Set up another PC to access pass's remote git repository

Harmen Stoppels harmenstoppels at
Mon Oct 16 12:37:09 CEST 2017

What would be the recommended way (if you don't have a yubikey) to safely
copy and store a private key on your android device?



2017-10-16 7:34 GMT+02:00 Thibault JAMET <thibault.jamet+pass at>:

> Hi,
> My personal setup is a bit different.
> I am using a yubikey to store my private gpg key and have published the
> public one.
> I am also using the gpg-agent as an ssh-daemon, so that it uses the
> yubikey's gpg key.
> Thus, none of my keys are written to disk nor has to be sync'd.
> My password store repo is sync'd with git on a repo hosted on a private
> server.
> To import the repo on a new computer I:
> - download my public key (gpg search <>)
> - edit the gpg config to use it as a ssh agent
> - synchronize gpg agent (gpg --card-status)
> - clone my password-store repository
> I personally do not wish to rely on the passphrase, not secure enough to
> me, as if your passphrase leaks, you still have the opportunity to change
> it and keep the same key if you always kept the private key private. In
> other cases, you will have to rotate your private key every time you have
> to rotate your passphrase.
> Best regards,
> Thibault
> On Mon, 16 Oct 2017 at 06:43, Radon Rosborough <radon.neon at> wrote:
>> The way I've set it up, all of my passwords are random except for
>> three: my GitHub password, my SSH passphrase, and my GPG passphrase.
>> So when I set up a new machine, I clone my SSH keys from GitHub using
>> HTTPS; then I can clone any of my other repositories using SSH,
>> including my GPG keyring and my Pass repository. Finally, I can use my
>> GPG keyring to unlock any of my other passwords.
>> Certainly there are security implications to having my SSH and GPG
>> keys, as well as all my passwords, in private GitHub repositories.
>> However, I set up my security model under the assumption that if my
>> master passphrases are compromised then any other protection is just
>> security-through-obscurity. The idea is that an attacker would need to
>> get (machine access + GPG passphrase) or (GitHub password + GPG
>> passphrase) in order to compromise everything. Then it's a matter of
>> religiously using a dedicated pinentry program to enter the master GPG
>> passphrase, to avoid most attack vectors.
>> _______________________________________________
>> Password-Store mailing list
>> Password-Store at

More information about the Password-Store mailing list
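
The new-machine procedure from the quoted smartcard setup above (fetch the public key, enable gpg-agent's SSH support, detect the card, clone the store), as an added shell example that is not part of any poster's message. The key ID and repository URL arguments are placeholders, a keyserver is assumed to be configured, and the on-disk check relies on field 15 of GnuPG's colon listing as documented in its doc/DETAILS.

```bash
#!/usr/bin/env bash
# Added example: bootstrap pass on a new machine when the private key lives on a smartcard.
# The key ID and git URL are caller-supplied placeholders, not values from the thread.
set -u
GNUPGHOME="${GNUPGHOME:-$HOME/.gnupg}"

# Idempotently enable gpg-agent's SSH emulation in <dir>/gpg-agent.conf.
enable_ssh_support() {
    local conf="$1/gpg-agent.conf"
    mkdir -p "$1" && chmod 700 "$1"
    touch "$conf" && chmod 600 "$conf"
    # Only an active (uncommented) directive counts as already set.
    grep -Eq '^[[:space:]]*enable-ssh-support([[:space:]]|$)' "$conf" \
        || printf 'enable-ssh-support\n' >> "$conf"
}

# Reads `gpg --list-secret-keys --with-colons` on stdin. Succeeds only if at
# least one sec/ssb record exists and none holds secret material on disk.
# Field 15: token serial number = card stub, '#' = stub without secret,
# '+' = secret key available locally. Empty is treated as on disk (conservative).
secrets_only_on_card() {
    awk -F: '
        $1 == "sec" || $1 == "ssb" {
            seen = 1
            if ($15 == "+" || $15 == "") bad = 1
        }
        END { exit !(seen && !bad) }'
}

bootstrap() {
    local key_id="$1" store_url="$2"
    gpg --recv-keys "$key_id" || return 1          # public key only
    enable_ssh_support "$GNUPGHOME"
    gpgconf --kill gpg-agent                       # agent rereads config on next start
    export SSH_AUTH_SOCK="$(gpgconf --list-dirs agent-ssh-socket)"
    gpg --card-status >/dev/null || return 1       # creates stubs pointing at the card
    gpg --list-secret-keys --with-colons | secrets_only_on_card \
        || { echo "secret key material found on disk, aborting" >&2; return 1; }
    git clone "$store_url" "${PASSWORD_STORE_DIR:-$HOME/.password-store}"
}

# Runs only when invoked as: ./bootstrap.sh --run KEY_ID GIT_URL
if [ "${1:-}" = "--run" ] && [ "$#" -eq 3 ]; then
    bootstrap "$2" "$3"
fi
```
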