travisshears / pass_backup

# Pass Password Store — Backup Recovery Guide ## How to Restore ### Prerequisites ```bash brew install age ssss pass ``` ### 1. Reconstruct the passphrase Collect any 3 of the 5 shares, then: ```bash ssss-combine -t 3 -q # paste 3 shares when prompted — outputs the passphrase ``` ### 2. Decrypt the archive ```bash age -d -o secrets.tar.gz secrets.tar.gz.age # paste the passphrase when prompted tar -xzf secrets.tar.gz ``` ### 3. Import GPG keys ```bash gpg --import new_pub.asc gpg --import new_secret.asc ``` Mark your own key as trusted: ```bash gpg --edit-key EAB14D8405F7F6CFFE8B26BC5B91EB2A6CA3B89F # at the gpg> prompt: trust # select 5 (ultimate) quit ``` ### 4. Restore the password store ```bash git clone pass_backup_YYYYMMDD.bundle ~/.password-store ``` Another option is to just clone it to a tmp dir and decrypt indivual files manually as needed ### 5. Verify ```bash pass ls ``` ## How the backup was created 1. Create secrets dir 1. Export GPG keys to secrets dir 1. Create Git Bundle and move it to secrets dir 1. Tar compress the secrets dir 1. Generate password 1. Use password to encrypt the sectets dir with age 1. split the password with ssss ### 1. Create Git Bundle ```bash mkdir /tmp/pass-backup cd ~/.password-store git bundle create /tmp/pass-backup/pass_backup_$(date +%Y%m%d).bundle --all ``` This exports the full repo with complete history. The resulting file can be cloned directly: ```bash git clone pass_backup_YYYYMMDD.bundle restored-password-store ``` ### 2. Export GPG Keys ```bash gpg --export xxxxxxxxxxx > new_pub.asc gpg --export-secret-keys --armor xxxxxxxxxx > new_secret.asc ``` ### 2. Encrypt the bundle with age ```bash $ brew install age $ age -p pass_backup_20260605.bundle > pass_backup_20260605.bundle.age ``` ### 3. Gen password ```bash openssl rand -base64 96 > pw.txt ``` Then go in and delete the newline ### 4. Split file with ssss ```bash cat pw.txt | ssss-split -t 3 -n 5 -q > splits.txt ```