Hello,
On 2015-12-06 23:34, Lucas Hoffmann wrote:
The man page says you should use "pass init [-p subfolder] newid". Or
do you need some info that is not in the man page?
On 2015-12-07 12:22, Martijn van Dijk wrote:
I just did this, you can run pass init <key ID 1> <key ID 2> and it will
re-encrypt all the stored passwords with both key 1 and 2. You can
probably use this to remove the old key too.
My bad, I should have RTFM more carefully (I only grepped "rotation").
That's exactly what I was looking for.
Thank you.
On 2015-12-06 23:37, Emil Lundberg wrote:
I'd like to provide a friendly reminder that if you do that, make sure to
also (securely) delete all copies of your password store encrypted with the
old key(s) as they can still be decrypted with the old key(s). This
includes old commits if you use git to version your repository, as well as
any backups you may have.
I'm not saying rotating keys is a bad idea, just that this is something you
need to keep in mind if you do.
Of course.
On 2015-12-07 08:32, Mike Charlton wrote:
On 7 December 2015 at 08:37, Emil Lundberg <lundberg.e...@gmail.com> wrote:
I'm not saying rotating keys is a bad idea, just that this is something
you need to keep in mind if you do.
I'm not sure why it would be considered a good idea. Unless I'm missing
something, the reason for rotating your password is to ensure that if
someone has gotten access to it somehow, they have limited time to make use
of it. Since your old key is still active, that argument doesn't apply.
It just makes key management more difficult. Unless you export everything
out and re-encrypt it, I would say that rotating keys *is* a bad idea.
Because at some point, you might want/need to change keys: because you
believe it could have been compromised (and therefore want to re-encrypt
your password-store and get rid of the version encrypted with the
potentially compromised key asap); because you want to use stronger
crypto (generate a new, longer key, switch to ECC, ...), … There are
tens of reasons I can think of that would require key rotation.
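The practical check behind this thread is "which key IDs is this .gpg file actually encrypted to?" After `pass init <new key> [<old key>]` every file under the store should list only the keys you intended, and any copy that still names the retired key (an old git blob, a backup) is the thing Emil warns about. The script below is an added example, not code from the password-store project or from anyone in the thread: it parses the OpenPGP packet framing from RFC 4880 and collects the recipient key IDs from the Public-Key Encrypted Session Key packets, which is the same information `gpg --list-packets` prints. The key IDs and the sample message bytes are constructed for the demo and are not real keys.

```python
"""Inspect which OpenPGP key IDs a pass(1) .gpg file is encrypted to.

Added example (not code from the password-store project or the thread).
It walks the packet framing defined in RFC 4880 and collects the key IDs
from every Public-Key Encrypted Session Key packet (tag 1). Only the
framing is parsed; the session-key material itself is never touched.
"""
from __future__ import annotations

import struct
from typing import Iterator, List, Set, Tuple

PKESK_TAG = 1                          # Public-Key Encrypted Session Key packet
WILDCARD_KEY_ID = "0000000000000000"   # hidden recipient (gpg --throw-keyids)


def _packets(data: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (tag, body) for each packet in an OpenPGP message."""
    pos = 0
    while pos < len(data):
        ctb = data[pos]
        pos += 1
        if not ctb & 0x80:
            raise ValueError(f"byte {pos - 1}: not an OpenPGP packet header")
        if ctb & 0x40:                             # new-format header (RFC 4880 4.2.2)
            tag = ctb & 0x3F
            first = data[pos]
            pos += 1
            if first < 192:
                length = first
            elif first < 224:
                length = ((first - 192) << 8) + data[pos] + 192
                pos += 1
            elif first == 255:
                length = struct.unpack(">I", data[pos:pos + 4])[0]
                pos += 4
            else:                                  # partial body length: never used for PKESK
                raise ValueError("partial body lengths are not supported here")
        else:                                      # old-format header (RFC 4880 4.2.1)
            tag = (ctb >> 2) & 0x0F
            ltype = ctb & 0x03
            if ltype == 3:
                length = len(data) - pos           # indeterminate: runs to end of input
            else:
                size = (1, 2, 4)[ltype]
                length = int.from_bytes(data[pos:pos + size], "big")
                pos += size
        body = data[pos:pos + length]
        if len(body) != length:
            raise ValueError(f"truncated packet (tag {tag})")
        pos += length
        yield tag, body


def recipient_key_ids(data: bytes) -> List[str]:
    """Return the 16-hex-digit key IDs of every PKESK packet, in file order."""
    ids = []
    for tag, body in _packets(data):
        if tag != PKESK_TAG:
            continue
        if body[0] != 3:                           # PKESK version 3 is what gpg emits
            raise ValueError(f"unsupported PKESK version {body[0]}")
        ids.append(body[1:9].hex().upper())
    return ids


def stale_recipients(data: bytes, retired: Set[str]) -> Set[str]:
    """Key IDs in the file that belong to the retired set.

    Wildcard (hidden) recipients cannot be attributed to any key, so they
    are reported as stale as well: a re-encrypted store should have none.
    """
    found = set(recipient_key_ids(data))
    return {k for k in found if k in retired or k == WILDCARD_KEY_ID}


def _pkesk(key_id_hex: str) -> bytes:
    """Build a minimal RSA PKESK packet for the demo (constructed, not real)."""
    body = bytes([3]) + bytes.fromhex(key_id_hex) + bytes([1]) + b"\x00\x10\xab\xcd"
    return bytes([0xC0 | PKESK_TAG, len(body)]) + body


# Constructed sample: one store entry encrypted to an old key and a new key,
# followed by a dummy SEIPD (tag 18) packet standing in for the ciphertext.
OLD_KEY = "0123456789ABCDEF"
NEW_KEY = "FEDCBA9876543210"
SAMPLE_GPG = _pkesk(OLD_KEY) + _pkesk(NEW_KEY) + bytes([0xD2, 0x05, 0x01]) + b"\x00" * 4

if __name__ == "__main__":
    print("recipients:", recipient_key_ids(SAMPLE_GPG))
    print("still encrypted to retired keys:", stale_recipients(SAMPLE_GPG, {OLD_KEY}))
```

To audit a real store, feed each `*.gpg` file's bytes to `stale_recipients` with the retired key ID; to cover the history Emil mentions, do the same for every blob that `git rev-list --objects --all` lists in the repository and dump with `git cat-file -p`, and for the files in your backups. Anything that still reports the retired key is a copy that the old key can decrypt and that rotation alone did not remove.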
_______________________________________________
Password-Store mailing list
Password-Store@lists.zx2c4.com
http://lists.zx2c4.com/mailman/listinfo/password-store