Pass, pass-otp and nitrokey?

bqcuhvnvqs · August 22, 2022, 7:10pm

nku:

gpg --armor --export j.doe@example.com > public.asc
gpg --import public.asc
You could host the public key somewhere and then use gpg --card-edit followed by a ‘fetch’.

Then just copy over your password directory and you should be good.

Some people like to add the encrypted password store to git and use git clone via ssh to copy instances over. Afterwards you could commit changes and sync it by git fetch.

I also imported the secretkey.asc should i not have done that? How do i set up pass on another machine if i have public.asc and secret.asc? And pass init… Got any link or some tips for a few steps? What key ison the nitrokey? Oh… does the nitrokey have the secret so i should not import the secret key on the machine and in gpg?
Do you know how to set this up on other machines? I should copy the .password folder or whatever it was called… What else? Can i backup the passwords in one file or should i move the folder?

bqcuhvnvqs · August 22, 2022, 11:17pm

hey dude. I did try to copy .password-store and .gnupg to the homefolder in another debian machine…
And it’s progress i can copy all passwords with the nitrokey…

But when i try to generate a password i get:
“binary operator exptected” You know why? Some progress though and it’s with the pass -c generate test

If i use pass generate test i get:
bash: test: generate: unary operator expected

bqcuhvnvqs · August 24, 2022, 1:10am

Everything works good today… wierd. Maybe the reboot. No errors… So yeah i just imported the keys and copied over the folders and everything is working fine! Thanks anyways

bqcuhvnvqs · October 18, 2022, 6:15pm

Hey again dude…Thanks for sharing your knowledge… But i had to set up it on another machine, and i did import the public key, but then i like just copied over
hidden .gnupg and .password-store

I can copy passwords but i get this message and i edited out some info:
pass -c site/site.com
gpg: WARNING: unsafe permissions on homedir ‘/home/user/.gnupg’
Copied site/site.com to clipboard. Will clear in 45 seconds.

How do i fix the permissions? What permissions should i have on the folder or files in it? I had a bunch of files in .gnupg …

Thanks!

edit: Even when i try to init i get this… I must have set it up wrong, or the permissions where messed up from the other machine… How do i even fix that, any idea?

kinda like this as your example earlier and your generated code here… but my error instead.

"$ pass init AF45BC550B792328FDA8FDDF52C47BAA4A43C43D
mkdir: created directory ‘/home/user/.password-store/’
Password store initialized for AF45BC550B792328FDA8FDDF52C47BAA4A43C43D
gpg: WARNING: unsafe permissions on homedir ‘/home/user/.gnupg’
gpg: WARNING: unsafe permissions on homedir ‘/home/user/.gnupg’

nku · October 18, 2022, 8:04pm

chown -R $(whoami) ~/.gnupg/
chmod 600 ~/.gnupg/*
chmod 700 ~/.gnupg

bqcuhvnvqs · October 22, 2022, 12:17am

nku the it oracle… thanks! Works fine now after that and a reboot… pass is such a clean password manager! Enjoy your weekend.

bqcuhvnvqs · November 15, 2022, 12:40am

Hey again! Thanks for all of the support, but you could help me further even.
I did manage to copy all passwords to new machines it’s easy… But i only have one USB with the right key. And that one is glitchy and i can’t almost use it now i might have wrecked the usb contact with a plier some…
How do i copy over the GPG key to other usb sticks again? I have the secret key saved on another stick…
I get the "Please insert the card with the number: numbers

How do i cope over the identical keys to another stick if i have the secret gpg file? I should be able to use the same sticks for that and have multiple…
Thank you again.
This thread will be backup-ed, and a good reference for the future. The best pass solution ever. Just need to get this right with copying over the same key also to other nitrokeys… Backups are always good to have so you don’t loose all of your passwords if one stick is missing or broke! Might need to buy another nitrokey soon…

gpg --card-status
The encryption key is set to: Encryption key…: [none]
And same with General key info…: [none]

So i have to set it up again, but yeah i do have the secret key still saved… So i just import it?

bqcuhvnvqs · November 15, 2022, 3:21pm

How do i import a private or secret key to a new nitrokey? The answer is probably here right…
https://docs.nitrokey.com/pro/linux/openpgp-keygen-backup

But i don’t want to generate it… Could anyone help me today do you think with an answer? That would be great… If you know the solution you know… if anyone knows it. Thanks

bqcuhvnvqs · November 15, 2022, 3:27pm

nku:

You can backup the password store with the gpg encrypted secrets (3-2-1 backup strategy), take a note on how you installed pass and the plugins, maybe even backup the iso to install the os and the software packages in order to be able to install the exact same versions. As pass is very open, I doubt that the latter would be necessary but for completeness, I would back it up.

Make sure to also backup the PUBLIC key! Especially when created on the Nitrokey. It is a hassle/sometimes impossible to regenerate it!

The gpg key can be generated externally and stored on multiple Nitrokeys. After that, you could save the key in pass, store it somewhere safe (e.g. self-encrypted usb key), print it out or whatever suits your disaster recovery strategy.

Make sure to not loose User PIN and Admin PIN for your Nitrokeys.

That should be quite safe.

I backup top-most important data on steel plates with embossed letters/digits to be safe from fire.

I can still recover the secret key and make another nitrokey the card key correct? If i backed up the private or secret key right? I hope so…

bqcuhvnvqs · November 15, 2022, 6:15pm

I can temporarily access the nitrokey now… How do i backup everything on to another nitrokey? When i have some contact with one that’s broken. Thanks

nku · November 16, 2022, 5:58am

By design, key material needs to be backed up during key creation/personalization of the Nitrokey.

Keys stored in the OpenPGP portion of the Nitrokey cannot be extracted and would not have enough information to rebuild a gpg public/private key pair. A external backup can be created during key generation or when you create it using gpg externally and save the key to card. You need the secret and public keyring to do that.

While the Nitrokey is still available (does it have a hardware defect?) you could also eport the passwords in cleartext using a method as described here: scripting - Export passwords from the `pass` password manager - Unix & Linux Stack Exchange

bqcuhvnvqs · November 16, 2022, 11:19am

Ok, so it’s possible to have like 2 usb keys that unlocks the same passwords then? because it wants one serial number and usb at the moment… I have temporary access to it now yes… I might need to extract every password in clear-text and set it all up on another nitrokey then?
Yes the usb port is defect so it’s the hardware…
How would i do this in the best way? To send all in clear-text would take time… i’m not even a coder. I don’t really know how to even run that bash file you linked. I managed to follow your earlier step-by-step guides though. hehe
Can’t i just switch the key somehow from a half broken usb contact to a new nitrokey in some easy way instead? I do have the pubkey.asc and the secret.asc…
How do i fix this in the best or easiest way? And could i have multiple keys? I would want to set up multiple sometimes if i drop one you know… A step-by-step guide for that online or any place would be a great resource of knowledge when it comes to good password managing on unix overall! thanks

bqcuhvnvqs · November 16, 2022, 11:32am

If passwords can’t be copied from the nitrokey i can copy them manually from the broken nitrokey to another…
But i would really appreciate some step-by-step commands to how i switch the unlock key to the database… i do have the public.asc and the secret or private .asc keys… As a backup copy…
I don’t need to copy every password manually from both the nitrokey and then the .passwords database and set up a whole new nitrokey do i from the start? That would take some time…
I would have to read your guide at-least that was a good post.
I might need a clear text file then later on, and set up a whole new key and a whole new pass database then with the new serial and generate new keys or what…
Can’t i just import the secret.asc or public.asc then to a new nitrokey and unlock the .passwords folder?
And manually copy and paste passwords that are on the slots in the half broken nitrokey then? It did actually also get run over by a car like 6 months ago hehe. It fell out of my pocket on the ground once, and by chance a car went by 10 seconds after that happened… It still worked i used some tape… It was some pliers and some glitch issue now that was the cause… It did glitch before and i made it worse with some tool. So i gotta fix this. Thanks again for the answers!

bqcuhvnvqs · November 17, 2022, 5:23pm

So how do i set up two nitrokeys as keys to open passwords then? That was possible right?
You can’t just use one serial/card at a time or what? If i need to backup every passwords in clear-text from time to time… It’s easy to loose one nitrokey and that can’t be the only way to open passwords…
I’m thinking about starting over now with this usb being broken or 90% glitchy…

How would i set this up in the most optimal way really? From the beginning and starting over… I have some steps already to follow that’s good.

nku · November 17, 2022, 6:53pm

See here.

bqcuhvnvqs · January 23, 2023, 9:07pm

Yeah i need to set up this from start… And three keys, then i can use those… Why can’t someone make a step-by-step guide for that on the nitrokey wiki? Pass and multiple nitrokeys… GPG tokens on more smartcards for passwords. If they drop one, etc…
I have some steps already, gonna try and do that when i get the nitrokey, but yeah, it would be a good official guide… How to set up multiple token GPG keys on nitrokeys…
That you can use with pass and such… Maybe some moderators can write that? Just an idea… People would buy multiple nitrokeys just saying.

Why would you not write that? Clever solutions… Nitrokey creators. etc

bqcuhvnvqs · February 1, 2023, 6:55pm

Hello! I have had some progress now. I have the same sums in gpg --card-status

Signature key …: keys same on both nitrokeys
created …: date
Encryption key…: keys same on both nitrokeys
created …: date
Authentication key: keys same on both nitrokeys
created …: date

Those are the same on both keys!
But…always but.

General key info…: …
sec> keys same on both nitrokeys created: date expires: never
card-no: 1 different serial numbers on both keys, so i can’t unlock pass…
ssb> keys same on both nitrokeys created: date expires: never
card-no: 1
ssb> keys same on both nitrokeys created: date expires: never
card-no: 1 different serial numbers on both keys, so i can’t unlock pass…

The card-no is card 1 and that card/nitrokey only works! In pass…
I get the message with "insert the right serial number… "

How do i also add cards two serial number so i can use two tokens? I have done everything right this time i think…
It’s mostly the serial issue i believe…

I might have to use one nitrokey… And backup my passwords in plain-text. And then i could set up a new password store easily if i drop the usb key…
Or if i can just mirror one nitrokey with some mirror software instead???

Why can’t i just mirror a nitrokey like an ISO instead, and then have two with the same values? It’s still the serial i believe that needs to be added and the same, or two in the list instead of one. Then it should work!
Like this:
General key info…: …
sec> keys created: date expires: never
card-no: 1
card-no: 2

ssb> keys created: date expires: never
card-no: 1
card-no: 2
ssb> keys created: date expires: never
card-no: 1
card-no: 2

How do i add the second serial number? I have backed up the public and secret key right and everything… I did restore it on another key correctly i reckon… I just want two usb keys… With pass password manager. Can’t be that hard to set up right? Please help me out someone, i need to get this to work and have put in quite some time, from time to time, to get this setup to work now…
So why give up now?
Any help would be appreciated! Thanks!