Best practice for multiple-client use keys

Kjetil Torgrim Homme kjetil.homme at redpill-linpro.com
Wed Jan 18 12:52:16 UTC 2023


On 14/01/2023 10:58, Wolfgang Schildbach wrote:
> My question is what are best practices when it comes to (pgp) key 
> management in this situation, and the documentation seems fairly light 
> in this respect.
> 
>  From what I can see, there are two options.
> 
> 1) Create a different public/private key pair for each machine, and 
> encrypt the store for all of them (i.e. pass init with multiple keys).
> 
> I have successfully done this but it is a N² problem -- every time a new 
> machine is added, its public key needs to be distributed to all the 
> different machines. This becomes unwieldy very soon, specifically if you 
> take into account that the public keys should really be signed by a 
> master key. And if you forget to do a pass git pull/push around the 
> operations and need to merge -- specifically with the .gpg-id file -- 
> then things become a bit scary.
> 
> I have toyed with the idea of setting up a keyserver but discarded that 
> for now as it seemed to be more complexity than I was ready for.

There is a simpler version: Add the public key to your pass Git repo so 
it can be easily imported on all the other hosts.  Whether you trust the 
new key explicitly on each host or you sign it using your trusted master 
key is up to you; I guess it will depend on how many hosts there are. 
You need the full set of public keys to do a new pass init, but they 
need to be trusted.

-- 
Kjetil T. Homme
Redpill Linpro - Changing the game
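The workflow Kjetil describes (ship every host's public key inside the pass Git repo, import and trust it on each host, then run `pass init` with the full set of key IDs) as an added, self-contained bash example. This is not code from the thread or from the pass project. It assumes a hypothetical `.public-keys/<fingerprint>.asc` directory in the store, one full fingerprint per line in `.gpg-id`, an optional `MASTER_KEY` environment variable naming a locally trusted certifying key, and GnuPG 2.1+ for `--quick-lsign-key`. The keyring listing used by `key_problems` is a constructed sample in `gpg --with-colons` format, not output captured from a real system.

```bash
#!/usr/bin/env bash
# Added example, not part of the original mailing-list post or of pass itself.
# Layout assumptions (hypothetical): <store>/.public-keys/<FPR>.asc holds each
# host's exported public key; .gpg-id lists one full fingerprint per line.
set -euo pipefail

PASS_REPO="${PASSWORD_STORE_DIR:-$HOME/.password-store}"
KEY_DIR="$PASS_REPO/.public-keys"

# Step 1 (on the new host): export its own public key into the repo so that a
# normal `pass git push` distributes it to every other host.
publish_host_key() {
  local fpr="$1"
  mkdir -p "$KEY_DIR"
  gpg --armor --export "$fpr" > "$KEY_DIR/$fpr.asc"
  pass git add ".public-keys/$fpr.asc"
  pass git commit -q -m "Add public key $fpr"
}

# Step 2 (on every host, after `pass git pull`): import all published keys and
# make them trusted, either by a local (non-exportable) signature from the
# master key, or by setting explicit ownertrust on this host only.
import_repo_keys() {
  local f fpr
  for f in "$KEY_DIR"/*.asc; do
    gpg --quiet --import "$f"
  done
  while read -r fpr; do
    [ -n "$fpr" ] || continue
    case "$fpr" in \#*) continue ;; esac
    if [ -n "${MASTER_KEY:-}" ]; then
      gpg --quiet --batch --yes --default-key "$MASTER_KEY" --quick-lsign-key "$fpr"
    else
      printf '%s:6:\n' "$fpr" | gpg --quiet --import-ownertrust   # 6 = ultimate
    fi
  done < "$PASS_REPO/.gpg-id"
}

# Pure-shell check: for each fingerprint in a .gpg-id text ($1), report whether
# it is absent from a `gpg --list-keys --with-colons --fingerprint` listing ($2)
# or present but not valid (pub record validity other than u/f). Output lines:
#   missing <FPR>            untrusted <FPR> <validity>
key_problems() {
  local gpg_ids="$1" listing="$2" fpr validity validity_map
  # The fpr record directly after a pub record carries that key's fingerprint
  # (field 10); the pub record's field 2 is its calculated validity.
  validity_map=$(printf '%s\n' "$listing" | awk -F: '
    $1=="pub" { v=$2; want=1 }
    $1=="fpr" && want { print $10 " " (v==""?"-":v); want=0 }')
  printf '%s\n' "$gpg_ids" | while read -r fpr; do
    [ -n "$fpr" ] || continue
    case "$fpr" in \#*) continue ;; esac
    validity=$(printf '%s\n' "$validity_map" | awk -v f="$fpr" '$1==f {print $2}')
    if [ -z "$validity" ]; then
      printf 'missing %s\n' "$fpr"
    else
      case "$validity" in u|f) ;; *) printf 'untrusted %s %s\n' "$fpr" "$validity" ;; esac
    fi
  done
}

# Step 3 (on one host that has every key trusted): re-encrypt the whole store
# for the existing recipients plus any fingerprints given as arguments.
reinit_with_all_keys() {
  local ids problems
  ids=$(printf '%s\n' "$(grep -v '^#' "$PASS_REPO/.gpg-id")" "$@")
  problems=$(key_problems "$ids" "$(gpg --list-keys --with-colons --fingerprint)")
  if [ -n "$problems" ]; then
    printf 'refusing to pass init:\n%s\n' "$problems" >&2
    return 1
  fi
  printf '%s\n' "$ids" | xargs pass init
}

# Constructed sample data (not real keys): host A is ultimately valid, host B is
# imported but has no trust, host C is listed in .gpg-id but was never imported.
SAMPLE_GPG_IDS='AAAA1111AAAA1111AAAA1111AAAA1111AAAA1111
BBBB2222BBBB2222BBBB2222BBBB2222BBBB2222
CCCC3333CCCC3333CCCC3333CCCC3333CCCC3333'
SAMPLE_LISTING='pub:u:4096:1:1111111111111111:1670000000:::u:::scESC::::::23::0:
fpr:::::::::AAAA1111AAAA1111AAAA1111AAAA1111AAAA1111:
uid:u::::1670000000::X::Host A <a@example.test>::::::::::0:
sub:u:4096:1:1111111111111112:1670000000::::::e::::::23:
fpr:::::::::AAAA1111AAAA1111AAAA1111AAAA1111AAAA1112:
pub:-:4096:1:2222222222222222:1670000000:::-:::scESC::::::23::0:
fpr:::::::::BBBB2222BBBB2222BBBB2222BBBB2222BBBB2222:
uid:-::::1670000000::Y::Host B <b@example.test>::::::::::0:'

key_problems "$SAMPLE_GPG_IDS" "$SAMPLE_LISTING"
```

Running `key_problems` on the sample prints `untrusted BBBB…2222 -` and `missing CCCC…3333`, which is exactly the state Kjetil warns about: having the key file in the repo is not enough, the key must also be valid on the host before `pass init` will encrypt to it without prompting. The subkey `fpr` record in the sample is deliberately ignored, since only primary-key fingerprints belong in `.gpg-id`.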
