question on security

Kenny Evitt kenny.evitt at gmail.com
Sun Jan 28 19:59:08 CET 2018


Exposing your password files shouldn't be any worse than, e.g. exposing the
same number of encrypted emails.

I do agree that it would be nice to not expose the Pass repo file names.
There are several ways to do this.

There's a Pass extension that will 'entomb' your entire repo, i.e. encrypt
the entire repo directory tree, though that isn't supported by the Pass for
iOS app.

Another solution – one I use – is to use a Git remote helper that encrypts
the entire remote repo (including commit history and the Git internal
objects). I opened an issue for the Pass for iOS app to add support for
that remote helper <https://github.com/mssun/passforios/issues/143> (though
it's currently unlikely to be added anytime soon).

Currently, I just rely on the security of the private repo host I'm using
to prevent exposing directory and file names. That's probably fine.

On Sun, Jan 28, 2018 at 5:06 AM, Ben Oliver <ben at bfoliver.com> wrote:

> On 18-01-28 10:25:31, Greg Minshall wrote:
>
>> hi.  thanks very much to the responsible parties for password-store,
>> which i'm happily using on lubuntu.
>>
>> i'm attracted to somehow synchronizing with my iphone.  the solution
>> (that i've seen) uses git for synchronizing.
>>
>> this tickles something that's worried me a bit since i started looking
>> at pass, which is, i *worry* that the security of exposing lots of tiny,
>> "known-format" (more or less) files, all encrypted with the same key,
>> may be less secure than exposing one large, known-format, file,
>> encrypted with that same key.
>>
>> (this is my intuition speaking to me and, of course, *my* intuition,
>> especially w.r.t. security, is infallible... :)
>>
>> does anyone have any opinions/numbers/facts?
>>
>> cheers, Greg
>>
>
> This is one of the main 'weaknesses' with pass - it exposes all of the
> file names and therefore (for most people I presume) website names.  There
> are ways around this but I'm not sure they work on iPhone.
>
> It's a risk I'm willing to take if the tradeoff is the excellent usability
> and simple, transparent mechanism pass uses to encrypt and send files.
>
> One thing I like about using gpg as a solution is that you can encrypt
> with multiple keys. This means you don't need to use the same key on your
> phone as on your PC.
>
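An added example, not code from this thread or from the pass project: a small Python script that builds a constructed store mimicking pass's on-disk layout (`.gpg-id` files and `*.gpg` entries under a store root) and lists what a repository host can read from the tree alone, without any private key. The entry names and recipient ids are placeholders.

```python
# Inventory the plaintext metadata a pass store exposes to anyone who can
# read the repository files. The store below is constructed in a temporary
# directory purely for the demonstration; nothing here is a real OpenPGP file.
import tempfile
from pathlib import Path


def build_sample_store(root: Path) -> None:
    """Create a constructed store that follows pass conventions."""
    root.mkdir(parents=True, exist_ok=True)
    # Store-wide recipient list, plus a subdirectory encrypted to an extra key
    # (the "encrypt with multiple keys" point raised in the thread).
    (root / ".gpg-id").write_text("alice@example.invalid\n")
    (root / "work").mkdir(exist_ok=True)
    (root / "work" / ".gpg-id").write_text(
        "alice@example.invalid\nphone-key@example.invalid\n"
    )
    for rel in ["email/example-mail.gpg", "work/vpn.gpg",
                "work/wiki.gpg", "bank/example-bank.gpg"]:
        entry = root / rel
        entry.parent.mkdir(parents=True, exist_ok=True)
        entry.write_bytes(b"\x85\x02\x0c")  # placeholder bytes, not real ciphertext


def exposed_metadata(root: Path) -> dict:
    """Return what is readable without a key: entry names, layout, recipients."""
    # Entry names (the .gpg suffix stripped) are the site/account names.
    entries = sorted(str(p.relative_to(root))[:-4] for p in root.rglob("*.gpg"))
    # .gpg-id files are plaintext and name the recipient keys per scope.
    recipients = {}
    for idfile in root.rglob(".gpg-id"):
        scope = str(idfile.parent.relative_to(root))
        recipients[scope] = idfile.read_text().split()
    return {"entries": entries, "recipients": recipients, "count": len(entries)}


def demo() -> dict:
    """Build the constructed store in a temp dir and report its metadata."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / ".password-store"
        build_sample_store(root)
        return exposed_metadata(root)


if __name__ == "__main__":
    print(demo())
```

The entry list is what a host sees whether or not the `.gpg` contents are ever decrypted, which is the leakage the "entomb" extension and an encrypting Git remote helper are meant to close.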