The way I've set it up, all of my passwords are random except for three: my GitHub password, my SSH passphrase, and my GPG passphrase. So when I set up a new machine, I clone my SSH keys from GitHub using HTTPS; then I can clone any of my other repositories using SSH, including my GPG keyring and my Pass repository. Finally, I can use my GPG keyring to unlock any of my other passwords.
Certainly there are security implications to having my SSH and GPG keys, as well as all my passwords, in private GitHub repositories. However, I set up my security model under the assumption that if my master passphrases are compromised then any other protection is just security-through-obscurity. The idea is that an attacker would need to get (machine access + GPG passphrase) or (GitHub password + GPG passphrase) in order to compromise everything. Then it's a matter of religiously using a dedicated pinentry program to enter the master GPG passphrase, to avoid most attack vectors.

_______________________________________________
Password-Store mailing list
[email protected]
https://lists.zx2c4.com/mailman/listinfo/password-store
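The bootstrap order the post describes (GitHub password over HTTPS, then SSH for everything else, then GPG to unlock the store), written out as a script. This is an added example and not the poster's own setup script; the repository names, the user name, the key file names and the pinentry path are placeholders, and the two helpers enforce the parts of the procedure that are easy to get wrong on a fresh machine: the file modes ssh insists on for a restored private key, and pinning gpg-agent to the one dedicated pinentry program the post relies on.

```shell
#!/bin/sh
# Added example (not from the post): bootstrap a fresh machine in the order
# the post describes. Repository names, user name, key file names and the
# pinentry path are placeholders; override them through the environment.
set -eu

GITHUB_USER="${GITHUB_USER:-example-user}"        # placeholder
KEYS_REPO="${KEYS_REPO:-ssh-keys}"                # placeholder private repo
GPG_REPO="${GPG_REPO:-gpg-keyring}"               # placeholder private repo
PASS_REPO="${PASS_REPO:-password-store}"          # placeholder private repo
PINENTRY="${PINENTRY:-/usr/bin/pinentry-curses}"  # placeholder path
WORK="${WORK:-$HOME/bootstrap}"

# Print the octal mode of a path (GNU stat first, BSD stat as fallback).
file_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Copy a private key into an ssh directory with the modes ssh requires:
# 0700 on the directory, 0600 on the key. ssh refuses to use a key that is
# readable by group or others, so this is a functional requirement as much
# as hardening. Prints the resulting mode of the installed key.
install_ssh_key() {
  src="$1"; dest_dir="$2"
  mkdir -p "$dest_dir"
  chmod 700 "$dest_dir"
  cp "$src" "$dest_dir/$(basename "$src")"
  chmod 600 "$dest_dir/$(basename "$src")"
  file_mode "$dest_dir/$(basename "$src")"
}

# Pin gpg-agent to one dedicated pinentry so the master passphrase is always
# typed into the same program. Rewrites any existing pinentry-program line so
# the setting stays single-valued; prints how many such lines remain (1).
configure_pinentry() {
  conf_dir="$1"
  mkdir -p "$conf_dir"
  chmod 700 "$conf_dir"
  conf="$conf_dir/gpg-agent.conf"
  if [ -f "$conf" ]; then
    grep -v '^pinentry-program' "$conf" > "$conf.tmp" || true
    mv "$conf.tmp" "$conf"
  fi
  echo "pinentry-program $PINENTRY" >> "$conf"
  grep -c '^pinentry-program' "$conf"
}

bootstrap() {
  mkdir -p "$WORK"
  # 1. Only the GitHub password exists so far: clone the key repo over HTTPS.
  git clone "https://github.com/$GITHUB_USER/$KEYS_REPO.git" "$WORK/$KEYS_REPO"
  install_ssh_key "$WORK/$KEYS_REPO/id_ed25519" "$HOME/.ssh"  # placeholder key name
  cp "$WORK/$KEYS_REPO/id_ed25519.pub" "$HOME/.ssh/"
  # 2. From here on everything goes over SSH with the restored key.
  git clone "git@github.com:$GITHUB_USER/$GPG_REPO.git" "$WORK/$GPG_REPO"
  configure_pinentry "$HOME/.gnupg"
  gpg --import "$WORK/$GPG_REPO/secret.asc"   # exported keyring, placeholder name
  # 3. With the GPG key in place the pass store can be cloned and decrypted.
  git clone "git@github.com:$GITHUB_USER/$PASS_REPO.git" "$HOME/.password-store"
}

# Network steps run only when explicitly requested; sourcing the file just
# defines the helpers and has no side effects.
if [ "${1:-}" = run ]; then
  bootstrap
fi
```

Invoke as `sh bootstrap.sh run` on the new machine; git prompts for the GitHub credentials once for the HTTPS clone, and gpg prompts for the GPG passphrase through the configured pinentry on first use of the store. Running `configure_pinentry` twice leaves exactly one `pinentry-program` line, so it is safe to re-run after changing `PINENTRY`.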
