Is a PGP-based password manager a good idea in 2019?
Brian Exelbierd
bex at pobox.com
Thu Aug 29 12:04:30 CEST 2019
On Thu, Aug 29, 2019, at 11:36 AM, Lenz Weber wrote:
> GPG doesn't get a lot love because it has a lot of backwards
> compatibility with algorithms that shouldn't be used any more and the
> APIs and CLI tools are a mess of UX.
>
>
>
> The second part is completely mitigated by using pass - you get a
> simple, clear CLI interface that is almost impossible to mis-use.
>
> The first part is partially on you: if you create a gpg key with very
> weak encryption, you've got a problem.
>
> But if you create a modern GPG key, you're perfectly fine. The
> cryptography of modern algorithms in GPG is not part of that debate as
> far as I know.
+1 to this entire answer. I only add that I haven't seen anyone propose a replacement tool for the pass use case yet. Everything I have seen in the current discussions focuses on messaging and email. There are some libraries for application secrets which could theoretically be adapted for this use and and at least one whole new program being written, but nothing ready for use.
regards,
bex
>
>
>
> On 8/29/19 11:24 AM, Sylvia Gough wrote:
> > First, I'd like to thank Jason for all the amazing crypto work he's been doing.
> >
> > Now to my question. I'm considering using pass as my password manager, and security is obviously a top concern for this roll. I know that pass is using GPG under the hood, and as far as I can see GPG doesn't get much love among cryptographers[1][2].
> >
> > What's your opinion about this?
> >
> > [1]: https://latacora.micro.blog/2019/07/16/the-pgp-problem.html
> > [2]: https://blog.filippo.io/giving-up-on-long-term-pgp/
> >
> > _______________________________________________
> Password-Store mailing list
> > Password-Store at lists.zx2c4.com
> > https://lists.zx2c4.com/mailman/listinfo/password-store
> _______________________________________________
> Password-Store mailing list
> Password-Store at lists.zx2c4.com
> https://lists.zx2c4.com/mailman/listinfo/password-store
>
More information about the Password-Store
mailing list