Supplying GPG key password into Pass command

mailinglisten at posteo.de mailinglisten at posteo.de
Sat Feb 15 02:39:11 CET 2020


On 09.02.20 at 19:14, password-store at storiepvtride.it wrote:
> On 09.02.20 at 18:52, Louis ProtonMail wrote:
>> I might not be understanding things well, but how is one supposed to
>> access the plaintext saved passwords without having the keys used to
>> encrypt them and the password to those keys? Where do you keep your GPG
>> keys so that you can decrypt the pass entries?
> 
> I think this is exactly the issue here: you can't, unless you give up
> some security. If a malicious actor gets into the remote server, he has
> access to both private key and GPG encrypted files. He would be only one
> passphrase away from your passwords.
> 
> I keep my GPG private key in a smartcard. Without this smartcard
> attached to my device, I can't decrypt my passwords.
> (...)

For a long time I have wondered if I can run a full-blown class 3 card
reader with its own pinpad on an Android smartphone :-) It's soon time
to try :-)
Though, I'd never run a simple card reader without a pinpad on an Android
device; the fear that the PIN could get eavesdropped is too big. Smartphones
are inherently insecure.



