<div dir="ltr">I think that you gave the answer of (1) on point (2).<div>About point (2), is it the problem that you have to give the passphrase</div><div>each time that you want to show a password? I don't quite get it.</div><div><br></div><div>Another problem (related to (1)) can be that maybe you can enter</div><div>a different passphrase, by mistake, and then you will fail to decrypt it.</div><div>This is a drawback, I think.</div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Jan 26, 2016 at 3:45 PM, Lucas Hoffmann <span dir="ltr"><<a href="mailto:l-m-h@web.de" target="_blank">l-m-h@web.de</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Quoting Dashamir Hoxha (2016-01-23 15:03:31)<br>
<span class="">> Why do you use asymmetric encryption (public/private keys).<br>
> I think that symmetric encryption is easier, stronger, and simpler<br>
> (you don't need to generate and maintain a key, all you need is<br>
> a passphrase). It can be done with `gpg -c ...`.<br>
<br>
</span>I have two questions/concerns about the use of symmetric encryption. I<br>
assume that I store one password (or one secret) under each name in<br>
pass. GPG symmetric encryption needs a passphrase for each<br>
symmetrically encrypted file.<br>
<br>
1. But that leads to a situation where I have to remember one GPG<br>
passphrase for every secret I want to store in pass. In my opinion<br>
this kills the main feature of a password manager: To store many<br>
secrets and unlock them with few/one (preferably strong)<br>
passphrase(s).<br>
2. I could reuse the same passphrase for several secrets in pass (in<br>
order to circumvent point one). But then I still have to type in the<br>
same passphrase for every new secret I add to pass. And I would have<br>
to enter the passphrase for every secret in pass separately when<br>
retrieving them. This is because gpg-agent can and should never<br>
notice that two different files (both symmetrically encrypted) have<br>
the same passphrase.<br>
<br>
Point two can be tested like this: Encrypt two files and enter the same<br>
passphrase each time (say "foo"):<br>
<br>
echo test1 | gpg -c > test1.gpg<br>
echo test2 | gpg -c > test2.gpg<br>
<br>
Now kill the gpg-agent (necessary as it did store the passphrases after<br>
encryption):<br>
<br>
pkill gpg-agent<br>
<br>
Then try to decrypt the two test files in any order repeatedly:<br>
<br>
gpg -q < test1.gpg<br>
gpg -q < test1.gpg<br>
gpg -q < test2.gpg<br>
gpg -q < test2.gpg<br>
<br>
You will notice that gpg asks you for the passphrase of each file on the<br>
first run it decrypts *this* file, regardless of whether another file with the<br>
same passphrase was already decrypted and the passphrase stored in the<br>
gpg-agent.<br>
<br>
So regardless of any strength considerations about symmetric and<br>
asymmetric encryption I do not see any advantage in the interaction with<br>
pass when using symmetric encryption.<br>
<br>
Cheers<br>
<span class="HOEnZb"><font color="#888888">Lucas<br>
</font></span><br>
PS: Don't let the length of this argument stop you from proving me<br>
wrong :)<br>
</blockquote></div><br></div>
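The test Lucas describes shows the prompting behaviour from the outside; the model below shows where it comes from. Each symmetrically encrypted OpenPGP file carries its own random S2K salt, so two files protected by the same passphrase have unrelated salts and unrelated derived keys, and gpg-agent keys its passphrase cache on that per-file salt rather than on the passphrase text (the cache-id format here is modelled on gpg's; the key derivation uses PBKDF2 in place of GnuPG's iterated-and-salted S2K, an assumption made to keep the example self-contained). This is an added Python example written for this page, not code from pass or from GnuPG; the `Agent` class, `encrypt_file`, `decrypt_file` and `run_thread_test` are illustrative names. It replays the thread's test1/test1/test2/test2 sequence against a fresh agent and counts prompts, and also models the other point raised in the reply: a mistyped passphrase simply fails to decrypt.

```python
"""Toy model of why gpg-agent cannot share one passphrase between two
symmetrically encrypted files. Added example, not GnuPG or pass code."""
import hashlib
import secrets

SALT_LEN = 8          # OpenPGP S2K salts are 8 bytes
ITERATIONS = 20_000   # stand-in for GnuPG's S2K iteration count (assumption)


def derive_key(passphrase: str, salt: bytes) -> bytes:
    """Toy S2K: PBKDF2-HMAC-SHA256 standing in for GnuPG's iterated+salted S2K."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, ITERATIONS, 32)


def keystream(key: bytes, length: int) -> bytes:
    """Counter-style keystream from SHA-256; XOR with it stands in for the
    real cipher, which is irrelevant to the caching question."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def key_check(key: bytes) -> bytes:
    """Short tag that lets decryption detect a wrong passphrase."""
    return hashlib.sha256(b"check" + key).digest()[:4]


def encrypt_file(passphrase: str, plaintext: bytes) -> tuple:
    """Return a toy 'encrypted file' (salt, check, ciphertext).
    The fresh random salt per file is the point: the salt is all a later
    reader sees in the header, and two files made with the same passphrase
    carry unrelated salts and therefore unrelated derived keys."""
    salt = secrets.token_bytes(SALT_LEN)
    key = derive_key(passphrase, salt)
    ct = bytes(p ^ k for p, k in zip(plaintext, keystream(key, len(plaintext))))
    return salt, key_check(key), ct


class Agent:
    """Models gpg-agent's symmetric passphrase cache: entries are keyed by an
    id derived from the file's salt (modelled on gpg's "S" + hex salt), so a
    cache hit is only possible for a file whose salt the agent has seen."""

    def __init__(self, ask_user):
        self._cache = {}
        self._ask_user = ask_user   # called on a cache miss, i.e. a pinentry prompt
        self.prompts = 0

    def get_passphrase(self, salt: bytes) -> str:
        cache_id = "S" + salt.hex()
        if cache_id not in self._cache:
            self.prompts += 1
            self._cache[cache_id] = self._ask_user()
        return self._cache[cache_id]

    def forget(self, salt: bytes) -> None:
        self._cache.pop("S" + salt.hex(), None)


def decrypt_file(agent: Agent, blob: tuple) -> bytes:
    """Decrypt one toy file, asking the agent for the passphrase by salt."""
    salt, check, ct = blob
    key = derive_key(agent.get_passphrase(salt), salt)
    if key_check(key) != check:
        agent.forget(salt)          # a wrong passphrase must not stay cached
        raise ValueError("wrong passphrase")
    return bytes(c ^ k for c, k in zip(ct, keystream(key, len(ct))))


def run_thread_test(typed: str = "foo"):
    """Replay the thread's test with a fresh agent: two files encrypted under
    'foo', then decrypted in the order test1, test1, test2, test2.
    Returns (number of passphrase prompts, decrypted outputs)."""
    files = [encrypt_file("foo", b"test1\n"), encrypt_file("foo", b"test2\n")]
    agent = Agent(lambda: typed)    # the user types `typed` at every prompt
    order = [files[0], files[0], files[1], files[1]]
    outputs = [decrypt_file(agent, blob) for blob in order]
    return agent.prompts, outputs


def wrong_passphrase_is_detected() -> bool:
    """A mistyped passphrase ('bar' instead of 'foo') fails to decrypt."""
    try:
        run_thread_test(typed="bar")
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    prompts, outputs = run_thread_test()
    print(f"prompts: {prompts}, outputs: {outputs}")   # prompts: 2
    print("wrong passphrase detected:", wrong_passphrase_is_detected())
```

Run as a script it reports two prompts for four decryptions, one per distinct file, exactly the pattern observed with real gpg. An agent that could avoid the second prompt would have to try every cached passphrase against every new salt, which is why keying the cache on the salt is the safe design rather than a limitation to work around.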