explicit GPG subkey for a subdir causes the whole subdir to be reencrypted when password is moved there

Maciej S. Szmigiero mail at maciej.szmigiero.name
Sat Mar 20 11:52:08 UTC 2021 

Hi,

When an explicit GPG subkey is set for a particular subdirectory pass will
reencrypt every password in that subdirectory each time a password file is
moved to that subdirectory.

Example:
$ gpg -K --with-subkey-fingerprint
--------------------
sec   rsa3072 2021-03-20 [SC] [expires: 2023-03-20]
       516D78BC5D57C26F9CE377F5B95E1094B5C79F48
uid           [ultimate] Testkey
ssb   rsa3072 2021-03-20 [E] [expires: 2023-03-20]
       703A13EF8D0F5F4991703CE0F1C59A5C51C33BC0
ssb   rsa3072 2021-03-20 [E] [expires: 2023-03-20]
       BE9F1A1A9DFC99381EA1B408E99DED808FC9DABC

There are two encryption subkeys for this PGP key,
BE9F1A1A9DFC99381EA1B408E99DED808FC9DABC is younger so gpg will use it by
default, but 703A13EF8D0F5F4991703CE0F1C59A5C51C33BC0 can be used, too,
if it is explicitly selected.

$ pass init 516D78BC5D57C26F9CE377F5B95E1094B5C79F48
Password store initialized for 516D78BC5D57C26F9CE377F5B95E1094B5C79F48
$ pass init -p Subdir '703A13EF8D0F5F4991703CE0F1C59A5C51C33BC0!'
Password store initialized for 703A13EF8D0F5F4991703CE0F1C59A5C51C33BC0! (Subdir)

Now the password store contains two directories: root set to the default
encryption subkey of key 516D78BC5D57C26F9CE377F5B95E1094B5C79F48,
that is, subkey E99DED808FC9DABC, and subdirectory "Subdir" explicitly
set to the encryption subkey 703A13EF8D0F5F4991703CE0F1C59A5C51C33BC0
(or shorter: F1C59A5C51C33BC0).

$ pass add Subdir/Test1
Enter password for Subdir/Test1:
Retype password for Subdir/Test1:
$ pass add Subdir/Test2
Enter password for Subdir/Test2:
Retype password for Subdir/Test2:
$ pass add MainDirPass
Enter password for MainDirPass:
Retype password for MainDirPass:

So far so good.

Now let's try to move MainDirPass password file to Subdir:
$ pass mv MainDirPass Subdir/
renamed '/tmp/pass/MainDirPass.gpg' -> '/tmp/pass/Subdir/MainDirPass.gpg'
Subdir/Test1: reencrypting to E99DED808FC9DABC F1C59A5C51C33BC0
Subdir/Test2: reencrypting to E99DED808FC9DABC F1C59A5C51C33BC0
Subdir/MainDirPass: reencrypting to E99DED808FC9DABC F1C59A5C51C33BC0

One can see that the existing password files in "Subdir" are being
reencrypted, too, and, for some reason, using both E99DED808FC9DABC and
F1C59A5C51C33BC0 encryption keys even though only F1C59A5C51C33BC0 is
actually set for that subdirectory.

Thankfully, the actual gpg command line is correct in this case and the
password files are actually reencrypted only to key F1C59A5C51C33BC0 and
not both of the keys.
But still, these existing password files should not be getting reencrypted
at all as they are using the right key already.

It is worth noting that this behavior does not happen if a subdirectory
uses a different PGP key (rather than just a different subkey).

The above reencryption will happen every time a password file is
moved to such subdirectory, making the moving process O(n^2).

Thanks,
Maciej

More information about the Password-Store mailing list