On Thu, 2023-03-02 at 23:53 -0500, efeizbudak wrote:
> > Doesn't this sort of defeat the purpose of using pass? I mean if it's
> > always decryptable then is it really useful to have it encrypted in
> > the first place (assuming you have full disk encryption set up)?
Yes and no. Yes in the sense that a rogue piece of software or a bad human actor could execute `pass $path` and acquire the given secrets, so long as the gpg-agent is holding the provided password. No in the sense that the file itself (remember pass stores individual files for each secret) is still encrypted at rest. That is to say, unless someone or some software is specifically looking for gpg-encrypted files and knows how to use gpg or pass, they cannot access the data.

The original point I was trying to make (in the previous message) is that usability and security are always going to compromise one another, and it is up to each of us to decide where the right balance lies. Since I don't consider local malware a legitimate threat, my concerns are limited to bad human actors. Working from home, and locking my computers when leaving them, gpg-agent being unlocked for eight hours after the start of the work day is sufficient security.

People who use gnome-keyring (myself included!) probably don't think twice about the fact that the keyring gets unlocked *once* and stays unlocked until the user's session ends. Heck, some of my sessions can last *months* on some machines. Sure, most of us have rigged it up to use a PAM library, but the situations are parallel. The access agent is still "unlocked" for long periods of time, while the data on disk remains encrypted at rest.
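The knob the message above is really talking about is gpg-agent's passphrase cache: `default-cache-ttl` (idle timeout, restarted on every use) and `max-cache-ttl` (hard cap from the moment the passphrase was entered). The script below is an added example written for this page; it is not code from the thread, from pass, or from GnuPG. It writes two constructed `gpg-agent.conf` files to a temp directory (the eight-hour setup described in the message, with the 28800-second values assumed, and a tighter alternative with assumed values of 600/3600), reports the worst-case time a passphrase can stay cached, and flags any config that lets it outlive an assumed one-hour limit. The two helper functions at the end talk to a running gpg-agent and are only defined, not called, so the script runs without GnuPG installed.

```shell
#!/bin/sh
# Added example: audit how long gpg-agent will keep a passphrase cached,
# i.e. how long `pass $path` keeps working without a prompt.
# gpg-agent built-in defaults: default-cache-ttl 600, max-cache-ttl 7200.
set -eu

# Print the value of an option in a gpg-agent.conf file (last occurrence
# wins), or the supplied gpg-agent default when the option is absent.
agent_ttl() {
    conf=$1; opt=$2; default=$3
    val=$(sed -n "s/^[[:space:]]*$opt[[:space:]]\{1,\}\([0-9]\{1,\}\).*/\1/p" "$conf" | tail -n 1)
    printf '%s\n' "${val:-$default}"
}

# Worst-case cache lifetime in seconds. default-cache-ttl restarts on every
# access, and an attacker running `pass` IS an access, so the cap that
# matters is max-cache-ttl. A default-cache-ttl of 0 disables caching.
worst_case_ttl() {
    conf=$1
    d=$(agent_ttl "$conf" default-cache-ttl 600)
    m=$(agent_ttl "$conf" max-cache-ttl 7200)
    if [ "$d" -eq 0 ]; then echo 0; else echo "$m"; fi
}

# "long" if the passphrase can outlive LIMIT seconds, otherwise "ok".
cache_verdict() {
    conf=$1; limit=$2
    if [ "$(worst_case_ttl "$conf")" -gt "$limit" ]; then echo long; else echo ok; fi
}

# Constructed sample configs (assumed values, not from the thread).
TMP=$(mktemp -d)
WEAK_CONF=$TMP/gpg-agent.conf.weak     # the eight-hour setup from the message
TIGHT_CONF=$TMP/gpg-agent.conf.tight   # a tighter alternative
cat >"$WEAK_CONF" <<'EOF'
# eight hours, whether the key is used or not
default-cache-ttl 28800
max-cache-ttl 28800
EOF
cat >"$TIGHT_CONF" <<'EOF'
# forget after ten idle minutes, never keep past one hour
default-cache-ttl 600
max-cache-ttl 3600
EOF

LIMIT=3600   # assumed policy: a cached passphrase should not outlive an hour
for c in "$WEAK_CONF" "$TIGHT_CONF"; do
    printf '%s: worst case %ss -> %s\n' "$c" "$(worst_case_ttl "$c")" "$(cache_verdict "$c" "$LIMIT")"
done

# Against a live agent (not called here): flush every cached passphrase now
# and re-read gpg-agent.conf; RELOADAGENT has the same effect as SIGHUP.
flush_agent_cache() {
    gpg-connect-agent RELOADAGENT /bye
}

# Against a live agent (not called here): list keygrips whose passphrase
# is currently cached. KEYINFO --list prints
#   S KEYINFO <keygrip> <type> <serialno> <idstr> <cached> <protection> ...
# and the <cached> field (awk $7) is 1 while the passphrase is held.
cached_keygrips() {
    gpg-connect-agent 'KEYINFO --list' /bye | awk '$1=="S" && $2=="KEYINFO" && $7=="1" {print $3}'
}
```

Run `cached_keygrips` before leaving a machine to see exactly which keys `pass` could still decrypt with, and `flush_agent_cache` to close that window early instead of waiting for `max-cache-ttl`; the verdict function is the kind of check to drop into a dotfiles linter so the eight-hour trade-off stays a deliberate choice rather than a forgotten one.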