Using Vault to unlock GPG keys

Some weeks ago I wrote about using LastPass stored passwords to unlock ssh-keys. Some of you gave feedback, using LastPass to store those quite confidential passwords might not be the best idea. Also when there is no internet connection it’s just not possible to unlock the SSH keys (for example to access local VMs).

That’s the reason I thought about this and switched to using a local Vault instance to store those passwords. The unlock key for that Vault instance is still stored in LastPass but I only need that key once per reboot / Vault reload and also its not possible for anyone (even if they get access to my unlock keys) to use them with my local vault instance.

Now that GitHub supports signed commits with a badge in its interface I’m using my GPG key way more often to sign all the commits I’m creating so I needed a more easy way to enter the password for it. Given that also my GPG keys do not have a password someone could remember (especially as there is not only one key but seven of them) this also should be done using a script.

To use the script I embedded below you need to have a GPG-Agent running which is started using the parameter --allow-preset-passphrase. Also you need a Vault instance containing your GPG key password which is unlocked so you can do a vault read /secret/gpg-key/<your key-id>. To setup Vault please refer to the official documentation.

When you’ve met all those requirements you simply can test whether it works by executing echo "hi" | gpg -sa before and after executing the script. If everything is working it should ask for a password before the script execution but not after. The cache timeout after which the password is dropped from the gpg-agent cache can be configured. For the configuration of the gpg-agent please refer to a documentation you have trust in.