[pass] Using pass for Teams

Johannes Rudolph jojo.rudolph at googlemail.com
Mon Sep 5 12:24:47 CEST 2016


Wow, that seems really, really useful!

I think we will opt for a flat-directory structure for now (e.g. encoding
key/usernames like service-user and adding more metadata via the multiline
trick as @btober suggested).

I still would like to pose the question of sub-dir handling to the
maintainers, e.g. I find it reasonable to assume that subdirs "inherit" the
gpg id file from their parent dir if none is found (recursively).  Is that
something you'd consider changing? I'd look into a PR, but my bash-skillz
are seriously lacking.

On Mon, Sep 5, 2016 at 12:02 PM, Héctor Rivas Gándara <keymon at gmail.com>
wrote:

> Hi,
>
> I use this project template for using pass with teams.
> https://github.com/keymon/password-store-for-teams
>
> It has a script to allow having different aliases for different teams (eg
> team1-pass in ~/.team1-pass)
>
> We each have one gpg key, but you need to reencrypt on changes.
> Otherwise you can use a master key or so, shared with all members. But you
> are right about reencrypt subdirs. Maybe you can do a script to run pass
> init on each occurrence of .gpg-id
>
> About separated mail/pw, I tend to have 2x different files. In general,
> each value is a file, because it's easier to script.
>
> On 4 Sep 2016 21:57, "Johannes Rudolph" <jojo.rudolph at googlemail.com>
> wrote:
>
>> I'm evaluating to use pass for our team with git. I'm not sure I
>> understand some of the best-practices for using the tool so I wanted to ask
>> for clarification:
>>
>> (1) adding pgp-id's
>> when I add pgp-id's via pass init OLD NEW, pass does not reencrypt
>> password files in subdirs (e.g. a/test) - even if those subdirs don't have
>> their own .gpg-id file. I thought pass would automatically assume that the
>> parent .gpg-id applies in this case? Am I doing this wrong?
>>
>> Same for remove. It works with passwords in the root directory
>>
>> (2) recording pw-metadata
>> We sometimes have metadata for a password, e.g. username + email (the two
>> being separate). If I only create the password file with username, where
>> can I record the associated email address?
>>
>> (3) OS X autocompletion
>> I installed via brew on OS X. install instructions on website are wrong
>> (for me):
>> $ echo "source /usr/local/etc/bash_completion.d/password-store" >> ~/.bashrc
>> should be
>> $ echo "source /usr/local/etc/bash_completion.d/password-store" >> ~/.bash_profile
>>
>> Hope this input is valuable for you as well, looking forward to some
>> insight on 1 and 2. Thanks!
>>
>> Regards,
>> Johannes
>>
>> _______________________________________________
>> Password-Store mailing list
>> Password-Store at lists.zx2c4.com
>> http://lists.zx2c4.com/mailman/listinfo/password-store
>>
>>
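An added example of the script Héctor suggests, written here for the thread and not taken from it or from pass itself: it gives every entry the "inherited" behaviour Johannes asks about by resolving, for each *.gpg file, the nearest enclosing .gpg-id (walking up to the store root) and re-encrypting the file to those recipients. It assumes gpg on PATH, one recipient per .gpg-id line, and the default store path; the helper names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the thread or from pass itself. It re-encrypts
# every *.gpg file under a store to the recipients listed in the nearest
# enclosing .gpg-id, so a subdir without its own .gpg-id inherits its
# parent's. The store path and helper names are assumptions.
set -eu

# Print the .gpg-id governing REL (file or dir relative to STORE; "" is the
# store root), walking upward; fail if none exists up to the store root.
nearest_gpg_id() {
    store=${1%/}
    dir="$store${2:+/$2}"
    [ -d "$dir" ] || dir=$(dirname "$dir")
    while :; do
        if [ -f "$dir/.gpg-id" ]; then
            printf '%s\n' "$dir/.gpg-id"
            return 0
        fi
        case $dir in "$store"|/) return 1 ;; esac
        dir=$(dirname "$dir")
    done
}

# Re-encrypt one file in place to the recipients of its governing .gpg-id.
reencrypt_file() {
    store=${1%/}; rel=$2
    idfile=$(nearest_gpg_id "$store" "$rel") || {
        echo "no .gpg-id governs $rel" >&2; return 1; }
    set --                      # collect "-r ID" pairs from the .gpg-id lines
    while IFS= read -r id || [ -n "$id" ]; do
        [ -n "$id" ] && set -- "$@" -r "$id"
    done < "$idfile"
    gpg --quiet --decrypt "$store/$rel" |
        gpg --quiet --batch --yes --encrypt "$@" -o "$store/$rel.tmp"
    mv -f "$store/$rel.tmp" "$store/$rel"
}

# Re-encrypt every *.gpg file under STORE (default ~/.password-store), or only
# under its subdirectory SUB. Relies on entry names containing no newlines.
reencrypt_all() {
    store=${1:-$HOME/.password-store}; store=${store%/}; sub=${2:-}
    find "$store${sub:+/$sub}" -type f -name '*.gpg' | while IFS= read -r f; do
        reencrypt_file "$store" "${f#"$store"/}"
    done
}
```

Run `reencrypt_all` after changing a `.gpg-id` (or `reencrypt_all ~/.password-store a` for one subtree), then commit the rewritten files as usual.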