Hello,

On 2015-12-06 23:34, Lucas Hoffmann wrote:
The man page says you should use "pass init [-p subfolder] newid".  Or
do you need some info that is not in the man page?

On 2015-12-07 12:22, Martijn van Dijk wrote:
I just did this, you can run pass init <key ID 1> <key ID 2> and it will
re-encrypt all the stored passwords with both key 1 and 2. You can
probably use this to remove the old key too.

My bad, I should have RTFM more carefully (I only grepped for "rotation"). That's exactly what I was looking for.

Thank you.

On 2015-12-06 23:37, Emil Lundberg wrote:
I'd like to provide a friendly reminder that if you do that, make sure to also (securely) delete all copies of your password store encrypted with the
old key(s) as they can still be decrypted with the old key(s). This
includes old commits if you use git to version your repository, as well as
any backups you may have.

I'm not saying rotating keys is a bad idea, just that this is something you
need to keep in mind if you do.

Of course.

On 2015-12-07 08:32, Mike Charlton wrote:
On 7 December 2015 at 08:37, Emil Lundberg <lundberg.e...@gmail.com> wrote:
I'm not saying rotating keys is a bad idea, just that this is something
you need to keep in mind if you do.

I'm not sure why it would be considered a good idea. Unless I'm missing
something, the reason for rotating your password is to ensure that if
someone has gotten access to it somehow, they have limited time to make use
of it. Since your old key is still active, that argument doesn't apply. It
just makes key management more difficult. Unless you export everything
out and re-encrypt it, I would say that rotating keys *is* a bad idea.

Because at some point you might want or need to change key: because you believe it could have been compromised (and therefore want to re-encrypt your password store and get rid of the version encrypted with the potentially compromised key ASAP); because you want to use stronger crypto (generate a new – longer – key, switch to ECC, ...); … There are tens of reasons I can think of that would require key rotation.
_______________________________________________
Password-Store mailing list
Password-Store@lists.zx2c4.com
http://lists.zx2c4.com/mailman/listinfo/password-store
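The rotation the thread arrives at (`pass init <new> <old>` to re-encrypt to both keys, then `pass init <new>` to drop the old one), followed by a check on the actual ciphertext that every entry is now readable by the new key and no longer by the old, as an added example. This is not code from the thread or from pass itself; the function names are mine, and it assumes GnuPG 2.1 or newer (for `--pinentry-mode cancel`) with `pass` on PATH. The audit reads the recipient key IDs that `gpg --list-packets` prints; those are the IDs of the encryption subkeys, which is why it collects primary and subkey IDs for each key. It cannot see into git history or backups, which, as Emil points out, still hold the old ciphertext; the script only warns about them.

```shell
#!/bin/sh
# Added example (not from the thread or from pass): rotate a password store to a
# new GPG key with `pass init`, then verify on disk that no entry is still
# encrypted to the old key. Assumes GnuPG >= 2.1 and pass on PATH; function
# names are mine. Usage: sh rotate-pass-key.sh NEW_KEY_ID OLD_KEY_ID
set -eu

# Pull the recipient key IDs out of `gpg --list-packets` output read on stdin.
# Each recipient appears as ":pubkey enc packet: ... keyid <16 hex digits>".
# A hidden recipient (--throw-keyids) shows up as 0000000000000000 and will
# therefore be reported as not encrypted to the new key.
packet_recipients() {
    sed -n 's/^:pubkey enc packet:.*keyid \([0-9A-F]\{16\}\).*/\1/p'
}

# All key IDs belonging to a key: primary plus subkeys. gpg encrypts to the
# encryption *subkey*, so the keyid in the packet is normally not the primary ID.
key_ids() {
    gpg --batch --with-colons --list-keys "$1" 2>/dev/null |
        awk -F: '$1 == "pub" || $1 == "sub" { print $5 }'
}

# Succeeds if any recipient keyid read on stdin is in the newline-separated
# ID list given as $1.
has_recipient_in() {
    ids=$1
    while IFS= read -r r; do
        [ -n "$r" ] || continue
        case "$ids" in *"$r"*) return 0 ;; esac
    done
    return 1
}

# Check every .gpg entry under the store: it must list a recipient from $2 (the
# new key's IDs) and none from $3 (the old key's IDs). Prints offenders and
# fails if there are any.
audit_store() {
    store=$1 new_ids=$2 old_ids=$3
    problems=$(find "$store" -type f -name '*.gpg' | while IFS= read -r f; do
        # --pinentry-mode cancel: list packet headers without unlocking a key.
        recips=$(gpg --batch --pinentry-mode cancel --list-packets "$f" 2>&1 | packet_recipients)
        if ! printf '%s\n' "$recips" | has_recipient_in "$new_ids"; then
            printf 'not encrypted to the new key: %s\n' "$f"
        fi
        if printf '%s\n' "$recips" | has_recipient_in "$old_ids"; then
            printf 'still encrypted to the old key: %s\n' "$f"
        fi
    done)
    if [ -n "$problems" ]; then
        printf '%s\n' "$problems" >&2
        return 1
    fi
    echo "audit ok: every entry under $store is encrypted to the new key only"
}

rotate_pass_key() {
    new=$1 old=$2
    store=${PASSWORD_STORE_DIR:-$HOME/.password-store}
    new_ids=$(key_ids "$new")
    old_ids=$(key_ids "$old")
    [ -n "$new_ids" ] || { echo "no public key found for $new" >&2; return 1; }
    # Step 1 (the command from the thread): re-encrypt every entry to both keys.
    # Nothing becomes unreadable, and you can confirm the new key decrypts
    # (e.g. `pass show some/entry`) before going on.
    pass init "$new" "$old"
    # Step 2: list only the new key; pass re-encrypts every entry to it alone.
    pass init "$new"
    # Step 3: verify on the actual ciphertext rather than trusting .gpg-id.
    audit_store "$store" "$new_ids" "$old_ids"
    # Step 4: what the audit cannot see. Earlier commits (pass commits each
    # re-encryption when the store is a git repo) and any backups still hold
    # ciphertext for the old key; only removing those copies closes that gap.
    if [ -d "$store/.git" ]; then
        n=$(git -C "$store" rev-list --count HEAD)
        echo "note: $n commits in history; those before the rotation still decrypt with $old" >&2
    fi
}

# Run only when invoked with the two key IDs; the functions can also be sourced.
if [ $# -ge 2 ]; then
    rotate_pass_key "$1" "$2"
fi
```

The two-step `pass init` is deliberate: after the first step every entry is readable by either key, so a failure at that point leaves nothing locked out, and the second step is what actually retires the old key. The audit is the part worth keeping around even if you rotate by hand, since `.gpg-id` only records intent; the `pubkey enc` packets record what the files can really be opened with.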
