using pass with multiple keys

Sean Murphy sean at
Sat Jan 20 17:05:35 CET 2018


I've been using pass for a couple of months now and I like it
a lot.

I'm creating a more sophisticated password management
setup and I'd appreciate some pointers/tips from more
experienced users.

I have just received a yubikey 4 and would like to move my
gpg key there. However, I'm not sure of the best way to do
this: my primary use case (for now) is as the means to control

My understanding is that good practice when working with
yubikeys is not to put the primary key there, but rather use
it to store subkeys which can be used for password decryption
(and keep the primary key away from any devices). However,
if I lose the yubikey and the subkeys residing on the yubikey,
then I lose access to all my passwords. Perhaps one solution
is to encrypt all passwords with multiple subkeys - one which is
on the yubikey and one which is kept in a safe place. Does this
make sense? Is it possible to auto-encrypt all passwords with
multiple gpg subkeys hanging off one primary key? Is it possible
to e.g. perform a batch job to ensure that all passwords on my
git server have the dual encryption (as I guess that some clients
such as mobile apps would not have support for working with
multiple keys).

Any thoughts/pointers greatly appreciated.
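
The batch check asked about above could be done as in this added example, which is not part of the original message and is not pass's own code. It reads the recipient key IDs gpg reports for each entry and flags files that are not encrypted to every required encryption subkey. The key IDs, sample listings and function names are constructed, and it assumes the `gpg: public key is ...` lines that `gpg -v --decrypt --list-only` prints.

```shell
#!/bin/sh
# Added example: audit which encryption (sub)keys each pass entry is
# encrypted to. All key IDs below are constructed placeholders.

# Read gpg's verbose listing on stdin and print the recipient key IDs,
# one per line, sorted and de-duplicated.
recipients_of() {
    LC_ALL=C sed -n 's/^gpg: public key is \([A-F0-9][A-F0-9]*\)$/\1/p' | sort -u
}

# Read a listing on stdin; print every required key ID (given as
# arguments) that is absent. Returns 0 if none are missing, else 1.
missing_recipients() {
    found=$(recipients_of)
    rc=0
    for want in "$@"; do
        if ! printf '%s\n' "$found" | grep -qx "$want"; then
            printf '%s\n' "$want"
            rc=1
        fi
    done
    return $rc
}

# Walk a password store directory and report entries that lack one of
# the required recipients. --list-only lists recipients without decrypting,
# so no secret key or token is needed for the audit.
audit_store() {
    store=$1; shift
    find "$store" -name '*.gpg' -type f | while IFS= read -r f; do
        miss=$(gpg -v --decrypt --list-only --keyid-format long "$f" 2>&1 \
               | missing_recipients "$@" | tr '\n' ' ')
        [ -z "$miss" ] || printf '%s: missing %s\n' "$f" "$miss"
    done
}

# Constructed sample listings: one entry encrypted to both subkeys,
# one encrypted only to the subkey held on the token.
SAMPLE_BOTH='gpg: public key is AAAAAAAAAAAA0001
gpg: public key is BBBBBBBBBBBB0002'
SAMPLE_ONE='gpg: public key is AAAAAAAAAAAA0001'

# Usage (paths and IDs are placeholders):
#   audit_store "$HOME/.password-store" AAAAAAAAAAAA0001 BBBBBBBBBBBB0002
```

The IDs gpg reports here are those of the encryption subkeys actually used, so the required list should name subkey IDs rather than the primary key ID.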


