Pearpass

Scripts for managing secrets with Octopus and GnuPG.

[Octopus] 1 is an HTTP service that verifies a [YubiKey] 2 OTP against the YubiCloud verification service, then, if verified, HMACs a given payload using a server secret and the YubiKey's unique ID. Pearpass assigns each secret a unique ID. The Octopus hash of this ID is used as a password to encrypt and decrypt secrets using [GnuPG] 3. The ID itself is stored as a comment in the GnuPG output file. In addition, a user-specified public key is used for GnuPG asymmetric encryption. Pearpass secrets can therefore be decrypted using either the YubiKey that was used at encryption-time, or the secret key corresponding to the specified public key.

In order to use Pearpass, you need a YubiKey that can be verified with YubiCloud. You can purchase one from [Yubico] 2. You also need access to an Octopus server. Set the environment variable $OCTOPUS_URL to the url of the Octopus server you wish to use. Finally, you must set up GnuPG. Set $PEARPASS_KEYID to the keyid of the public key that you want Pearpass to use. Pearpass does not manage GnuPG keys or keyrings. The public key specified by $PEARPASS_KEYID is assumed to be in the default keyring.