both the main [(S)C] key and the subkeys

gpg --quick-set-expire 'FINGERPRINT-MAIN-C' 2y '*'
gpg --armor --export --export-options export-minimal 'FINGERPRINT-SUB-S' # Upload to Git hosting services

Why sequoia-sq and gpg

See GH-830

I prefer gpg-sq as the alternative; however, it and the wrappers do not support many of the features, like edit and agents. Therefore you basically still need gpg for now.

If you face a decrypt error with gpg-sq, check it with sq decrypt, which displays the error details.
For example: 1: AEAD Encrypted Data Packet v1 is not considered secure
This is caused by data that was encrypted with a gpg whose AEAD setting was left unconfigured. Disable it with showpref/setpref if you still use gpg.

sequoia-sq

TODO:

GPG

  • Abbreviations

    • sec = SECret key
    • ssb = Secret SuBkey
  • Symbols in list

    From the gpg man page:

        --list-secret-keys
        -K     List the specified secret keys.  If no keys are specified, then all known secret keys are listed.  A # after the initial tags sec or ssb means that the secret key or subkey is currently not usable.  We also say that this key has been taken offline (for example, a primary key can be taken offline by exporting the key using the command --export-secret-subkeys).  A > after these tags indicate that the key is stored on a smartcard.  See also --list-keys.
    
  • How to list keys?

      1. gpg --list-secret-keys --keyid-format=long # The first sec section displays the same text as the pub section of gpg --list-keys --keyid-format=long
  • How to add subkey?

      1. gpg --edit-key PUBKEY
      2. addkey
      3. save
  • How to revoke subkey?

  • How to get pubkey to upload?

    • gpg --armor --export --export-options export-minimal | wl-copy # If there is only one key pair in your keyring
  • How to export private key?

    • gpg --export-secret-subkeys --armor "${PGP_SUB_E_ID}"'!' > "pgp-sub-${PGP_SUB_E_ID}" && age --encrypt --armor --identity "$PASSAGE_IDENTITIES_FILE" --output "pgp-sub-${PGP_SUB_E_ID}.age" "pgp-sub-${PGP_SUB_E_ID}" && rm "pgp-sub-${PGP_SUB_E_ID}"
      • Append the ! suffix so that exactly this subkey is exported (single-quoted so the shell does not treat ! as history expansion)
      • Don't use a pipe. I have faced errors when connecting to age...
    • gpg --export-secret-keys --armor > gpg-private.keys.bak # Avoid this as much as possible: it exports all secret keys.
