Exposing your password files shouldn't be any worse than, e.g. exposing the same number of encrypted emails.
I do agree that it would be nice to not expose the Pass repo file names. There are several ways to do this. There's a Pass extension that will 'entomb' your entire repo, i.e. encrypt the entire repo directory tree. Though that isn't supported for the Pass for iOS app.

Another solution – one I use – is to use a Git remote helper that encrypts the entire remote repo (including commit history and the Git internal objects). I opened an issue for the Pass for iOS app to add support for that remote helper <https://github.com/mssun/passforios/issues/143> (though it's currently unlikely to be added anytime soon).

Currently, I just rely on the security of the private repo host I'm using to prevent exposing directory and file names. That's probably fine.

On Sun, Jan 28, 2018 at 5:06 AM, Ben Oliver <[email protected]> wrote:

> On 18-01-28 10:25:31, Greg Minshall wrote:
>
>> hi. thanks very much to the responsible parties for password-store,
>> which i'm happily using on lubuntu.
>>
>> i'm attracted to somehow synchronizing with my iphone. the solution
>> (that i've seen) uses git for synchronizing.
>>
>> this tickles something that's worried me a bit since i started looking
>> at pass, which is, i *worry* that the security of exposing lots of tiny,
>> "known-format" (more or less) files, all encrypted with the same key,
>> may be less secure than exposing one large, known-format, file,
>> encrypted with that same key.
>>
>> (this is my intuition speaking to me and, of course, *my* intuition,
>> especially w.r.t. security, is infallible... :)
>>
>> does anyone have any opinions/numbers/facts?
>>
>> cheers, Greg
>>
>
> This is one of the main 'weaknesses' with pass - it exposes all of the
> file names and therefore (for most people I presume) website names. There
> are ways around this but I'm not sure they work on iPhone.
>
> It's a risk I'm willing to take if the tradeoff is the excellent usability
> and simple, transparent mechanism pass uses to encrypt and send files.
>
> One thing I like about using gpg as a solution is that you can encrypt
> with multiple keys. This means you don't need to use the same key on your
> phone as on your PC.
>
> _______________________________________________
> Password-Store mailing list
> [email protected]
> https://lists.zx2c4.com/mailman/listinfo/password-store
>
_______________________________________________ Password-Store mailing list [email protected] https://lists.zx2c4.com/mailman/listinfo/password-store
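The file-name exposure discussed in this thread is easy to quantify. The script below is an added example, not code from the thread or from pass itself: it parses a `git ls-tree -r --name-only HEAD` (or `pass git ls-files`) listing using pass's own `folder/entry.gpg` naming convention and reports what a repo host can read without any key: the folder and site names, the entry names (usually usernames), and which names recur across sites, since an observer can link accounts from names alone. The `.gpg` contents themselves stay encrypted; only this metadata leaks. The sample listing is constructed for the example; the `.gpg-id` and `.gitattributes` entries are the bookkeeping files pass keeps at the store root.

```python
"""Audit the plaintext metadata a remote host sees in a pass git repo.

Added example, not part of the password-store project. Pipe in the
output of `pass git ls-files` or `git ls-tree -r --name-only HEAD` to
run it against a real store.
"""
import posixpath
import sys
from collections import defaultdict

# Constructed sample listing of a pass store (not a real store).
SAMPLE_LISTING = """\
.gpg-id
.gitattributes
example.com/alice.gpg
example.com/bob.gpg
bank.example.net/alice.gpg
work/vpn/alice.gpg
misc/wifi.gpg
"""


def parse_listing(text):
    """Return (folder, entry_name) pairs for every encrypted entry.

    pass stores each secret as <folder>/<name>.gpg; only the ".gpg"
    suffix and the path layout are needed to recover both parts.
    """
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line.endswith(".gpg"):
            continue  # .gpg-id, .gitattributes, etc. carry no entry name
        folder, name = posixpath.split(line[: -len(".gpg")])
        entries.append((folder, name))
    return entries


def exposed_metadata(text):
    """Summarize what is visible with no decryption key at all."""
    entries = parse_listing(text)
    by_folder = defaultdict(list)
    for folder, name in entries:
        by_folder[folder or "<root>"].append(name)
    return {
        "entries": len(entries),
        "top_level": sorted({f.split("/")[0] for f, _ in entries if f}),
        "folders": {f: sorted(n) for f, n in by_folder.items()},
        "names": sorted({n for _, n in entries}),
    }


def name_reuse(text):
    """Entry names that appear under more than one folder.

    The same username across several sites lets an observer link
    accounts without reading a single password.
    """
    where = defaultdict(set)
    for folder, name in parse_listing(text):
        where[name].add(folder or "<root>")
    return {n: sorted(f) for n, f in where.items() if len(f) > 1}


def report(text):
    """Human-readable summary of exposed_metadata() and name_reuse()."""
    meta = exposed_metadata(text)
    lines = [f"{meta['entries']} encrypted entries visible by name",
             "sites/folders: " + ", ".join(meta["top_level"]),
             "entry names:   " + ", ".join(meta["names"])]
    for name, folders in name_reuse(text).items():
        lines.append(f"'{name}' reused across: " + ", ".join(folders))
    return "\n".join(lines)


if __name__ == "__main__":
    listing = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LISTING
    print(report(listing))
```

Run it as `pass git ls-files | python3 audit_store.py` (the script name is arbitrary) to see exactly what the hosting provider, or anyone who obtains a copy of the remote, learns from your store. Every item it prints is what the entombing extension or an encrypting remote helper mentioned above would hide.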
