[pass] Multi-user pass / group pass

Jason A. Donenfeld Jason at zx2c4.com
Fri Sep 21 17:27:20 CEST 2012


Hi Roman,

On Fri, Sep 21, 2012 at 9:31 AM, Roman Shtylman <shtylman at gmail.com> wrote:
> One way to make this happen would be to drop a gpgid file into any of those subfolders and have that be used for that subfolder and those under it? This would probably require a new command line option --key or something for generate and insert which would let you specify the key? Or maybe just allow the init command to take a subfolder argument meaning "initialize new storage with this key under this folder in .password-store"

There are actually two ways to do this. The PASSWORD_STORE_DIR
environment variable, if set, controls the location of the password
store. So using this, you can pretty easily have multiple password
stores. You could even nest password stores inside each other in
subfolders, as you alluded to before.

One easy way to automate this is with a bash alias:

alias tpass="PASSWORD_STORE_DIR=$HOME/.password-store/Team pass"

I guess "tpass" is short for "team pass", but you could call it what
you want. Then, you can do this:

tpass init team-group-id-blah
tpass insert Twitter/empirejs2012
tpass generate GApps/admin 25
tpass --clip Twitter/empirejs2012

And similar. Since they're nested, you can also do:

pass --clip Team/Twitter/empirejs2012

Because each GPG file contains the id of the keys that encrypted it,
you can run the "show" command from either pass or tpass, and it will
decrypt successfully.



The other method (which I've just added a moment ago as commit
9dcae25) is to use the environment variable PASSWORD_STORE_KEY, which
overrides the key used with pass init. The same bash alias trick works
here too:

alias tpass="PASSWORD_STORE_KEY=team-group-id-blah pass"

And then you can use the usual:

tpass generate Twitter/this-is-encrypted-with-the-team-keys 20
pass generate Twitter/this-is-encrypted-with-only-my-key 16


So things are pretty flexible.


Jason
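
Because each entry records the key IDs it was encrypted to, a nested Team store can be audited for entries written with plain pass instead of tpass. The script below is an added example, not part of the original message or of pass. Its function names, key IDs and packet dumps are constructed, and it assumes the `:pubkey enc packet: ... keyid` lines that `gpg --list-packets` prints.

```shell
#!/bin/sh
# Added example, not part of pass. Key IDs and packet dumps are constructed.

# Print the long key ID of every recipient found in `gpg --list-packets`
# output on stdin. gpg reports the encryption *subkey* ID here, which usually
# differs from the primary key ID or address stored in .gpg-id.
recipient_keyids() {
    sed -n 's/^:pubkey enc packet:.*keyid \([0-9A-Fa-f]\{16\}\).*$/\1/p' |
        tr 'a-f' 'A-F' | sort -u
}

# $1: space-separated subkey IDs that must be recipients; stdin: packet dump.
# Prints each required ID that is absent and returns 1 if any is missing.
missing_recipients() {
    found=$(recipient_keyids)
    rc=0
    for id in $1; do
        id=$(printf '%s' "$id" | tr 'a-f' 'A-F')
        if ! printf '%s\n' "$found" | grep -qx "$id"; then
            printf '%s\n' "$id"
            rc=1
        fi
    done
    return "$rc"
}

# $1: store directory, $2: required subkey IDs. Reports entries that the
# required keys cannot decrypt. --list-only skips the decryption pass, so
# no secret key or passphrase is needed to run the audit.
audit_store() {
    find "$1" -type f -name '*.gpg' | while IFS= read -r f; do
        miss=$(gpg --batch --list-only --list-packets "$f" 2>/dev/null |
            missing_recipients "$2" | tr '\n' ' ')
        [ -z "$miss" ] || printf '%s: not encrypted to %s\n' "$f" "$miss"
    done
}

# Constructed dump for an entry written through the team alias (two recipients).
SAMPLE_TEAM_ENTRY=':pubkey enc packet: version 3, algo 1, keyid 3333cccc4444dddd
	data: [2046 bits]
:pubkey enc packet: version 3, algo 1, keyid 1111AAAA2222BBBB
	data: [2047 bits]
:encrypted data packet:'
# Constructed dump for an entry written with only a personal key.
SAMPLE_PERSONAL_ENTRY=':pubkey enc packet: version 3, algo 1, keyid 1111AAAA2222BBBB
	data: [2047 bits]
:encrypted data packet:'
```

To audit a real store, run `audit_store "$HOME/.password-store/Team" "<team encryption subkey ID>"`; entries created with `--throw-keyids` show an all-zero key ID and are reported as missing.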


