user gone and expiring access

Jonathan Proulx jon at csail.mit.edu
Fri Feb 22 16:37:37 CET 2019


On Fri, Feb 22, 2019 at 03:27:33PM +0000, Kevin Lyda wrote:
:On Fri, Feb 22, 2019 at 2:40 PM Jonathan Proulx <jon at csail.mit.edu> wrote:
:> 2) For malicious actors you just need to change all secrets they
:>    ever had access to because they could have recorded plain text.
:
:And to add to that, this is why limiting access is a good idea. I use
:several password stores to limit access to people who need them.
:Enough that I sometimes think about making a "git pass" subcommand but
:then I feel like I'm alternating turtles all the way down.
:
:Kevin

^^ Yes!

BTW I believe you can use .gpg-id per subdirectory to keep all secrets
in one repo, but still segregate access.  We have a pretty small team
so all or nothing works OK for us, so no direct experience with that,
but the man page says:

~/.password-store/.gpg-id

  Contains the default gpg key identification used for encryption and
  decryption.  Multiple gpg keys may be specified in this file, one
  per line. If this file exists in any sub directories, passwords
  inside those sub directories are encrypted using those keys. This
  should be set using the init command.

-Jon
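The per-subdirectory .gpg-id lookup quoted above, as an added example that is not part of this thread or of the pass project: it resolves which keys a given secret would be encrypted to (nearest .gpg-id walking up to the store root) and lists every secret a departed key holder could have decrypted, which is the rotation list from point 2. The store layout and key ids are constructed; ignoring `#` comments in .gpg-id is an assumption about pass's behaviour.

```python
import tempfile
from pathlib import Path

def constructed_store() -> Path:
    """Throwaway store with constructed sample data, not a real password store.
    The root .gpg-id lists two keys; ops/.gpg-id overrides it with one key.
    Empty files stand in for the real *.gpg ciphertexts."""
    root = Path(tempfile.mkdtemp(prefix="pass-demo-"))
    (root / ".gpg-id").write_text("ALICE_KEY\nBOB_KEY   # departed 2019-02\n")
    (root / "ops").mkdir()
    (root / "ops" / ".gpg-id").write_text("ALICE_KEY\n")
    for rel in ("wifi.gpg", "ops/db.gpg", "ops/deep/root-pw.gpg", "shared/vpn.gpg"):
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).touch()
    return root

def read_gpg_ids(path: Path) -> list:
    """One key id per line; blank lines and '#' comments are ignored
    (comment stripping is an assumption about current pass behaviour)."""
    ids = []
    for line in path.read_text().splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            ids.append(line)
    return ids

def effective_gpg_ids(store: Path, secret: str) -> list:
    """Keys pass would encrypt `secret` (e.g. 'ops/db') to: the nearest .gpg-id
    found walking up from the secret's directory to the store root."""
    current = (store / secret).parent
    while True:
        candidate = current / ".gpg-id"
        if candidate.is_file():
            return read_gpg_ids(candidate)
        if current == store:
            raise FileNotFoundError("no .gpg-id between %s and the store root" % secret)
        current = current.parent

def secrets_readable_by(store: Path, key_id: str) -> list:
    """Every secret a holder of `key_id` could decrypt: the set to rotate when
    that person leaves. Secrets are the *.gpg files, named without the suffix."""
    exposed = []
    for p in store.rglob("*.gpg"):
        rel = p.relative_to(store).with_suffix("").as_posix()
        if key_id in effective_gpg_ids(store, rel):
            exposed.append(rel)
    return sorted(exposed)

if __name__ == "__main__":
    print("rotate after BOB leaves:", secrets_readable_by(constructed_store(), "BOB_KEY"))
```

Run against a real store by pointing `store` at ~/.password-store; the secrets under ops/ drop out of BOB's list because ops/.gpg-id no longer names his key.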

