thoughts about encrypting the paths / names in the tree

William Morris me at
Tue May 12 01:16:05 CEST 2020


Based on some of our work to solve
a similar issue, I'd really look at handling this on the
plugin/applications side.

If you store the keys via random uuids:
$ pass ekey
├── 296ebbf6-02b6-4c8b-8721-a8aaddc6d9b1
├── 981e900c-c031-433d-8e43-678cf5c99fc3
├── ef2b7e2b-df68-42a3-be58-48f5011fabad
└── lookup

Then you can just store the mapping table in another `pass` entry:
$ pass ekey/lookup
www/ 296ebbf6-02b6-4c8b-8721-a8aaddc6d9b1
www/router.local: 981e900c-c031-433d-8e43-678cf5c99fc3
www/office.internal: ef2b7e2b-df68-42a3-be58-48f5011fabad

Another option would be to use pass-tomb or pass-mount to mount another
password store, perhaps as an overlay.

Finally, while maybe it isn't what you need, we have been trying to
figure out how to build an extension to back up and synchronize
`~/.password-store` data across multiple machines without uploading the
keys to REDACTED.

The plan at the moment is to use `pass-mount` to mount a LUKS encrypted
USB drive. This provides a file-based git remote for the password store
to push to.
$ pass mount storage/2375db47-9f60-4c3b-a2bc-be0dc06a62ce
$ pass git remote get-url origin
$ pass git pull
$ pass git push
$ pass umount storage/2375db47-9f60-4c3b-a2bc-be0dc06a62ce

FWIW, `pass-mount` also supports `cryfs` if you want to upload an
encrypted version of `.password-store.git` to REDACTED.
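
The UUID-plus-lookup layout described in the message above, as an added shell example that is not part of the original mail or of any `pass` extension. The function names, the `EKEY_PREFIX` variable and the `name: uuid` line format are assumptions; only `pass show` and `pass insert -m -f` are real `pass` commands.

```shell
#!/bin/sh
# Added example (not from the original mail): name -> UUID indirection over `pass`.
# Assumes lookup lines of the form "name: uuid" stored in $EKEY_PREFIX/lookup.
EKEY_PREFIX="${EKEY_PREFIX:-ekey}"
UUID_RE='^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$'

# Decrypt and print the mapping table.
ekey_table() { pass show "$EKEY_PREFIX/lookup"; }

# ekey_resolve NAME: print the UUID mapped to NAME (exact match), or return 1.
ekey_resolve() {
    ekey_uuid=$(ekey_table | want="$1" awk '
        { i = index($0, ": ")
          if (i && substr($0, 1, i - 1) == ENVIRON["want"]) { print substr($0, i + 2); exit } }')
    # Reject anything that is not a plain UUID, so a corrupted or tampered
    # table cannot steer `pass` to another path (for example "../other").
    printf '%s\n' "$ekey_uuid" | grep -Eq "$UUID_RE" || return 1
    printf '%s\n' "$ekey_uuid"
}

# ekey_show NAME: decrypt the entry that NAME maps to.
ekey_show() {
    ekey_id=$(ekey_resolve "$1") || { echo "ekey: no entry for $1" >&2; return 1; }
    pass show "$EKEY_PREFIX/$ekey_id"
}

# ekey_add NAME: allocate a fresh UUID, record it in the table, print the UUID.
ekey_add() {
    ekey_nl='
'
    # Empty names, the ": " separator and newlines would corrupt the table.
    case $1 in ''|*': '*|*"$ekey_nl"*) echo "ekey: invalid name" >&2; return 1 ;; esac
    if ekey_resolve "$1" >/dev/null; then echo "ekey: $1 already mapped" >&2; return 1; fi
    # Read the old table first: if decryption fails it must not be overwritten.
    ekey_old=$(ekey_table) || return 1
    ekey_new=$(uuidgen 2>/dev/null || cat /proc/sys/kernel/random/uuid) || return 1
    ekey_new=$(printf '%s' "$ekey_new" | tr 'A-F' 'a-f')
    printf '%s\n%s: %s\n' "$ekey_old" "$1" "$ekey_new" |
        pass insert -m -f "$EKEY_PREFIX/lookup" >/dev/null || return 1
    printf '%s\n' "$ekey_new"
}
```

After `ekey_add` prints the new UUID, the secret itself still has to be stored under `ekey/<uuid>` with the usual `pass insert` or `pass generate`.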
