Best practice for multiple-client use keys

Wolfgang Schildbach pws at
Sat Jan 14 09:58:03 UTC 2023


I would like to use pass in a situation where a number of PCs/laptops 
all have access to the keystore, as well as one or two mobile devices. 
We can assume the laptops to be a mix of linux and windows. The mobile 
devices are Android. I have a git server running in my home network.

My question is what are best practices when it comes to (pgp) key 
management in this situation, and the documentation seems fairly light 
in this respect.

 From what I can see, there are two options.

1) Create a different public/private key pair for each machine, and 
encrypt the store for all of them (i.e. pass init with multiple keys).

I have successfully done this but it is a N² problem -- every time a new 
machine is added, its public key needs to be distributed to all the 
different machines. This becomes unwieldy very soon, specifically if you 
take into account that the public keys should really be signed by a 
master key. And if you forget to do a pass git pull/push around the 
operations and need to merge -- specifically with the .gpg-id file -- 
then things become a bit scary.

I have toyed with the idea of setting up a keyserver but discarded that 
for now as it seemed to be more complexity than I was ready for.

2) Stick with one key pair, and distribute the private key to all machines.

This avoids the N² problem and seems operationally easier all around. 
However, there appear to be two different problems with this approach:

a) Shipping private keys around is generally frowned upon. It runs 
counter the entire public/private key setup at the heart of pgp. Also, 
the keys still somehow need to be verified so the process can't be quite 

b) It seems easy enough to build a script with scp/ssh to do the key 
distribution to a new machine, but there is no straightforward way to do 
the same with a mobile device, or even with a windows laptop.

So my question is, how are others handling this situation, and am I 
overlooking an option? Should I be looking at 1) with a keyserver?

Thanks for your help,

- Wolfgang

More information about the Password-Store mailing list