encrypted file and directory names?

Kevin Lyda kevin at ie.suberic.net
Mon Feb 6 10:09:48 CET 2017


Encrypted path and filenames would be an extreme complication for zero
gain. Pass is a simple wrapper around git and gpg and works very well
because of that.

If someone is on your system and can look in your $HOME then they can find
the sites you visit from you shell history files, browser history and cache
files, SSH config files, mysql history files and so forth.

The files are encrypted because even with that information (which you
should assume they know) they still can't get the secrets.

Overcomplicating security tools makes them harder to use, which makes them
less used, which reduces security overall. So please don't do that.

Kevin

On Sat, 4 Feb 2017, 17:51 Adam Spiers, <pass at adamspiers.org> wrote:

> Hi all,
>
> I was delighted to discover this project recently.  It seems to be
> almost exactly the perfect solution needed to avoid the unpleasant
> situation of being reliant on a proprietary password manager.
>
> There is one feature which I consider pretty essential, and as far as
> I can see, it's not supported by pass yet, which is to keep the entire
> metadata encrypted, including the directory names and file names.
> Without this it doesn't seem to provide 100% privacy protection, since
> for example it potentially exposes which websites you use.  Is that
> right, or am I missing something?
>
> If I'm right, would this be an easy thing to solve architecturally?
> For example, the directory names and file names could be converted
> into some kind of digest (e.g. SHA-256), and then a mapping between
> digests and the original names could be tracked in a separate
> encrypted file at the top level of the store.
>
> Thanks!
> Adam
> _______________________________________________
> Password-Store mailing list
> Password-Store at lists.zx2c4.com
> https://lists.zx2c4.com/mailman/listinfo/password-store
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.zx2c4.com/pipermail/password-store/attachments/20170206/06d33003/attachment.html>


More information about the Password-Store mailing list