Is a PGP-based password manager a good idea in 2019?

shawn wilson at
Sat Aug 31 00:32:56 CEST 2019

On Thu, Aug 29, 2019, 05:25 Sylvia Gough <q0h8xdveje at> wrote:

> First, I'd like to thank Jason for all the amazing crypto work he's been
> doing.
> Now to my question. I'm considering using pass as my password manager, and
> security is obviously a top concern for this roll. I know that pass is
> using GPG under the hood, and as far as I can see GPG doesn't get much love
> among cryptographers[1][2].

I'm going to assume "role" refers to a part you have in a larger
organization. If this is the case, I've found pgp a pain to try to
implement in a corporate environment (mainly due to lack of tracking, and
no ocsp or similar revocation mechanism). If this is the case, you may be
interested in making your hardware tokens pkcs8 (iirc - pkcs version of pgp
cars anyway) and using keycloak (redhat?) -> vault (hashicorp). The later
should be adding pgp support too (which I want for fim and rpm signing)
which you /should/ be able to get to directly work with pass.

That said, I haven't gotten this all setup at home and am still happy with
pass for personal use.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the Password-Store mailing list