Using GnuPG as a safe password manager.

Keywords: GnuPG, password manager, Git Custom Credential Helper

Using a GnuPG-based password manager for Git on the command line over HTTPS.

GitHub requires a personal access token when two-factor authentication (2FA) is enabled; the generated token is used in place of a password. It is impossible to remember by heart. GnuPG seems to be the best alternative for storing your passwords (tokens and other non-public information) safely, since the GPG key's passphrase for encryption/decryption effectively acts as a master password.

* First, generate a new GPG key pair for signing and encryption. GnuPG will show its user ID.

* Second, encrypt a password (token): copy it to the clipboard (Ctrl+C), then run:

gpg -e -o [PATH_TO_ENCRYPTED_TOKEN] -r "[USER_ID]"
paste the token (Ctrl+Shift+V), then press Ctrl+D to end the input.

* Third, add a Bash file (executable flag set) named git-credential-[HELPER_LAST_NAME] (without the .sh extension):

#!/bin/bash
# git passes the action (get, store, erase) as $1 and the request on stdin;
# this minimal helper ignores both and always answers with the stored token.
# -r is only needed for encryption; $(...) strips the trailing newline.
token=$(gpg -d "[PATH_TO_ENCRYPTED_TOKEN]" 2>/dev/null) || exit 1
echo protocol=https
echo host=[YOUR_HOST]
echo username=[YOUR_USER_NAME]
echo "password=$token"
Add the directory containing this file to the PATH environment variable (in ~/.bashrc). Also add the line export GPG_TTY=$(tty) to ~/.bashrc so that gpg-agent can prompt for and cache the passphrase (see info/man gpg-agent).

* Fourth, register this helper in the git config:

git config --global credential.helper [HELPER_LAST_NAME]
# then check it (the password will be printed in plain text!!!):
git credential-[HELPER_LAST_NAME]
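A stricter variant of the helper from step three, added here as an example (not the original script): it parses the request git sends on stdin, answers only "get" requests for the configured HTTPS host, and stays silent for store/erase or for any other host, so the token is never handed to a remote it was not meant for. The environment variable names GIT_HELPER_HOST, GIT_HELPER_USER and ENCRYPTED_TOKEN and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not the page's own helper: a git credential helper that
# reads git's request, answers only "get" for the configured HTTPS host, and
# stays silent otherwise, so the token is never handed to a different host.
# Assumed names: GIT_HELPER_HOST, GIT_HELPER_USER, ENCRYPTED_TOKEN.
set -u

cred_host="${GIT_HELPER_HOST:-github.com}"
cred_user="${GIT_HELPER_USER:-YOUR_USER_NAME}"
enc_token="${ENCRYPTED_TOKEN:-${HOME:-.}/.git-token.gpg}"

# Decrypt the stored token (the passphrase prompt goes through gpg-agent).
# -r is not needed for decryption; it only selects recipients when encrypting.
decrypt_token() {
    gpg --quiet -d "$enc_token" 2>/dev/null
}

# $1 is the action git passes (get, store or erase); the request arrives on
# stdin as key=value lines terminated by a blank line.
answer_request() {
    action="$1"
    req_protocol="" ; req_host=""
    while IFS= read -r line; do
        [ -z "$line" ] && break
        case "$line" in
            protocol=*) req_protocol="${line#protocol=}" ;;
            host=*)     req_host="${line#host=}" ;;
        esac
    done
    # store/erase need no answer, and a foreign host or plain http gets nothing.
    [ "$action" = "get" ] || return 0
    [ "$req_protocol" = "https" ] && [ "$req_host" = "$cred_host" ] || return 0
    # $(...) strips the newline that the encrypted file may carry.
    token=$(decrypt_token) || return 1
    printf 'protocol=https\nhost=%s\nusername=%s\npassword=%s\n' \
        "$cred_host" "$cred_user" "$token"
}

# Run only when git invokes this file as git-credential-<name>.
case "$0" in
    *git-credential-*) answer_request "${1:-}" ;;
esac
```

Install it exactly like the helper in step three (file name git-credential-[HELPER_LAST_NAME] on PATH, executable), then register it as in step four.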

Disadvantage: gpg-agent serves a cached passphrase to any process running under the current user, so if an intruder manages to run a process while your passphrase is cached, it can probably decrypt and steal your information. It would be desirable for gpg-agent to serve a passphrase per process ID, i.e. if you open another shell (terminal), gpg-agent would ask for and cache the passphrase only for that process. Or gpg-agent could use a simpler but still effective approach: always highlight the use of a cached passphrase, i.e. show a modal window about it. So set default-cache-ttl in gpg-agent.conf as low as possible.

MS Windows.

Just checked it on MS Windows 10. Git 2.30.1 was installed with the defaults, except "Choose credential helper" set to "None" instead of "New cross-platform version of Git Credential Manager". Git Bash works the same way as on Linux. Create a .bashrc file in your home directory, C:\users\[user_name], but use the UNIX file separator "/" instead of "\". Run "echo $PATH" in Git Bash to see the paths; it will show C:/users/[user_name]/bin among others. So create a bin folder in your home directory and put the credential helper there. I put GnuPG's folder with the key stores from my Linux machine into C:\users\[user_name], and it works fine.

Using a GnuPG-based password manager for Maven projects.

Maven's built-in password encryption never asks you for a key to unlock the passwords/keys. There is a project, https://github.com/jelmerk/maven-settings-decoder, that can decrypt Maven passwords. GnuPG is a much safer crypto system. In any case, using the passphrase of your single GPG key pair as a master password seems very convenient.

To create an encrypted password file, use this Bash script:

#!/bin/bash
# Requires the environment variable GPG_USER_ID (the user ID of your key pair).
: "${GPG_USER_ID:?set GPG_USER_ID to the user ID of your GPG key pair}"
read -r -p "Enter encrypted password's file name: " epfile_name
read -r -s -p "Enter password: " passw
echo    # -s suppresses the newline after the hidden input
# printf passes the value untouched; gpg reads the plaintext from stdin
printf '%s' "$passw" | gpg -e -o "$epfile_name" -r "$GPG_USER_ID"
Set the environment variable GPG_USER_ID to the user ID of your GPG key pair.

Use the decrypted passwords (passphrases) via variables, e.g. in the maven-gpg-plugin configuration in pom.xml:

...
  <configuration>
    <keyname>${gpgkeyname}</keyname>
    <passphraseServerId>GPGID1</passphraseServerId>
  </configuration>
...
and in ~/.m2/settings.xml:
<settings>
  <servers>
    <server>
      <id>GPGID1</id>
      <passphrase>${gpgpass}</passphrase>
    </server>
    ...

Then write a Bash script to build the Maven project:

#!/bin/bash
# Requires environment variables: GPG_KEY_NAME, JAR_KEY_ALIAS, JAR_PASS_PATH,
# GPG_PASS_PATH, OSSRH_PASS_PATH (-r is not needed for decryption, so GPG_USER_ID is not used here)
set -u
jarpassw=$(gpg --no-verbose -d "$JAR_PASS_PATH" 2>/dev/null) || exit 1
ossrhpassw=$(gpg --no-verbose -d "$OSSRH_PASS_PATH" 2>/dev/null) || exit 1
gpgpassw=$(gpg --no-verbose -d "$GPG_PASS_PATH" 2>/dev/null) || exit 1
# Note: -D values are visible in the process list (ps) for as long as mvn runs.
mvn clean install -Prelease "-Dossrhpass=$ossrhpassw" "-Dsignpass=$jarpassw" \
    "-Dsignalias=$JAR_KEY_ALIAS" "-Dgpgpass=$gpgpassw" "-Dgpgkeyname=$GPG_KEY_NAME"
Create encrypted password files for jarsigner, Sonatype (OSSRH) and GnuPG (in case you use a different GPG key pair for signing this Maven project), and put their paths into the environment variables.

References: