<div dir="ltr">Exposing your password files shouldn't be any worse than, e.g. exposing the same number of encrypted emails.<div><br></div><div>I do agree that it would be nice to not expose the Pass repo file names. There are several ways to do this.</div><div><br></div><div>There's a Pass extension that will 'entomb' your entire repo, i.e. encrypt the entire repo directory tree. Tho that isn't supported by the Pass for iOS app.</div><div><br></div><div>Another solution – one I use – is to use a Git remote helper that encrypts the entire remote repo (including commit history and the Git internal objects). I opened <a href="https://github.com/mssun/passforios/issues/143">an issue for the Pass for iOS app to add support for that remote helper</a> (tho it's currently unlikely to be added anytime soon).</div><div><br></div><div>Currently, I just rely on the security of the private repo host I'm using to prevent exposing directory and file names. That's probably fine.</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Sun, Jan 28, 2018 at 5:06 AM, Ben Oliver <span dir="ltr">&lt;<a href="mailto:ben@bfoliver.com" target="_blank">ben@bfoliver.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">On 18-01-28 10:25:31, Greg Minshall wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
hi. thanks very much to the responsible parties for password-store,<br>
which i'm happily using on lubuntu.<br>
<br>
i'm attracted to somehow synchronizing with my iphone. the solution<br>
(that i've seen) uses git for synchronizing.<br>
<br>
this tickles something that's worried me a bit since i started looking<br>
at pass, which is, i *worry* that the security of exposing lots of tiny,<br>
"known-format" (more or less) files, all encrypted with the same key,<br>
may be less secure than exposing one large, known-format, file,<br>
encrypted with that same key.<br>
<br>
(this is my intuition speaking to me and, of course, *my* intuition,<br>
especially w.r.t. security, is infallible... :)<br>
<br>
does anyone have any opinions/numbers/facts?<br>
<br>
cheers, Greg<br>
</blockquote>
<br></span>
This is one of the main 'weaknesses' with pass - it exposes all of the file names and therefore (for most people I presume) website names. There are ways around this but I'm not sure they work on iPhone.<br>
<br>
It's a risk I'm willing to take if the tradeoff is the excellent usability and simple, transparent mechanism pass uses to encrypt and send files.<br>
<br>
One thing I like about using gpg as a solution is that you can encrypt with multiple keys. This means you don't need to use the same key on your phone as on your PC.<div class="HOEnZb"><div class="h5"><br>
______________________________<wbr>_________________<br>
Password-Store mailing list<br>
<a href="mailto:Password-Store@lists.zx2c4.com" target="_blank">Password-Store@lists.zx2c4.com</a><br>
<a href="https://lists.zx2c4.com/mailman/listinfo/password-store" rel="noreferrer" target="_blank">https://lists.zx2c4.com/mailma<wbr>n/listinfo/password-store</a><br>
</div></div></blockquote></div><br></div>