[pass] [PATCH] Team pass: enable multiple keys and per directory

Brian Shore brian at networkredux.com
Wed Mar 19 17:36:56 CET 2014

On Wed, Mar 19, 2014 at 6:01 AM, Josh Cartwright <joshc at eso.teric.us> wrote:
> How do you deal with getting all the team's public keys to all the
> users?  Or is that outside the scope of this patch?
> Perhaps instead of maintaining a .gpg_id key list, a keyring with the
> teams' public keys should be used.

I find using a keyserver to be more convenient that having a dedicated
keyring that needs to be manually updated with exported keys, and then
all users having to export that keyring and import.  Using gpg's
recv-keys or refresh commands handle these tasks well.

You can run a private keyserver if you like, but public keyservers get
the job done and require no maintenance on your part.

New users could even fetch keys with something like this after pulling
from git (note: untested code):
find ~/.password-store/ -name .gpg_id -print0 |xargs -0 -n 1 gpg --recv-keys

I think it's important to note, however, than getting the keys
themselves is easier than validating them (especially if using a
keyserver).  When you have a bunch of people sharing a password store,
each user must trust every other user's key, and this is not something
that pass can address.  One option, of course, is for every user to
verify and sign every other key.  If you have more than a few users,
you might prefer to designate a couple (gpg-savvy) adminstrators who
validate all users' keys, and let all users validate and trust just
the admins' keys.

Brian Shore
Senior Systems Engineer, Security Architect
Network Redux, LLC
5200 SW Macadam Ave Ste 450
Portland, Oregon 97239
Desk:  503-274-9905 x503

More information about the Password-Store mailing list