Pearpass
Scripts for managing secrets with Octopus and GnuPG.
Octopus is an HTTP service that verifies a YubiKey OTP against the YubiCloud verification service and, if the OTP verifies, HMACs a given payload using a server secret and the YubiKey's unique ID. Pearpass assigns each secret a unique ID and submits that ID to Octopus as the payload; the resulting HMAC is used as the passphrase for GnuPG symmetric encryption and decryption of the secret. The ID itself is stored as a comment in the GnuPG output file, so it can be recovered at decryption time. In addition, a user-specified public key is used for GnuPG asymmetric encryption of the same message. A Pearpass secret can therefore be decrypted either with the YubiKey that was used at encryption time (via Octopus) or with the secret key corresponding to the specified public key.
In order to use Pearpass, you need a YubiKey that can be verified with YubiCloud. You can purchase one from Yubico. You also need access to an Octopus server. Set the environment variable $OCTOPUS_URL to the URL of the Octopus server you wish to use. Finally, you must set up GnuPG. Set $PEARPASS_KEYID to the key ID of the public key that you want Pearpass to use.

Pearpass does not manage GnuPG keys or keyrings. The public key specified by $PEARPASS_KEYID is assumed to be in the default keyring.
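The following is an added illustration of the flow described above, not Pearpass's own scripts. It models the Octopus step as HMAC-SHA256 keyed with the server secret over the payload and the YubiKey ID (the exact construction Octopus uses is an assumption, as is the `pearpass-id:` comment format), and builds the gpg invocations that encrypt to both the derived passphrase and $PEARPASS_KEYID with the secret ID in the armor header.

```python
"""Model of the Pearpass encrypt/decrypt flow (added example, not project code).
Assumptions: the Octopus HMAC construction, the 'pearpass-id:' comment format
and the 16-byte random ID; gpg is only invoked from main(), never on import."""
import hashlib
import hmac
import os
import re
import subprocess

COMMENT_PREFIX = "pearpass-id:"  # assumed format for the armor Comment: header


def new_secret_id() -> str:
    """Pearpass gives each secret a unique ID; 16 random bytes is an assumption."""
    return os.urandom(16).hex()


def octopus_hmac(server_secret: bytes, yubikey_id: str, payload: str) -> str:
    """Stand-in for the Octopus server: after a successful OTP verification it
    HMACs the payload with its server secret and the YubiKey's unique ID.
    The passphrase therefore depends on the physical key, not the OTP itself."""
    return hmac.new(server_secret, (payload + yubikey_id).encode(), hashlib.sha256).hexdigest()


def encrypt_argv(secret_id: str, keyid: str, plaintext_path: str) -> list:
    """gpg argv: symmetric (passphrase read from fd 0) AND public-key encryption
    of one message, with the secret ID placed in the ASCII-armor Comment: line."""
    return ["gpg", "--batch", "--pinentry-mode", "loopback", "--passphrase-fd", "0",
            "--armor", "--symmetric", "--encrypt", "--recipient", keyid,
            "--comment", COMMENT_PREFIX + secret_id, "--output", "-", plaintext_path]


def decrypt_argv(ciphertext_path: str) -> list:
    """gpg argv for the YubiKey path: passphrase (Octopus HMAC) on fd 0."""
    return ["gpg", "--batch", "--pinentry-mode", "loopback", "--passphrase-fd", "0",
            "--decrypt", ciphertext_path]


def extract_secret_id(armored: str) -> str:
    """Recover the secret ID from the armor header before asking Octopus for the HMAC."""
    m = re.search(r"^Comment: " + re.escape(COMMENT_PREFIX) + r"([0-9a-f]{32})$", armored, re.M)
    if not m:
        raise ValueError("no Pearpass ID comment in armored message")
    return m.group(1)


def run_gpg(argv: list, passphrase: str) -> bytes:
    """Run gpg with the passphrase as the first stdin line (fd 0), return its output."""
    return subprocess.run(argv, input=(passphrase + "\n").encode(), check=True,
                          capture_output=True).stdout


# Constructed sample armor (body truncated) showing where the ID ends up.
SAMPLE_ARMOR = "-----BEGIN PGP MESSAGE-----\nComment: pearpass-id:" + "ab" * 16 + "\n\nhQEM...\n-----END PGP MESSAGE-----\n"
```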