https://wiki.bitsy.services/wiki/security/ Recent content in Security on Bitsy Services Wiki Hugo en https://wiki.bitsy.services/wiki/security/pass/ Mon, 01 Jan 0001 00:00:00 +0000 https://wiki.bitsy.services/wiki/security/pass/ <p><code>pass</code> (<a href="https://www.passwordstore.org/">passwordstore.org</a>) is a thin shell wrapper over <a href="https://wiki.bitsy.services/wiki/security/gpg">GPG</a> and git. It is built for exactly the problem of secrets scattered across <code>.env</code> files, exported private keys, and API tokens pasted into notes: it pulls them into one encrypted, versioned, greppable tree on disk.</p> <p>This guide covers one-time setup (including the WSL Ubuntu wrinkles), the daily workflow, migrating your existing secrets in, scripting against the store, and the <a href="https://wiki.bitsy.services/wiki/security/yubikey">YubiKey</a> hardening path. It assumes you are comfortable on the command line.</p> https://wiki.bitsy.services/wiki/security/gpg/ Mon, 01 Jan 0001 00:00:00 +0000 https://wiki.bitsy.services/wiki/security/gpg/ <p><strong>GnuPG</strong> (GPG) is the free, complete implementation of the OpenPGP standard. It provides public-key encryption and digital signatures from the command line, and it is the encryption engine underneath <a href="https://wiki.bitsy.services/wiki/security/pass"><code>pass</code></a>: every secret in a password store is an individual file encrypted to your GPG public key, decryptable only with the matching private key.</p> <p>The model is asymmetric. A <strong>key pair</strong> has a public half (used to encrypt <em>to</em> you, safe to share) and a private half (used to decrypt, guarded by a passphrase and never shared). A modern GPG identity is usually a primary key plus subkeys for signing, encryption, and authentication &ndash; which is what lets the private key be moved onto hardware like a <a href="https://wiki.bitsy.services/wiki/security/yubikey">YubiKey</a> one subkey at a time.</p> https://wiki.bitsy.services/wiki/security/yubikey/ Mon, 01 Jan 0001 00:00:00 +0000 https://wiki.bitsy.services/wiki/security/yubikey/ <p>A <strong>YubiKey</strong> is a small USB (and NFC) hardware authenticator made by Yubico. Among several applets it implements an <strong>OpenPGP smartcard</strong>, which can hold <a href="https://wiki.bitsy.services/wiki/security/gpg">GPG</a> private keys on the device itself. Once a key is moved onto the card, the private material never exists on disk and never leaves the hardware &ndash; cryptographic operations happen <em>on</em> the YubiKey, and the host only sends in ciphertext and gets back plaintext.</p> <p>This makes it the natural hardening step for a <a href="https://wiki.bitsy.services/wiki/security/pass"><code>pass</code></a> store: the GPG key that can decrypt every secret stops being a file an attacker can copy and becomes a physical object you hold. With a touch policy enabled, each decryption also requires a deliberate tap, so malware cannot silently drain the store even while the key is plugged in.</p>