[pass] Convert from individual to group/team key

Brian Mattern rephorm at rephorm.com
Wed Dec 26 23:48:20 CET 2012


I've been wondering what the best practice was for multiple devices as
well. Having separate IDs and group-encrypting sounds like it would
work, but requires re-encrypting the entire store for every device
added.

An alternative could be to have a separate ID specifically for
your password store and copy this around.  As long as you are able to
securely copy the key, this seems to be as secure as the above method,
but slightly less inconvenient. For some devices (e.g., phones),
importing an existing key is much more convenient than creating a new
key on the device. Also, if you are going to be editing passwords on
multiple devices, this removes the need to keep public keys synced on
all devices. (Although, I guess one could always store the public keys
in the password-store repository itself.)

Any reason why the multiple-key method should be preferred over a
password-store-specific key?

Brian

On Tue, 25 Dec 2012, Jason A. Donenfeld wrote:

> Hi Daniel,
> 
> I don't usually like to copy my private key all over the place. Group
> keys are a good way of doing this.
> 
> The gpg commands for making that happen are kind of odd. I was
> confused too at first. But, take a look at ~/.gnupg/gpg.conf. There
> should be comments in there that let you make a group by specifying it
> in the file. If yours is without comments, here are mine:
> 
> # Group names may be defined like this:
> #   group mynames = paige 0x12345678 joe patti
> #
> # Any time "mynames" is a recipient (-r or --recipient), it will be
> # expanded to the names "paige", "joe", and "patti", and the key ID
> # "0x12345678".  Note there is only one level of expansion - you
> # cannot make an group that points to another group.  Note also that
> # if there are spaces in the recipient name, this will appear as two
> # recipients.  In these cases it is better to use the key ID.
> 
> #group mynames = paige 0x12345678 joe patti
> 
> 
> Hope this helps.
> 
> Jason

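As an added example (not code from this thread or from the password-store project), the following sketch reads `group` lines from gpg.conf text and reports what a group recipient expands to, flagging the two caveats in the quoted comments: groups do not nest, and names containing spaces are split into separate recipients. The sample configuration, names and key IDs are constructed; merging repeated `group` lines mirrors gpg's documented behaviour, and flagging every non-key-ID member is this example's own, stricter choice.

```python
import re

# Constructed sample gpg.conf text; group names, user names and key IDs are made up.
SAMPLE_CONF = """\
# Group names may be defined like this:
#group mynames = paige 0x12345678 joe patti
group devices = 0xAAAA1111 0xBBBB2222
group devices = 0xCCCC3333
group team = devices Mary Smith 0xDDDD4444
"""

GROUP_LINE = re.compile(r"^group\s+([^=\s]+)\s*=\s*(.*)$")
KEY_ID = re.compile(r"(0x)?[0-9A-Fa-f]{8,40}")


def parse_groups(conf_text):
    """Return {group: [members]}; repeated definitions of a name are merged."""
    groups = {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if line.startswith("#"):          # commented-out lines define nothing
            continue
        match = GROUP_LINE.match(line)
        if match:
            # Members are split on whitespace, so "Mary Smith" becomes two.
            groups.setdefault(match.group(1), []).extend(match.group(2).split())
    return groups


def expand_recipient(recipient, groups):
    """Expand one -r value a single level, as the gpg.conf comments describe."""
    return list(groups.get(recipient, [recipient]))


def audit(groups):
    """List members that will not resolve the way the author likely intended."""
    warnings = []
    for name, members in groups.items():
        for member in members:
            if member in groups:
                warnings.append(f"{name}: '{member}' is a group; groups do not nest")
            elif not KEY_ID.fullmatch(member):
                warnings.append(f"{name}: '{member}' is a name, prefer a key ID")
    return warnings


if __name__ == "__main__":
    parsed = parse_groups(SAMPLE_CONF)
    print(expand_recipient("team", parsed))
    print("\n".join(audit(parsed)))
```

Running a check like this before re-encrypting a store shows exactly which keys a group recipient will cover, so a mistyped or nested entry does not silently leave a device without access.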