Supplying GPG key password into Pass command

password-store at password-store at
Sun Feb 9 19:14:30 CET 2020

Am 09.02.20 um 18:52 schrieb Louis ProtonMail:
> I might not be understanding things well, but how is one supposed to
> access the plaintext saved passwords without having the keys used to
> encrypt them and the password to those keys? Where do you keep your GPG
> keys so that you can decrypt the pass entries?

I think this is exactly the issue here: you can't, unless you give up
some security. If a malicious actor gets into the remote server, he has
access to both private key and GPG encrypted files. He would be only one
passphrase away from your passwords.

I keep my GPG private key into a smartcard. Without this smartcard
attached to my device, I can't decrypt my passwords.

> Essentially this is correct, mainly as an educational exercise on
> understanding encryption and security principles better.

Ok, understood, thanks for confirming :-)
If I were to implement a remote service like that, I would download the
single encrypted password file I need and only *locally* decrypt it.
Which equals more or less to using pass offline or with syncthing.

I believe the intended use-case for pass is to store encrypted passwords
offline. Any other solution to use it "over the wire" would extend the
attack surface (imo).

More information about the Password-Store mailing list