Setting up pass for ios using gpg serve key using https on a local network

setting up pass-for-ios using gpg-serve-key using https on a local network

intro

if you use pass to securely store your passwords, and have them backed up to a git repository and use pass-for-ios to access the passwords on an ios device, and want to set up pass-for-ios (SSH and PGP keys) using the gpg-serve-key utility, but don’t want to serve the passwords from an internet-accessible URL, here is a guide. (phew!)

this guide assumes you use letsencrypt to generate https (SSL) certificates for your other needs, on a machine running nginx. if you don’t use letsencrypt, or don’t run nginx, you may still be able to use this, changing those bits.

caveat: in addition to other ignorances, i’m particularly ignorant of things relating to gpg. in particular, in the invocation of gpg-serve-key below, i’m not sure if johndoe@example.com is really the best KEY_ID to use, rather than some other, maybe more specific, “key Id”.

background

on linux, i use pass to securely store my passwords, and i back up these passwords to a git repository. to make use of these passwords on my ios devices, i use pass-for-ios. setting up pass-for-ios requires transferring an SSH key [fn:: though you also have the option of using a password] to access the git repository holding the passwords, and the public and private PGP keys for the store. an easy way of doing this is using the gpg-serve-key utility.

the most straightforward way of using gpg-serve-key is to store your keys at a publically-accessible URL. this can be made fairly secure using https (and, gpg-serve-key’s methods of obscuring their URL (via random port numbers and a random string inserted into the URL). however, i’d rather not have even that level of exposure. so, i prefer transferring my keys on my local network.

assumptions

• there is a machine public.example.com
  • on the public internet
  • for which you have shell/root access
  • which runs nginx, and has a server entry for tmp.example.com.
  • and on which you have set up letsencrypt for tmp.example.com.
• assume you have access to, and control of, the DNS records for the domain example.com. (or, at least, a subdomain tmp.example.com.) and, that tmp.example.com points to public.example.com’s IP address. [fn:: For me, this is the normal configuration. but, whenever you need to change it, wait an hour or two for this to propagate; the time required will be defined in the DNS configuration for example.com or tmp.example.com.]
• assume you have a local machine from which you want to serve your keys, with a local IPv4 address of 192.168.5.23.
• assume you’ve installed gpg-serve-key on your local machine at ~/bin/password-store/passforios/gpg-serve-key/gpg-serve-key.
• assume that, on your local machine, your SSH private key is located in ~/.ssh/id_rsa.[fn:: If you use a password to access your git repository, ignore the bits about id_rsa below, and leave out the --serve-file argument to =gpg-serve-key.]

“pass-ios-serve-key-localnet.org” 130L, 6532B Last login: Mon May 23 15:46:38 on ttys000 mssun@Mingshens-MBP ~ % cd Downloads mssun@Mingshens-MBP Downloads % ls bili_mac.dmg googlechrome.dmg pass-ios-serve-key-localnet.org mssun@Mingshens-MBP Downloads % vi pass-ios-serve-key-localnet.org mssun@Mingshens-MBP Downloads % vi pass-ios-serve-key-localnet.org mssun@Mingshens-MBP Downloads % cat pass-ios-serve-key-localnet.org

intro

if you use pass to securely store your passwords, and have them backed up to a git repository and use pass-for-ios to access the passwords on an ios device, and want to set up pass-for-ios (SSH and PGP keys) using the gpg-serve-key utility, but don’t want to serve the passwords from an internet-accessible URL, here is a guide. (phew!)

this guide assumes you use letsencrypt to generate https (SSL) certificates for your other needs, on a machine running nginx. if you don’t use letsencrypt, or don’t run nginx, you may still be able to use this, changing those bits.

caveat: in addition to other ignorances, i’m particularly ignorant of things relating to gpg. in particular, in the invocation of gpg-serve-key below, i’m not sure if johndoe@example.com is really the best KEY_ID to use, rather than some other, maybe more specific, “key Id”.

background

on linux, i use pass to securely store my passwords, and i back up these passwords to a git repository. to make use of these passwords on my ios devices, i use pass-for-ios. setting up pass-for-ios requires transferring an SSH key [fn:: though you also have the option of using a password] to access the git repository holding the passwords, and the public and private PGP keys for the store. an easy way of doing this is using the gpg-serve-key utility.

the most straightforward way of using gpg-serve-key is to store your keys at a publically-accessible URL. this can be made fairly secure using https (and, gpg-serve-key’s methods of obscuring their URL (via random port numbers and a random string inserted into the URL). however, i’d rather not have even that level of exposure. so, i prefer transferring my keys on my local network.

assumptions

• there is a machine public.example.com
  • on the public internet
  • for which you have shell/root access
  • which runs nginx, and has a server entry for tmp.example.com.
  • and on which you have set up letsencrypt for tmp.example.com.
• assume you have access to, and control of, the DNS records for the domain example.com. (or, at least, a subdomain tmp.example.com.) and, that tmp.example.com points to public.example.com’s IP address. [fn:: For me, this is the normal configuration. but, whenever you need to change it, wait an hour or two for this to propagate; the time required will be defined in the DNS configuration for example.com or tmp.example.com.]
• assume you have a local machine from which you want to serve your keys, with a local IPv4 address of 192.168.5.23.
• assume you’ve installed gpg-serve-key on your local machine at ~/bin/password-store/passforios/gpg-serve-key/gpg-serve-key.
• assume that, on your local machine, your SSH private key is located in ~/.ssh/id_rsa.[fn:: If you use a password to access your git repository, ignore the bits about id_rsa below, and leave out the --serve-file argument to =gpg-serve-key.]

the procedure

update certificates and transfer them to your local machine

first, we need to get the right certificates on your local machine. we get them from the place that letsencrypt stores them on public.example.com

• on public.example.com, do

  sudo certbot --nginx renew
      

  to make sure the certificates for tmp.example.com are up-to-date.

• still on public.example.com, [fn:: active contains the current and past certificates; live contains symbolic links into active for the current certificate.]

  sudo tar cf temporary.tar /etc/letsencrypt/{archive,live}/tmp.example.com/
      

• then, on your local machine, build a temporary directory and copy those certificates.

  mkdir /var/tmp/pass-ios-serve-key-localnet
  cd /var/tmp/pass-ios-serve-key-localnet
  scp public.example.com:temporary.tar .
  tar xf temporary.tar && rm temporary.tar
      

• back on public.example.com, remove the .tar file.

  rm temporary.tar
      

point tmp.example.com to the local IP address of your local machine

• set the dns configuration for tmp.example.com to point to the local machine’s local network IPv4 address (which we assumed above to be 192.168..5.23). and, wait for that to propagate.

start gpg-serve-key on local machine

• figure out which public key you want to load. i.e.,

  gpg --list-public-keys
      

  assume the answer is johndoe@example.com.

• on local machine (just for ease):

  a=~/bin/password-store/passforios/gpg-serve-key/gpg-serve-key
      

• now, start gpg-serve-key

  ${a} --cert-file etc/letsencrypt/live/tmp.example.com/cert.pem --key-file etc/letsencrypt/live/tmp.example.com/privkey.pem --serve-file ~/.ssh/id_rsa johndoe@example.com
      

  it will print out a list of URLs, one for the private PGP key, one for the public PGP key, and one for the SSH key.

transfer the SSH and PGP keys to the ios device

• open Pass on IOS.
• “Settings:Password Repository”
• under “Authentication Method”, hit “I” (info, “?”-like) under “SSH Key”.
• choose “Download from URL”
• on the ios device, enter correct URL, for id_rsa, e.g.:

  https://tmp.example.com:41373/uvQzZ5rwixE/id_rsa
      

  (maybe copy this url, for use below accessing the PGP keys.)

• click “Done”. takes a few seconds, then should have SSH key imported.
• now, click “PGP Key” (currently lists as “Not Set”), and “Download from URL”
• download from URLs:

  https://tmp.example.com:41373/uvQzZ5rwixE/johndoe@example.com-public.key
  https://tmp.example.com:41373/uvQzZ5rwixE/johndoe@example.com-secret.key
      

  (note that order in IOS dialog reversed from that given out by gpg-serve-key)

• click “Save”
• settings:Password Repository: set repository URL

  git@example.com:johndoe/mypasswords.git
      

  (branch name “master”; username “git”

• click “Clone”
• ios settings, “Autofill Passwords”, “Autofill Passwords”, enable “Pass”. (maybe Pass does this automatically?)

clean up

• you probably want to remove /var/tmp/pass-ios-serve-key-localnet and its contents
• change your dns configuration to point tmp.example.com to same address as public.example.com. (to leave it in this configuation, to be ready the next time you do this.)