PGP, gpg-agent, and KDF criticisms?

TRS-80 trs-80 at
Tue Oct 27 19:48:17 CET 2020

Hello gang!

I just joined the mailing list.  I have been a long time KeePass user,
but have been looking into pass more recently.

I had an old Issue on KeepassXC GitHub[0] requesting some enhancement,
which the devs did not want to do.  Which is fine.  I had actually
forgotten all about it, until someone else had bumped it a little more.

I then mentioned in passing (yesterday) that I have been considering
pass[1], as it is essentially free-form text files with no limits on
what you can put in them, in case anyone else following the issue
wants to expand their options, as I have been thinking about doing.

Pretty quickly thereafter, both of the main devs replied[2] with some
criticisms of PGP, gpg-agent, and some other concept (KDF?) which I am
not actually even familiar with.  The following are their comments,
which I quote in full:

> droidmonkey
> Pass offers the barest minimal protections. I would never endorse
> the product because it is very easy to expose all of your secrets to
> any program by using gpg-agent to remember your credentials. There
> is also no concept of a KDF so brute forcing is an option, in fact
> their encryption method is undocumented or at least not readily
> apparent from their website.

> phoerious
> It's PGP, the worst possible way to encrypt stuff in 2020.

Now, I know enough about crypto to know that it is the sort of thing
best left in the hands of people that know more about it than me.
OTOH, I did not think their criticisms of PGP/GPG were really on the
mark (unless they are referring to implementation details, which I
understand are of course important to get right).  But there again, I
am but a low level wizard myself, so I thought it best perhaps to pose
this criticism to the mailing list, instead.
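The open question in the message above is what "a KDF" means for a
passphrase-protected PGP key.  The mechanism OpenPGP defines for turning a
passphrase into a key is the string-to-key (S2K) function of RFC 4880,
section 3.7.1.3, whose iterated-and-salted form hashes (salt || passphrase)
repeatedly until a configured number of octets has gone through the hash.
The block below is an added illustration written for this thread; it is
not code from pass, GnuPG or the list, and it exists only to make the
work-factor parameter visible.  The passphrase, salt and coded count values
are constructed for the demonstration; `single_hash` is a hypothetical
baseline (one unsalted-count hash) included for comparison, not anything
OpenPGP specifies.

```python
import hashlib
import os


def decode_s2k_count(coded: int) -> int:
    """Decode the one-octet S2K count (RFC 4880 section 3.7.1.3) into the
    number of octets that will be fed through the hash.  The encoding packs
    a 4-bit mantissa and a 4-bit exponent, so 0x60 -> 65536 and
    0xFF -> 65011712 (the maximum)."""
    if not 0 <= coded <= 0xFF:
        raise ValueError("coded count must fit in one octet")
    return (16 + (coded & 15)) << ((coded >> 4) + 6)


def s2k_iterated_salted(passphrase: bytes, salt: bytes, coded_count: int,
                        hash_name: str = "sha256") -> bytes:
    """Iterated and salted S2K: hash (salt || passphrase), repeating that
    block until the decoded count of octets has been processed.  If the
    decoded count is shorter than one block, the whole block is hashed once.
    The decoded count is therefore the work each passphrase check costs."""
    if len(salt) != 8:
        raise ValueError("OpenPGP S2K salt is exactly 8 octets")
    block = salt + passphrase
    count = max(decode_s2k_count(coded_count), len(block))
    h = hashlib.new(hash_name)
    full, rem = divmod(count, len(block))
    for _ in range(full):
        h.update(block)
    h.update(block[:rem])  # trailing partial block to reach exactly `count`
    return h.digest()


def single_hash(passphrase: bytes, salt: bytes) -> bytes:
    """Hypothetical baseline for comparison: one salted SHA-256 with no
    stretching at all.  This is what S2K degenerates to when the decoded
    count is no larger than one (salt || passphrase) block."""
    return hashlib.sha256(salt + passphrase).digest()


if __name__ == "__main__":
    # Constructed demo values; a real implementation draws the salt at random.
    passphrase = b"correct horse battery staple"
    salt = os.urandom(8)
    for coded in (0x00, 0x60, 0xFF):
        key = s2k_iterated_salted(passphrase, salt, coded)
        print(f"coded=0x{coded:02x} octets_hashed={decode_s2k_count(coded):>9d} "
              f"key={key.hex()[:16]}...")
```

Running it prints one line per coded count: the octet count decodes to the
amount of hashing each check performs, and the derived key changes with the
salt and with the count, so two keys protected with the same passphrase do
not share a derived key.  Whether a given count is large enough for a given
passphrase is exactly the question the thread is asking the list to weigh.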



More information about the Password-Store mailing list