# Pass Password Store — Backup Recovery Guide
## How to Restore
### Prerequisites
```bash
brew install age ssss pass
```
### 1. Reconstruct the passphrase
Collect any 3 of the 5 shares, then:
```bash
ssss-combine -t 3 -q
# paste 3 shares when prompted — outputs the passphrase
```
### 2. Decrypt the archive
```bash
age -d -o secrets.tar.gz secrets.tar.gz.age
# paste the passphrase when prompted
tar -xzf secrets.tar.gz
```
### 3. Import GPG keys
```bash
gpg --import new_pub.asc
gpg --import new_secret.asc
```
Mark your own key as trusted:
```bash
gpg --edit-key EAB14D8405F7F6CFFE8B26BC5B91EB2A6CA3B89F
# at the gpg> prompt:
trust
# select 5 (ultimate)
quit
```
### 4. Restore the password store
```bash
git clone pass_backup_YYYYMMDD.bundle ~/.password-store
```
Another option is to clone it to a temporary directory and decrypt individual files manually as needed.
### 5. Verify
```bash
pass ls
```
## How the backup was created
1. Create secrets dir
1. Export GPG keys to secrets dir
1. Create Git Bundle and move it to secrets dir
1. Tar compress the secrets dir
1. Generate password
1. Use password to encrypt the secrets dir with age
1. Split the password with ssss
### 1. Create Git Bundle
```bash
mkdir /tmp/pass-backup
cd ~/.password-store
git bundle create /tmp/pass-backup/pass_backup_$(date +%Y%m%d).bundle --all
```
This exports the full repo with complete history. The resulting file can be cloned directly:
```bash
git clone pass_backup_YYYYMMDD.bundle restored-password-store
```
### 2. Export GPG Keys
```bash
gpg --export xxxxxxxxxxx > new_pub.asc
gpg --export-secret-keys --armor xxxxxxxxxx > new_secret.asc
```
### 3. Encrypt the bundle with age
```bash
brew install age
age -p pass_backup_20260605.bundle > pass_backup_20260605.bundle.age
```
### 4. Gen password
```bash
openssl rand -base64 96 > pw.txt
```
Then go in and delete the newline.
### 5. Split file with ssss
```bash
cat pw.txt | ssss-split -t 3 -n 5 -q > splits.txt
```
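The "delete the newline" step is easy to get wrong, because `openssl rand -base64 96` wraps its output at 64 characters and so writes two lines, not one. The helper functions below are an added example, not part of the original guide: they strip the line breaks, check the result before it goes to `ssss-split`, and give a short fingerprint to compare during a restore drill. The function names, the `pw.clean` file name, and the 128-character secret limit for ssss are assumptions; confirm the limit against `man ssss`.

```bash
# Added example: pre-flight checks for the passphrase file before ssss-split.
# Assumption: ssss accepts a secret of at most 128 ASCII characters.
MAX_SECRET_BYTES=128

# openssl wraps base64 at 64 characters, so 96 random bytes are written as two
# lines. Strip every CR/LF so the file holds exactly one unterminated line.
normalize_passphrase() {            # usage: normalize_passphrase IN OUT
    ( umask 077; tr -d '\r\n' < "$1" > "$2" )
}

# Returns 0 if FILE is safe to feed to ssss-split, 1 if empty or missing,
# 2 if it still contains a newline, 3 if it is over the length limit.
check_passphrase() {                # usage: check_passphrase FILE
    local f bytes newlines
    f=$1
    [ -s "$f" ] || { echo "empty or missing: $f" >&2; return 1; }
    bytes=$(wc -c < "$f" | tr -d ' ')
    newlines=$(tr -cd '\n' < "$f" | wc -c | tr -d ' ')
    if [ "$newlines" -ne 0 ]; then
        echo "$f contains $newlines newline(s)" >&2
        return 2
    fi
    if [ "$bytes" -gt "$MAX_SECRET_BYTES" ]; then
        echo "$f is $bytes bytes, limit is $MAX_SECRET_BYTES" >&2
        return 3
    fi
    return 0
}

# First 16 hex characters of SHA-256 over the file. Record it at backup time
# and compare it with the fingerprint of the recombined secret in a drill.
passphrase_fingerprint() {          # usage: passphrase_fingerprint FILE
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum < "$1"
    else
        shasum -a 256 < "$1"
    fi | cut -c1-16
}

# Typical use (pw.txt follows the guide, pw.clean is a hypothetical name):
#   normalize_passphrase pw.txt pw.clean && check_passphrase pw.clean
#   passphrase_fingerprint pw.clean
```

A fingerprint mismatch in a drill means the shares reconstruct something other than the passphrase that encrypted the archive.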