[pass] Multi-user pass / group pass

Jason A. Donenfeld Jason at zx2c4.com
Fri Sep 21 02:42:53 CEST 2012


Hey Luke & Roman,

I saw your twitter conversation about pass -- namely that it doesn't
support multiple users. Interestingly enough, just yesterday someone
emailed the pass mailing list about this (both copied), and I replied
that although it doesn't support it, it'd be trivial to add. Then,
thirty seconds later, I realized that due to a super nice GPG feature,
pass does in fact already support this. Check it out:

Fundamentally, pass comes down to this gpg command:

gpg -r "Some user provided id" -e -o "output file name"

gpg can support multiple recipients by adding more -r commands -- this
is the trivial change I was talking about. But it can also do
something much better and more robust. GPG has a notion of "groups",
where you can assign one recipient ID to multiple recipients. So, this
command:

gpg -r "team" -e -o "output file name"

winds up expanding to all of the individuals on the team, encrypting
each password efficiently and securely with each of their public keys,
allowing any one of their private keys to decipher it.


But never mind all these technical details. How does it work in
practice? Super simple:

You set up a GPG group using "gpg --group". This simply adds a line to
~/.gnupg/gpg.conf that looks like "group team = paige 0x12345678 joe
patti".

Then, you init pass using "team" instead of your key:

pass init team

Simple as that. From now on, passwords will be encrypted using multiple keys.


Hope this helps. Let me know if you have any questions, and please
don't hesitate to join the pass mailing list:
http://lists.zx2c4.com/listinfo.cgi/password-store-zx2c4.com

Jason
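To see concretely what the group trick above does, here is an added example (not part of Jason's mail or of the pass project): a small POSIX shell script that expands a `group name = member ...` line from gpg.conf the way gpg does for `-r <group>`, and prints the gpg command a password file would be encrypted with, so you can check exactly whose keys can decrypt the store. The config text, key ids (0x12345678, 0xDEADBEEF, 0xCAFEF00D) and file name are constructed for the example; nothing is encrypted.

```shell
#!/bin/sh
# Constructed gpg.conf content for the example (not a real config).
SAMPLE_GPG_CONF='# example gpg.conf
keyserver hkps://keys.openpgp.org
group team = paige 0x12345678 joe patti
group ops=0xDEADBEEF paige
'

# expand_group CONF_TEXT NAME
# Prints each member of group NAME, one per line; prints nothing if
# NAME is not defined as a group (i.e. it is an ordinary key id).
expand_group() {
    printf '%s\n' "$1" | awk -v name="$2" '
        $1 == "group" {
            sub(/^[ \t]*group[ \t]+/, "")      # drop the keyword
            eq = index($0, "=")
            if (eq == 0) next                   # malformed line, skip
            gname = substr($0, 1, eq - 1)
            gsub(/[ \t]/, "", gname)            # "team " -> "team"
            if (gname != name) next
            n = split(substr($0, eq + 1), m, /[ \t]+/)
            for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
        }'
}

# recipient_args CONF_TEXT NAME
# Prints the -r options gpg effectively uses: one per group member, or
# a single "-r NAME" when NAME is not a group. Output is space-joined.
recipient_args() {
    members=$(expand_group "$1" "$2")
    [ -n "$members" ] || members=$2
    out=
    for m in $members; do out="$out -r $m"; done
    printf '%s\n' "${out# }"
}

# gpg_command CONF_TEXT NAME OUTFILE
# Shows the command that "pass init NAME" leads to for one password file.
gpg_command() {
    printf 'gpg %s -e -o %s\n' "$(recipient_args "$1" "$2")" "$3"
}

# With a group id every member's public key becomes a recipient;
# with a plain key id only that key does.
gpg_command "$SAMPLE_GPG_CONF" team "Email/example.gpg"
gpg_command "$SAMPLE_GPG_CONF" 0xCAFEF00D "Email/example.gpg"
```

The script only mimics the documented group line syntax; gpg itself does the authoritative parsing, so treat this as a quick audit aid for "who can decrypt", not a replacement for checking the real keyring.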


