Wednesday, 14 October 2015

Using docker as a password manager!



Alert, this is click-bait, peeps. I'm not really using Docker as a password manager, I'm using a password manager run inside of a Docker container.

In fact even that's not exactly true: I'm using Docker to run a Git server, and I'm using Pass (http://www.passwordstore.org/) to PGP-encrypt password files. I thought I would write a quick little howto guide in case anyone was interested.

With this particular solution you get a password sync solution that can be used easily on Linux and Android. I have no idea how well it runs on Apple or Windows, but I'm guessing you could use Docker to fix that for you too.

So why am I using Docker? Because the revolution will be containerized, people! Or more importantly, because I can. Secondly, I've found running a Git installation within Docker to be really, really easy. So, I've played with GitLab, and yes, it's very nice and shiny. However, I really like Gogs (Go git services http://gogs.io/): it's lightweight, does everything we need and it's also lightweight. I guess what I like the most about Gogs is how lightweight it is; however, experience has taught me that when something is lightweight it is also buggy. I'm glad to report Gogs doesn't break the axiom, which makes it ideal for running in a container. No seriously, ideal, because it's not going to hose everything because it's in a container.

So let's start with the obvious: you must have Docker installed. I hate the fact that we're in a world where I have to say this, but then again we have to tell people not to use hair-driers in showers, so I guess I can't grumble. I'm not going to tell you how to install Docker, because there are nearly 6 million hits on Google and if you can't work that out, this guide is way beyond your pay-grade.

Once you have a working Docker installation we can pull Gogs down (you can build it via the Dockerfile too)

# Pull image from Docker Hub.
$ docker pull gogs/gogs

# Create local directory for volume.
$ sudo mkdir -p /srv/docker/gogs/

# Use `docker run` for the first time.
$ docker run --name=gogs -p 10022:22 -p 10080:3000 -v /srv/docker/gogs:/data gogs/gogs

# Use `docker start` if you have stopped it.
$ docker start gogs

zomg, zomg, zomg, you've just set up a Git server with persistent storage and it was less than 4 commands. Now here we go: go to your web browser, visit 127.0.0.1:10080 and follow the install instructions.

Feel free to plug this into your MySQL deployment if you want (as far as I know, this image doesn't have MySQL installed, and it won't be persistent), but I'd suggest you just use sqlite3 for now (yay, sqlite3 will be persistent as it's stored in the /data folder).

I'd also suggest changing “Domain*” to the IP of the box you want to run this container from (i.e. 192.168.2.22 for example), also “Application URL*” (i.e. 192.168.2.22:10080, this will be handy later on). Also, for the love of god remember to change the SSH port too, to 10022.

Why not set up an admin account now, because nothing sucks more than not being an administrator from the get go.

Once that's complete you may get an error from your web browser as it points to localhost:10080 instead of 192.168.2.22:10080 (if this has happened, it's because you didn't read the instruction above properly).

Now you're in Gogs (and logged in as your user), select “New Repository” and fill in the details. You can name this repository anything you want, I don't care, it's a blog post not a lifestyle choice.

Click “Create Repository”

Now click on the “Dashboard” tab again, and then the “Account Settings” button. Once there select SSH keys and add your SSH key there (if you don't know how to generate an SSH key I have no idea how you got this far, but I'm going to do you a solid and give you this link https://help.github.com/articles/generating-ssh-keys/).

Now for the fun part, you need some PGP keys. Now you could use the ones you already have, I'm not going to judge you for that, but hey, why not generate specific keys for a specific job? If you're going to ignore that piece of advice then that's cool, just ignore the next few steps (just don't forget to install pass). In Ubuntu (or whatever Linux you're running) do the following:

$ sudo apt-get install -y pass gnupg # only in Ubuntu

Now you can run the code below in any Linux

$ gpg --gen-key 

The default option “1” is fine, but make sure the keysize is 4096 in the next option, and the final default option is fine too. Fill in the other options, however when you get to the passphrase option choose something strong!!!! I mean, this is going to be your master-password for your password-manager so let's not choose password123 or some other equally dumb password.

You'll need to move the mouse around a bit and maybe type whilst gpg is getting some entropy, this bit always sucks for me, it might suck for you too. Practice some patience, you'll get there.

Once that's done, you need to grab the key-id like this;

$ gpg --list-keys

Then you need to initiate the key with pass so it knows which key to encrypt your passwords with:

$ pass init D64AA6BE 
$ cd ~/.password-store/
$ git init
$ git config --global user.email "your email address here" 
$ git config --global user.name "your username here"
$ touch README.md
$ git add README.md
$ git commit -m "first commit"
$ git remote add origin ssh://git@127.0.0.1:10022/finux/pass-for-alba13.git 
$ git push -u origin master
 
The stuff in red is specific to you! Now let's generate a password with pass and push it to the Gogs container:

$ pass generate blogpost/test 24
$ pass git push -u origin master

You can view your password with the following command

$ pass show blogpost/test

I'd also suggest this;

$ man pass 

and then read the documentation.  If you're going to use a password manager it makes sense to read the documentation.

You'll be asked to enter your gpg password and boom, you'll have your password in front of you for copying and pasting. Superb, now a decentralized password manager. Which is cool, you can now sync your passwords on all your Linux boxes. But that's not just it. You can also use the Android app too (https://play.google.com/store/apps/details?id=com.zeapo.pwdstore); there is an iOS app but I know nothing about it. There are a few GUIs as well, but you'll find out more info at http://www.passwordstore.org/

Side-note, you'll need to put your SSH key and your GPG keys on your phone to sync/pull/push. Don't be stupid and gmail them to yourself. Get a USB cable and do it that way.

The documentation is pretty good, but it'll take you a little while to get used to it. I like this solution, it's easy to run and deploy, and I don't have to trust anyone with my passwords.
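
Not having to trust the Git server only holds if everything you push really is encrypted, so a quick check before `pass git push` is worth having. The script below is an added example, not part of the original post: it flags an 8-character short key ID in .gpg-id (like the one passed to `pass init` above; short IDs can collide, so the full fingerprint is the safer choice) and any file in the store that does not look like an OpenPGP message. The function names and the sample store are made up for the illustration.

```shell
#!/bin/sh
# Added example (not from the original post): audit a pass store before pushing.
# Prints one finding per line; returns non-zero if anything was found.
audit_store() {
    store=$1; findings=0
    [ -f "$store/.gpg-id" ] || { echo "NO-GPG-ID"; return 1; }
    # .gpg-id names the recipient key(s). 8-hex-digit short IDs can collide,
    # so prefer the full fingerprint shown by `gpg --fingerprint`.
    while IFS= read -r id || [ -n "$id" ]; do
        hex=$(printf '%s' "$id" | tr -d ' ' | sed 's/^0[xX]//')
        if printf '%s' "$hex" | grep -Eq '^[0-9A-Fa-f]{8}$'; then
            echo "SHORT-KEYID $id"; findings=$((findings + 1))
        fi
    done < "$store/.gpg-id"
    # Every other file outside .git must be an OpenPGP message.
    files=$(find "$store" -type f ! -path "$store/.git/*" | sort)
    while IFS= read -r f; do
        rel=${f#"$store"/}
        case $rel in
            ''|.gpg-id|*/.gpg-id|README.md|.gitattributes) continue ;;
            *.gpg) ;;
            *) echo "NOT-GPG $rel"; findings=$((findings + 1)); continue ;;
        esac
        # Heuristic: binary OpenPGP data starts with a byte >= 0x80,
        # ASCII-armored data with a BEGIN PGP MESSAGE header line.
        b=$(od -An -tu1 -N1 "$f" | tr -d ' \n')
        if [ "${b:-0}" -ge 128 ]; then continue; fi
        if head -n 1 "$f" | grep -q '^-----BEGIN PGP MESSAGE-----'; then continue; fi
        echo "PLAINTEXT? $rel"; findings=$((findings + 1))
    done <<EOF
$files
EOF
    [ "$findings" -eq 0 ]
}

# Constructed sample store: the short key ID from the post, one entry that
# starts like a binary OpenPGP packet, and two mistakes a push would publish.
make_demo_store() {
    d=$(mktemp -d)
    mkdir -p "$d/blogpost" "$d/.git"
    echo "D64AA6BE" > "$d/.gpg-id"
    printf '\205\002\014constructed' > "$d/blogpost/test.gpg"
    echo "not-a-real-password" > "$d/blogpost/oops.gpg"
    echo "wifi: example" > "$d/notes.txt"
    echo "$d"
}

demo=$(make_demo_store); audit_store "$demo" || true; rm -rf "$demo"
```

Keep in mind that entry and folder names (blogpost/test and so on) are stored in the clear in Git; only the file contents are encrypted.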

This was supposed to be a fun little guide to get you up and running, nothing definitive. If this isn't the thing for you, then that's okay too. Have fun

Finux

[UPDATE] if you get this error message;

"Binary and template file version does not match, did you forget to recompile?"

Run this command

$ sudo rm -rf /srv/docker/gogs/templates