Open danielkrajnik opened 1 year ago
When you enter pass open
, the encrypted file coffin.tar.gpg
has to be decrypted, which leaves you with coffin.tar
, which is then extracted. If you want to retrieve just a single password store secret, we can do that but at this point, the entire password store has already been decrypted into a tar file, so I don't see how extracting a single file would be relatively more secure, not to mention that this would make opening and closing the coffin more complex (How do we know if an existing coffin or tar file contains the entire password store?).
Programs that don't support gpg require secrets stored in plain text.
In this case, you're better served by programs like age and ansible-vault. I remember that chezmoi supports decrypting age-encrypted plain text files at runtime. gpg also supports storing secrets as plain text files though with --armor
.
Thanks for explaining, that makes sense.
In this case, you're better served by programs like age and ansible-vault.
Interesting, thanks for sharing. The main reason why I stick with gpg instead of age is the "ecosystem" (hardware keys, gpg-agent etc.). But if age has a standard way to handle plain text files that may be a good reason to switch.
You can also use zsh's "temporary file process substitution" to decrypt .gpg files in runtime (e.g. =(gpg -d secret.gpg)
), but it won't work well with GUI programs.
I think that it would be more secure if there was an option not to open the whole coffin, but only a selected file inside it, e.g.:
pass open password-account-1
Besides general privacy it would be also useful for secret files that other programs use - for example
aws-cli-credentials
file (aws-cli). Programs that don't support gpg require secrets stored in plain text. It would be more secure if these were not extracted from the coffin until explicitly instructed (or if you could blacklist them somehow).It's just an idea, maybe there is a simpler way to achieve the same thing. Occurred to me when looking at .env files in web development. Curious to know what you think.