On 09.02.20 at 18:52, Louis ProtonMail wrote:
> I might not be understanding things well, but how is one supposed to
> access the plaintext saved passwords without having the keys used to
> encrypt them and the password to those keys? Where do you keep your GPG
> keys so that you can decrypt the pass entries?

I think this is exactly the issue here: you can't, unless you give up some security. If a malicious actor gets into the remote server, he has access to both the private key and the GPG-encrypted files. He would be only one passphrase away from your passwords.

I keep my GPG private key on a smartcard. Without this smartcard attached to my device, I can't decrypt my passwords.

> Essentially this is correct, mainly as an educational exercise on
> understanding encryption and security principles better.

Ok, understood, thanks for confirming :-)

If I were to implement a remote service like that, I would download the single encrypted password file I need and only *locally* decrypt it. Which is more or less equivalent to using pass offline or with syncthing.

I believe the intended use case for pass is to store encrypted passwords offline. Any other solution to use it "over the wire" would extend the attack surface (imo).

_______________________________________________
Password-Store mailing list
[email protected]
https://lists.zx2c4.com/mailman/listinfo/password-store
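The "download one encrypted entry, decrypt only locally" workflow described in the reply above, written out as an added example that is not part of the thread or of pass itself. It assumes a remote host reachable over ssh (the `REMOTE` and `REMOTE_STORE` values are placeholders) that holds only the `.gpg` ciphertext files, while the GPG private key stays on the local machine or smartcard; the `valid_entry` check is this example's own addition so that an entry name cannot escape the store directory or break out of the quoted remote command.

```sh
#!/bin/sh
# Added example (not from the thread or the pass project): fetch exactly one
# encrypted entry from a remote password-store over ssh and decrypt it on the
# local machine only. The server never needs the private key, so compromise of
# the server yields ciphertext only.
set -eu

# Assumptions: REMOTE is an ssh host alias for the server holding the store;
# REMOTE_STORE is the store directory on that host (both are placeholders).
REMOTE="${REMOTE:-user@remote.example}"
REMOTE_STORE="${REMOTE_STORE:-.password-store}"

# Accept only entry names that stay inside the store and are safe to embed in
# the single-quoted remote command: no leading dash (option injection), no
# absolute path, no '..' component, no quote or whitespace characters.
valid_entry() {
  case "$1" in
    ''|-*|/*|..|../*|*/..|*/../*|*"'"*|*[[:space:]]*) return 1 ;;
  esac
  return 0
}

# Stream the ciphertext from the remote host and pipe it into gpg locally.
# gpg reads the ciphertext from stdin; the private key (or smartcard) must be
# available on this machine, never on the remote one.
fetch_and_decrypt() {
  entry="$1"
  if ! valid_entry "$entry"; then
    echo "refusing unsafe entry name: $entry" >&2
    return 2
  fi
  ssh "$REMOTE" "cat -- '$REMOTE_STORE/$entry.gpg'" | gpg --quiet --decrypt
}

# Usage: ./fetch_entry.sh email/example.org
if [ $# -gt 0 ]; then
  fetch_and_decrypt "$1"
fi
```

Because only a single ciphertext file crosses the wire and decryption happens behind the local `gpg` (and thus behind the smartcard, if the key lives there), this matches the reply's point that the setup is no weaker than running pass offline or syncing the store with syncthing.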
