Is a PGP-based password manager a good idea in 2019?

Brian Exelbierd bex at pobox.com
Sun Sep 1 11:13:09 CEST 2019



On Fri, Aug 30, 2019, at 6:46 PM, Allan Odgaard wrote:
>  
> On 30 Aug 2019, at 15:18, Henrik Christian Grove wrote:
> 
> > [...] one might consider the passwords application
> >  data and implement a password manager using libsodium (as recommended by
> >  that article, but I think I've heard that recommended before) for them.
> >  The result would probably end up quite far from the Unix philosophy,
> 
> Indeed, `pass` would have to invent its own key management 
> infrastructure, its own authentication agent protocol, and it would 
> lose compatibility with OpenPGP cards [1] and the existing 
> authentication agents which exist (e.g. on macOS I get a graphical 
> dialog when `pass` needs to access my PGP private key).
> 
> [1] https://en.wikipedia.org/wiki/OpenPGP_card

I think this may be a matter of use case.  The "dump PGP" articles seem to be both specific that you can and should use different programs/techniques for different uses and that they have more narrow use case definitions than PGP.  In many ways PGP is a multi-function knife.  It has mediocre everything, but if you sharpen and focus you can make the two or three tools on it you use work super well.  Otherwise it is just meh.

In my case, I don't currently use an OpenPGP card/Yubikey like object.  Losing that functionality wouldn't hurt me.  Having pass generate a key I would need to manage is just like PGP keys needing to be managed.  In theory an alternate program, using libsodium or whatever, that stored the shareable config (nonce, etc.) in the password repo and that used the same pinentry as GPG would go unnoticed by me.  That doesn't mean it would go unnoticed by everyone else though.

> > But once an alternative for single file encryption becomes available,
> >  I'm sure people will start thinking of porting pass to use that.
> 
> Yes, once `age` is at feature parity with PGP for single-file 
> encryption, it should be trivial to make `pass` use `age` instead of 
> PGP and re-encrypt passwords.
> 
> In that sense, I am happy that `pass` is not using some proprietary 
> storage format (based on libsodium) for my passwords.

How is libsodium, or any other format, proprietary when compared to GPG?  It seems they just have different formats which mean different programs can read them.  It seems that just as a GPG encrypted file can be read on any machine with GPG installed, a libsodium encrypted file has the same properties.

> As for `age` though, I cannot find anything beyond the Google document 
> and this blog post [1], no source code seems available, so I don’t know 
> how far along the project is.

I do wish we could see more than a design spec here.

regards,

bex

> 
> https://blog.filippo.io/using-ed25519-keys-for-encryption/

