Set up another PC to access pass's remote git repository

Alexandre Pujol alexandre at
Mon Oct 16 14:06:00 CEST 2017

You should not need to copy a GPG secret key on Android. Simply generate
a second secret key on your android device (using openkeychain). You
protect this key with a master password. Then you send the public key to
you main computer and you re-encrypt your password store for the two
keys: 'pass init key1 key2'.

Therefore at no time one of your secret key leave its dedicated device.

On 16/10/17 11:37, Harmen Stoppels wrote:
> What would be the recommended way (if you don't have a yubikey) to
> safely copy and store a private key on your android device?
> Best,
> Harmen
> 2017-10-16 7:34 GMT+02:00 Thibault JAMET <thibault.jamet+pass at
> <mailto:thibault.jamet+pass at>>:
>     Hi,
>     Mi personal setup is a bit different.
>     I am using a yubikey to store my private gpg key and have published
>     the public one.
>     I am also using the gpg-agent as an ssh-daemon, so that it uses the
>     yubikey's gpg key.
>     Thus, none of my keys are written to disk nor has to be sync'd.
>     My password store repo is sync'd with git on a repo hosted on a
>     private server.
>     To import the repo on a new computer I:
>     - download my public key ( gpg search <>)
>     - edit the gpg config to use it as a ssh agent
>     - synchronize gpg agent  (gpg --card-status)
>     - clone my password-store repository
>     I personally do not wish to rely on the passphrase, not secure
>     enough to me, as if your passphrase leaks, you still have the
>     opportunity to change it and keep the same key if you always kept
>     the private key private. In other cases, you will have to rotate
>     your private key every time you have to rotate your passphrase.
>     Best regards,
>     Thibault
>     Le lun. 16 oct. 2017 à 06:43, Radon Rosborough <radon.neon at
>     <mailto:radon.neon at>> a écrit :
>         The way I've set it up, all of my passwords are random except for
>         three: my GitHub password, my SSH passphrase, and my GPG passphrase.
>         So when I set up a new machine, I clone my SSH keys from GitHub
>         using
>         HTTPS; then I can clone any of my other repositories using SSH,
>         including my GPG keyring and my Pass repository. Finally, I can
>         use my
>         GPG keyring to unlock any of my other passwords.
>         Certainly there are security implications to having my SSH and GPG
>         keys, as well as all my passwords, in private GitHub repositories.
>         However, I set up my security model under the assumption that if my
>         master passphrases are compromised then any other protection is just
>         security-through-obscurity. The idea is that an attacker would
>         need to
>         get (machine access + GPG passphrase) or (GitHub password + GPG
>         passphrase) in order to compromise everything. Then it's a matter of
>         religiously using a dedicated pinentry program to enter the
>         master GPG
>         passphrase, to avoid most attack vectors.
>         _______________________________________________
>         Password-Store mailing list
>         Password-Store at
>         <mailto:Password-Store at>
>         <>
>     _______________________________________________
>     Password-Store mailing list
>     Password-Store at <mailto:Password-Store at>
>     <>
> _______________________________________________
> Password-Store mailing list
> Password-Store at

More information about the Password-Store mailing list