Hi Christian,

On Sat, 12 Jun 2021 at 15:13, Christian Chavez wrote:
> (If you - or anyone else - have got any tips/suggestions, I'm all ears)!

It was something like `cd $HOME/.password-store && git add -u && git commit -m "autocommit"`. I do not have the cron anymore. And the submodules were created with a normal pass init on a different machine.

> > In pass, you can have different keys for each subtree. See the man page
> > for `pass init --path=sub-folder`.
>
> This is indeed what "solves" my problem, but I fail to understand how I can
> utilize this.
> Maybe I'm interpreting the keyword "init" wrongly, but I was hoping to
> avoid "hand-crafted" aliases/the like to reference different
> subdirectories/trees of passwords.

The trick is that there can be a .gpg-id anywhere in the subtree, changing the keys that can access the passes. A `pass init -p ...` just creates a .gpg-id inside that sub-folder. But the content could be the same as in the top dir.

> So, in an attempt to clarify my confusion (nevermind the oxymoron that
> becomes);
> Are you supposed to `pass init --path <subfolder within
> $PASSWORD_STORE_DIR><gpg key(s)>` within an already established
> PASSWORD_STORE_DIR?

Yes. You can even add/edit that .gpg-id manually, but then you have to handle the reencryption yourself.

Be also aware that (as you have that in git) if a user was able to decrypt passes in the past, he will be in the future too (just go back in the git history). So, if you plan to have more limited access for a subtree than in the main, then you have to start with it that way.

Keep also in mind that anybody with write access to git could write a .gpg-id with his key included, to let him access all future stored passes in that tree.

I had it this way:
- my private main password-store with main .gpg-id
  - ...
  - geschäftlich (a git submodule synced from a different machine)

That dir includes its own .gpg-id. There were even trees with more or fewer keys inside.

Have fun.

Regards
   Klaus
-- 
Klaus Ethgen                                       http://www.ethgen.ch/
pub  4096R/4E20AF1C 2011-05-16            Klaus Ethgen <kl...@ethgen.ch>
Fingerprint: 85D4 CA42 952C 949B 1753  62B3 79D0 B06F 4E20 AF1C
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
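The per-subtree `.gpg-id` behaviour and the write-access risk described in the message above can be checked with a small audit; this is an added example, not code from the thread or from pass itself. It assumes the nearest `.gpg-id` at or above a directory decides the recipients (one key ID per line), and the key IDs, store layout and policy are constructed placeholders.

```python
import os
import tempfile
def effective_recipients(store, directory):
    """The nearest .gpg-id between directory and the store root decides the keys."""
    store, cur = os.path.abspath(store), os.path.abspath(directory)
    while True:
        gpg_id = os.path.join(cur, ".gpg-id")
        if os.path.isfile(gpg_id):
            with open(gpg_id) as fh:
                return frozenset(ln.strip() for ln in fh if ln.strip())
        if cur == store:
            return frozenset()  # no .gpg-id at or above this directory
        cur = os.path.dirname(cur)

def allowed_for(rel, policy):
    """Most specific policy entry covering rel; '.' is the store root."""
    parts = [] if rel == "." else rel.split("/")
    while parts and "/".join(parts) not in policy:
        parts.pop()
    return policy["/".join(parts) or "."]

def audit(store, policy):
    """Map each directory to the key IDs it is encrypted to beyond the policy."""
    findings = {}
    for root, dirs, _files in os.walk(store):
        dirs[:] = [d for d in dirs if d != ".git"]  # skip git metadata
        rel = os.path.relpath(root, store).replace(os.sep, "/")
        extra = effective_recipients(store, root) - allowed_for(rel, policy)
        if extra:
            findings[rel] = sorted(extra)
    return findings

# Constructed sample data: key IDs, layout and policy are placeholders.
DEMO_POLICY = {".": {"ALICE"}, "work": {"ALICE", "BOB"}}
DEMO_LAYOUT = {
    ".gpg-id": "ALICE\n", "mail.gpg": "", "private/bank.gpg": "",
    "work/.gpg-id": "ALICE\nBOB\n", "work/vpn.gpg": "",
    "work/infra/.gpg-id": "ALICE\nBOB\nMALLORY\n",  # key outside the policy
    "work/infra/prod/db.gpg": "",
}

def build_demo_store():
    store = tempfile.mkdtemp(prefix="pass-demo-")
    for rel, body in DEMO_LAYOUT.items():
        path = os.path.join(store, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
    return store
```

Calling `audit(build_demo_store(), DEMO_POLICY)` flags `work/infra` and the `work/infra/prod` directory that inherits from it; run against a real store from a pre-commit or CI check, the same comparison surfaces an unexpected key in a `.gpg-id` before new entries are encrypted to it.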