thoughts about encrypting the paths / names in the tree

William Morris me at williammorris.com
Tue May 12 01:16:05 CEST 2020


Hello,

Based on some of our [work](https://github.com/HXR/pass-mount) to solve
a similar issue, I'd really look at handling this on the
plugin/applications side.

If you store the keys via random uuids
```
$ pass ekey
ekey
├── 296ebbf6-02b6-4c8b-8721-a8aaddc6d9b1
├── 981e900c-c031-433d-8e43-678cf5c99fc3
├── ef2b7e2b-df68-42a3-be58-48f5011fabad
└── lookup
```

Then you can just store the mapping table in another `pass` entry
```
$ pass ekey/lookup
www/example.com: 296ebbf6-02b6-4c8b-8721-a8aaddc6d9b1
www/router.local: 981e900c-c031-433d-8e43-678cf5c99fc3
www/office.internal: ef2b7e2b-df68-42a3-be58-48f5011fabad
```

Another option would be to use pass-tomb or pass-mount to mount another
password store, perhaps as an overlay.

Finally, while maybe it isn't what you need, we have been trying to
figure out how to build an extension to back up and synchronize
`~/.password-store` data across multiple machines without uploading the
keys to REDACTED.

The plan at the moment is to use `pass-mount` to mount a LUKS encrypted
USB drive. This provides a file-based git remote for the password store
to push to.
```
$ pass mount storage/2375db47-9f60-4c3b-a2bc-be0dc06a62ce
$ pass git remote get-url origin
/media/user/ENCRYPTED/.sync/password-store.git
$ pass git pull
$ pass git push
$ pass umount storage/2375db47-9f60-4c3b-a2bc-be0dc06a62ce
```

FWIW, `pass-mount` also supports `cryfs` if you want to upload an
encrypted version of `.password-store.git` to REDACTED.
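
The lookup scheme described in the message (random UUID entries plus an `ekey/lookup` table), as an added example that is not part of the original post or of pass-mount: a POSIX shell resolver that maps a name to its UUID entry. It assumes the `name: uuid` line format shown above; `resolve_uuid` and `is_uuid` are hypothetical helper names, and the check that the mapped value is a well-formed UUID is an addition here, not something the post specifies.

```sh
#!/bin/sh
# Added example: resolve a human-readable name to its UUID entry using the
# "name: uuid" lookup format shown in the message above.

# Table copied from the message; in real use: pass show ekey/lookup
SAMPLE_LOOKUP='www/example.com: 296ebbf6-02b6-4c8b-8721-a8aaddc6d9b1
www/router.local: 981e900c-c031-433d-8e43-678cf5c99fc3
www/office.internal: ef2b7e2b-df68-42a3-be58-48f5011fabad'

# is_uuid VALUE: succeed only for 8-4-4-4-12 lowercase hex, so a corrupted or
# tampered lookup value such as "../other/entry" never becomes an entry path.
is_uuid() {
    case "$1" in
        *[!0123456789abcdef-]*) return 1 ;;
        ????????-????-????-????-????????????) ;;
        *) return 1 ;;
    esac
    hex=$(printf '%s' "$1" | tr -d '\055')   # drop hyphens (octal 055)
    [ "${#hex}" -eq 32 ]
}

# resolve_uuid NAME: read the lookup table on stdin and print NAME's UUID.
# Returns 1 = name not listed, 2 = listed more than once, 3 = value not a UUID.
resolve_uuid() {
    matches=$(WANT="$1" awk '
        {
            # Split at the last colon; the name is compared exactly (no
            # prefix or regex matching).
            if (!match($0, /:[ \t]*[^ \t:]+[ \t]*$/)) next
            name = substr($0, 1, RSTART - 1)
            val = substr($0, RSTART + 1)
            gsub(/[ \t]/, "", val)
            if (name == ENVIRON["WANT"]) print val
        }')
    [ -n "$matches" ] || return 1
    case "$matches" in *"
"*) return 2 ;; esac
    is_uuid "$matches" || return 3
    printf '%s\n' "$matches"
}

# Demo on the sample table: prints the entry to hand to `pass show`.
printf 'ekey/%s\n' "$(printf '%s\n' "$SAMPLE_LOOKUP" | resolve_uuid www/example.com)"
```

With a real store the table would come from `pass show ekey/lookup | resolve_uuid www/example.com`, and the printed UUID is the entry name under `ekey/`.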



