ayushnix / pass-coffin

A password store extension to hide data inside a signed and encrypted coffin
GNU General Public License v3.0

How about 'pass open'ing only a specific file from the coffin instead of everything? #15

Open danielkrajnik opened 1 year ago

danielkrajnik commented 1 year ago

I think that it would be more secure if there was an option not to open the whole coffin, but only a selected file inside it, e.g.:

pass open password-account-1

Besides general privacy it would be also useful for secret files that other programs use - for example aws-cli-credentials file (aws-cli). Programs that don't support gpg require secrets stored in plain text. It would be more secure if these were not extracted from the coffin until explicitly instructed (or if you could blacklist them somehow).

It's just an idea, maybe there is a simpler way to achieve the same thing. Occurred to me when looking at .env files in web development. Curious to know what you think.

ayushnix commented 1 year ago

When you enter pass open, the encrypted file coffin.tar.gpg has to be decrypted, which leaves you with coffin.tar, which is then extracted. If you want to retrieve just a single password store secret, we can do that but at this point, the entire password store has already been decrypted into a tar file, so I don't see how extracting a single file would be relatively more secure, not to mention that this would make opening and closing the coffin more complex (How do we know if an existing coffin or tar file contains the entire password store?).

> Programs that don't support gpg require secrets stored in plain text.

In this case, you're better served by programs like age and ansible-vault. I remember that chezmoi supports decrypting age-encrypted plain text files at runtime. gpg also supports storing secrets as plain text files though with --armor.

danielkrajnik commented 1 year ago

Thanks for explaining, that makes sense.

> In this case, you're better served by programs like age and ansible-vault.

Interesting, thanks for sharing. The main reason why I stick with gpg instead of age is the "ecosystem" (hardware keys, gpg-agent etc.). But if age has a standard way to handle plain text files that may be a good reason to switch.

You can also use zsh's "temporary file process substitution" to decrypt .gpg files at runtime (e.g. `=(gpg -d secret.gpg)`), but it won't work well with GUI programs.
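The two mechanics discussed in this thread, ayushnix's point that `pass open` has to decrypt the whole `coffin.tar.gpg` before any single member can be pulled out, and danielkrajnik's `=(gpg -d secret.gpg)` trick for programs that insist on a plaintext file, as one added Python example. This is not pass-coffin's code and not anything the participants posted; `open_single`, `run_with_plaintext` and `gpg_decrypt` are names made up for this example, the store contents are constructed, and the temp-file permission behaviour assumes a POSIX system.

```python
import io
import os
import subprocess
import sys
import tarfile
import tempfile
from typing import Callable, Dict, Optional, Tuple

# Constructed stand-in for the password store that pass-coffin tars up.
# In a real store each member is itself a gpg-encrypted file; here the
# members are plain bytes so the flow can run without gpg installed.
CONSTRUCTED_STORE: Dict[str, bytes] = {
    "aws/credentials": b"[default]\naws_access_key_id = AKIAEXAMPLE\n",
    "password-account-1": b"hunter2\n",
}


def build_tar(files: Dict[str, bytes]) -> bytes:
    """Build an in-memory tar (plays the role of coffin.tar)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def gpg_decrypt(path: str) -> bytes:
    """Decrypt a file with the gpg CLI. Assumes gpg and a usable key/agent
    are present; the embedded demo below does not call this."""
    cp = subprocess.run(["gpg", "--quiet", "--batch", "--decrypt", path],
                        check=True, capture_output=True)
    return cp.stdout


def open_single(coffin_path: str, member: str,
                decrypt: Callable[[str], bytes] = gpg_decrypt) -> bytes:
    """Return one member of the coffin without writing coffin.tar to disk.

    What this does NOT avoid: `decrypt` still produces the entire archive,
    exactly as ayushnix describes. Streaming mode ("r|") only means the
    plaintext tar stays in memory instead of landing on the filesystem.
    """
    whole_tar = decrypt(coffin_path)
    with tarfile.open(fileobj=io.BytesIO(whole_tar), mode="r|") as tf:
        for info in tf:
            if info.name == member and info.isfile():
                return tf.extractfile(info).read()
    raise KeyError(f"{member!r} not in coffin")


def run_with_plaintext(secret: bytes, argv: list, placeholder: str = "{}",
                       tmp_dir: Optional[str] = None
                       ) -> Tuple[subprocess.CompletedProcess, str]:
    """Hand a secret to a program that insists on a file path.

    Same idea as zsh's =(cmd): the plaintext file exists only while the
    program runs. mkstemp creates it with mode 0600 (O_CREAT|O_EXCL) and the
    finally clause unlinks it even if the program fails. Pass
    tmp_dir="/dev/shm" on Linux to keep it on tmpfs rather than disk.
    """
    fd, path = tempfile.mkstemp(prefix="secret-", dir=tmp_dir)
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(secret)
        cmd = [path if a == placeholder else a for a in argv]
        return subprocess.run(cmd, capture_output=True, text=True), path
    finally:
        os.unlink(path)


# Child process used by the demo: reports the file's mode, then echoes it.
PROBE = ("import os, sys; p = sys.argv[1]; "
         "print(oct(os.stat(p).st_mode & 0o777)); sys.stdout.write(open(p).read())")


def demo() -> dict:
    """Run the whole flow on the constructed store; a fake decrypt function
    stands in for gpg so the demo needs no keys."""
    tar_bytes = build_tar(CONSTRUCTED_STORE)
    creds = open_single("coffin.tar.gpg", "aws/credentials",
                        decrypt=lambda _path: tar_bytes)
    cp, path = run_with_plaintext(creds, [sys.executable, "-c", PROBE, "{}"])
    mode, content = cp.stdout.split("\n", 1)
    return {"mode": mode, "content": content, "file_gone": not os.path.exists(path)}


if __name__ == "__main__":
    print(demo())
```

The consumer sees a 0600 file for exactly the lifetime of its own process, which is the property `=()` gives a short-lived CLI tool and loses with a long-running GUI program that expects the path to stay valid. For a program that reads its secret from stdin, `pass show name | program` needs no file at all.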