What happens if one person leaves the team and another enters with a new key?<br><br><div class="gmail_quote">On Fri, Sep 21, 2012 at 10:46 AM, Lucas Arduini <span dir="ltr"><<a href="mailto:st_luke@me.com" target="_blank">st_luke@me.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">The Internet is freakin awesome<br>
<div class="HOEnZb"><div class="h5"><br>
<br>
On Sep 20, 2012, at 8:42 PM, "Jason A. Donenfeld" <<a href="mailto:Jason@zx2c4.com">Jason@zx2c4.com</a>> wrote:<br>
<br>
> Hey Luke & Roman,<br>
><br>
> I saw your twitter conversation about pass -- namely that it doesn't<br>
> support multiple users. Interestingly enough, just yesterday someone<br>
> emailed the pass mailing list about this (both copied), and I replied<br>
> that although it doesn't support it, it'd be trivial to add. Then,<br>
> thirty seconds later, I realized that due to a super nice GPG feature,<br>
> pass does in fact already support this. Check it out:<br>
><br>
> Fundamentally, pass comes down to this gpg command:<br>
><br>
> gpg -r "Some user provided id" -e -o "output file name"<br>
><br>
> gpg can support multiple recipients by adding more -r commands -- this<br>
> is the trivial change I was talking about. But it can also do<br>
> something much better and more robust. GPG has a notion of "groups",<br>
> where you can assign one recipient ID to multiple recipients. So, this<br>
> command:<br>
><br>
> gpg -r "team" -e -o "output file name"<br>
><br>
> winds up expanding to all of the individuals on the team, encrypting<br>
> each password efficiently and securely with each of their public keys,<br>
> allowing any one of their private keys to decipher it.<br>
><br>
><br>
> But never mind all these technical details. How does it work in<br>
> practice? Super simple:<br>
><br>
> You set up a GPG group using "gpg --group". This simply adds a line to<br>
> ~/.gnupg/gpg.conf that looks like "group team = paige 0x12345678 joe<br>
> patti".<br>
><br>
> Then, you init pass using "team" instead of your key:<br>
><br>
> pass init team<br>
><br>
> Simple as that. From now on, passwords will be encrypted using multiple keys.<br>
><br>
><br>
> Hope this helps. Let me know if you have any questions, and please<br>
> don't hesitate to join the pass mailing list:<br>
> <a href="http://lists.zx2c4.com/listinfo.cgi/password-store-zx2c4.com" target="_blank">http://lists.zx2c4.com/listinfo.cgi/password-store-zx2c4.com</a><br>
><br>
> Jason<br>
_______________________________________________<br>
Password-Store mailing list<br>
<a href="mailto:Password-Store@lists.zx2c4.com">Password-Store@lists.zx2c4.com</a><br>
<a href="http://lists.zx2c4.com/listinfo.cgi/password-store-zx2c4.com" target="_blank">http://lists.zx2c4.com/listinfo.cgi/password-store-zx2c4.com</a><br>
</div></div></blockquote></div><br>
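To show concretely what the group line does and what the question above about a departing member comes down to, here is an added example (my own, not code from the e-mail or from pass): it builds throwaway keyrings for paige and patti, writes the `group team = ...` line Jason describes, encrypts to `team`, then drops patti and re-encrypts. The names, addresses and the secret value are constructed for the demo.

```shell
#!/usr/bin/env bash
# Added example (not from the e-mail or from pass itself): what the
# "group team = ..." line in gpg.conf does, and what happens to old and new
# ciphertexts when a member leaves. Names, addresses and the secret are
# constructed for the demo; everything lives in a throwaway $WORK directory.
set -eu

make_member() {   # $1 = name: private keyring in $WORK/$1, public key into the vault
  local home="$WORK/$1"; mkdir -p "$home"; chmod 700 "$home"
  GNUPGHOME="$home" gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
    --quick-generate-key "$1 <$1@example.test>" default default never
  GNUPGHOME="$home" gpg --batch --quiet --export "$1@example.test" \
    | GNUPGHOME="$WORK/vault" gpg --batch --quiet --import
}

encrypt_to_team() {   # $1 = output file; the "gpg -r team -e -o file" from the e-mail
  printf 'hunter2\n' | GNUPGHOME="$WORK/vault" gpg --batch --quiet --yes \
    --trust-model always -r team -e -o "$1"
}

can_decrypt() {   # $1 = member, $2 = file; exit 0 only if that member's key opens it
  GNUPGHOME="$WORK/$1" gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
    -d "$2" >/dev/null 2>&1
}

demo_group_rotation() {
  command -v gpg >/dev/null 2>&1 || { echo "gpg not installed, skipping"; return 0; }
  WORK=$(mktemp -d); mkdir -p "$WORK/vault"; chmod 700 "$WORK/vault"
  make_member paige; make_member patti
  # The one line "gpg --group" adds to gpg.conf; "team" now expands to both keys
  echo "group team = paige@example.test patti@example.test" > "$WORK/vault/gpg.conf"
  encrypt_to_team "$WORK/site.gpg"
  can_decrypt paige "$WORK/site.gpg" || return 1
  can_decrypt patti "$WORK/site.gpg" || return 1
  # patti leaves: shrink the group and re-encrypt (what a fresh "pass init" would do)
  echo "group team = paige@example.test" > "$WORK/vault/gpg.conf"
  encrypt_to_team "$WORK/site2.gpg"
  can_decrypt paige "$WORK/site2.gpg" || return 1
  if can_decrypt patti "$WORK/site2.gpg"; then return 1; fi   # new file: patti locked out
  can_decrypt patti "$WORK/site.gpg" || return 1              # old file: patti still reads it
  for h in paige patti vault; do GNUPGHOME="$WORK/$h" gpgconf --kill gpg-agent 2>/dev/null || true; done
  rm -rf "$WORK"
  echo "rotation ok: re-encrypt every file, and change secrets patti already saw"
}
```

Shrinking the group only protects files encrypted afterwards: existing ciphertexts stay readable by the departed member's key, so every stored password has to be re-encrypted, and any password that member already knew has to be changed.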