<span>> This means NOT storing your encrypted keys on a local device, but storing them in an (online) place where you can easily revoke access.</span><div><br></div><div>This still requires trusting the user though. If a user *ever* had access to the plaintext credentials (which includes having access to them in an encrypted form that the user was capable of decrypting), you cannot reasonably consider them to be secured against misuse by that person, regardless of how well those credentials are subsequently protected. If you no longer trust them with those credentials (and a departed employee shouldn't be trusted in that manner), then the credentials *must* be changed. Any other approach just gives a false sense of security, and ultimately doesn't achieve the desired goal.</div><div><br></div><div>If changing credentials is something that is really important to avoid for some reason, then an additional factor should be used to secure the system in question (e.g. password plus U2F token, TOTP code etc.) - then when the user departs, you can lock out their token / invalidate their TOTP seed etc. and it no longer matters so much that they retain the password, because they still can't log in without compromising another user's 2FA who still has access. 
For the avoidance of doubt, please note that I'm talking about securing target systems using 2FA, *not* about securing the password store.</div><div><br></div><div>Cheers,</div><div>Steve</div><div><br></div><div>2019, 14:05 Jake Yip, <<a href="mailto:jake.yip@ardc.edu.au" target="_blank">jake.yip@ardc.edu.au</a>> wrote:<div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div dir="ltr"><br></div><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Fri, Feb 22, 2019 at 9:37 AM higuita <<a href="mailto:higuita@gmx.net" target="_blank">higuita@gmx.net</a>> wrote:</div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<br>
Of course I'm not talking about a malicious user directly; those can dump <br>
everything as plain text. It's more about protecting "personal" backups and copies <br>
stored in other places that we may not trust in the long run.<br><br></blockquote><div> </div><div><div>This means NOT storing your encrypted keys on a local device, but storing them in an (online) place where you can easily revoke access. I have found keybase and their keybase filesystem to work for me (<a href="https://keybase.io/docs/kbfs" target="_blank">https://keybase.io/docs/kbfs</a>). </div></div><div> <br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
Maybe pass could generate a key that expires after x days and double encrypt<br>
everything using first the key with the expiration date and then the user key.<br>
A small daemon (or even a cron) could keep the expiration key valid by generating<br>
a new one and re-encrypting. Users that still have access can do a git pull and<br>
get the updated info. Users that fail to update will be unable to decrypt the<br>
content after the key was expired.<br>
<br>
Pass could remove the expired key automatically if expired, to avoid the faketime <br>
loophole of time travel back to when the key was still valid.<br></blockquote></div><div><div><br></div><div>It works similarly to your double encrypt idea. The encrypted pass files on KBFS are encrypted again with a device-specific key. The pass files are streamed to your machine and decrypted when needed. You can revoke a device and it will not be able to get the encrypted pass files anymore.</div></div><div><br></div><div>Regards,</div>-- <br><div dir="ltr" class="m_5815157656112610906m_1901617791109855090gmail_signature"><div dir="ltr">Jake Yip<br>DevOps Engineer<br><a href="mailto:jake.yip@ardc.edu.au" target="_blank">jake.yip@ardc.edu.au</a> <br><a href="http://www.ardc.edu.au" target="_blank">ardc.edu.au</a></div></div></div>
_______________________________________________<br>
Password-Store mailing list<br>
<a href="mailto:Password-Store@lists.zx2c4.com" target="_blank">Password-Store@lists.zx2c4.com</a><br>
<a href="https://lists.zx2c4.com/mailman/listinfo/password-store" rel="noreferrer" target="_blank">https://lists.zx2c4.com/mailman/listinfo/password-store</a><br>
</blockquote></div></div><span>-- </span><br><div dir="ltr" class="m_5815157656112610906gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><p dir="ltr">Cheers,</p>
<p dir="ltr"><b>Steve Gilberd</b><br>
<span style="color:rgb(102,102,102)">Erayd LTD </span><span style="color:rgb(102,102,102)"><b>·</b></span><span style="color:rgb(102,102,102)"> Consultant</span><br>
<span style="color:rgb(102,102,102)"><i>Phone: +64 4 974-4229 </i></span><span style="color:rgb(102,102,102)"><i><b>·</b></i></span><span style="color:rgb(102,102,102)"><i> Mob: +64 27 565-3237</i></span><br>
<span style="color:rgb(102,102,102)"><i>PO Box 10019, The Terrace, Wellington 6143, NZ</i></span></p>
</div></div><span>
</span>
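As an added illustration of the expiring-key scheme higuita sketches in the quoted message (this is not code from pass or from anyone in the thread): entries are stored double-encrypted, a cron-style rotate() re-encrypts everything under a fresh short-lived key, clients that pull get the new key while stale checkouts lose access once it expires, and the client discards an expired key locally as proposed. The HMAC-based stream cipher, the Server/Client classes and the time values are assumptions standing in for GPG, the repository and git; the scheme does nothing for anyone who already decrypted an entry or copied a key before it expired, which is the point Steve makes above.

```python
import hashlib, hmac, os

def _xor_stream(key, nonce, data):
    # Toy HMAC-SHA256 counter-mode stream cipher standing in for GPG (unauthenticated, demo only).
    ks = b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def seal(key, data):
    nonce = os.urandom(16)
    return nonce + _xor_stream(key, nonce, data)

def unseal(key, blob):
    return _xor_stream(key, blob[:16], blob[16:])

class Server:
    # Repository side (assumed model): entries stored as (key_id, Enc_user(Enc_expiring(plaintext))).
    def __init__(self, ttl):
        self.ttl, self.entries, self.current = ttl, {}, None  # current = (key_id, key, expires_at)

    def _encrypt(self, user_key, plain):
        kid, key, _ = self.current
        return (kid, seal(user_key, seal(key, plain)))

    def put(self, name, plain, user_key):
        self.entries[name] = self._encrypt(user_key, plain)

    def rotate(self, user_key, now):
        # The daemon/cron step: mint a fresh expiring key and re-encrypt every entry under it.
        old = self.current
        self.current = (os.urandom(4).hex(), os.urandom(32), now + self.ttl)
        for name, (_, blob) in list(self.entries.items()):
            self.entries[name] = self._encrypt(user_key, unseal(old[1], unseal(user_key, blob)))

class Client:
    # A user's checkout: a copy of the entries plus whichever expiring keys it has pulled so far.
    def __init__(self, user_key):
        self.user_key, self.entries, self.keys = user_key, {}, {}

    def pull(self, server):
        # Equivalent of `git pull`: pick up the re-encrypted entries and the current expiring key.
        self.entries = dict(server.entries)
        kid, key, expires_at = server.current
        self.keys[kid] = (key, expires_at)

    def read(self, name, now):
        # Returns the plaintext, or None once the matching expiring key is missing or past expiry.
        kid, blob = self.entries[name]
        key, expires_at = self.keys.get(kid, (None, 0))
        if now >= expires_at:
            self.keys.pop(kid, None)  # drop the expired key so a later clock rewind cannot reuse it
            return None
        return unseal(key, unseal(self.user_key, blob))
```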