On Sat, 15 Feb 2020 02:39:11 +0100 "[email protected]" <[email protected]> wrote:
> Am 09.02.20 um 19:14 schrieb [email protected]: > > Am 09.02.20 um 18:52 schrieb Louis ProtonMail: > >> I might not be understanding things well, but how is one supposed to > >> access the plaintext saved passwords without having the keys used to > >> encrypt them and the password to those keys? Where do you keep your GPG > >> keys so that you can decrypt the pass entries? > > > > I think this is exactly the issue here: you can't, unless you give up > > some security. If a malicious actor gets into the remote server, he has > > access to both private key and GPG encrypted files. He would be only one > > passphrase away from your passwords. > > > > I keep my GPG private key into a smartcard. Without this smartcard > > attached to my device, I can't decrypt my passwords. > > (...) > > For a long time I have wondered, if I can run a full blown class 3 card > reader with its own pinpad on an Android smartphone :-) It´s soon time > to try :-) > Though, I´d never run a simple card reader without pinpad on an Android > device, the fear, the pin could get eavesdropped is too big. Smartphones > are inherently insecure. > > > _______________________________________________ > Password-Store mailing list > [email protected] > https://lists.zx2c4.com/mailman/listinfo/password-store Hi guys I'm chiming in : sshfs + changing temporarly the PASSWORD_STORE_DIR system variable to the remote mounted password store dir works ? have you tried it or in your use case you can't use ssh ? Maybe customize your script with a PASSWORD_STORE_DIR_SSHFS, so your keys aren't sitting on the remote device. I know the Termux app on android have sshd capabilities. Kind regards, -- Miquel Lionel <[email protected]>
pgpC5fnfsbQpB.pgp
Description: PGP signature
_______________________________________________ Password-Store mailing list [email protected] https://lists.zx2c4.com/mailman/listinfo/password-store
