Anyone know of a gpg-encrypted secrets sharing software that allows a client to hold different "bases/repositories" of secrets?
Hi!

Say I want to use the tools pass, or git secret to semi-automatically
encrypt secrets I share with others in my team.
In addition I have a separate git repository where I've co-located both
passwords and totp tokens (though separated with different yubikeys so as
not to completely invalidate the totp keys).

Does anyone know of a tool/software that works much like pass/git secret,
but also easily/simply allows you to access two different
bases/repositories (like my personal passwords/totp and team one above)
with the same tool/cli?
Had it not been for pass demanding ultimate trust, I might've been happy
with that although I would've preferred to avoid the function/alias
work-around of `PASS_SECRETS_FOLDER=work|personal pass`.

--
Med vennlig hilsen/Kind regards,
Christian Chavez
Phone/Tlf: +47 922 22 603
Re: Anyone know of a gpg-encrypted secrets sharing software that allows a client to hold different "bases/repositories" of secrets?
Hi Christian,

When I read the subject, I was thinking exactly of pass.

Am Fr den 11. Jun 2021 um 18:44 schrieb Christian Chavez via Gnupg-users:
> Does anyone know of a tool/software that works much like pass/git secret,
> but also easily/simply allows you to access two different
> bases/repositories (like my personal passwords/totp and team one above)
> with the same tool/cli?

You can combine multiple pass repositories into one using, for example,
git submodules. I used that over many years. Having a cron job that
committed all submodules changes in the top pass git automatically.

In pass, you can have different keys for each subtree. See the man page
for `pass init --path=sub-folder`.

Regards
Klaus
--
Klaus Ethgen http://www.ethgen.ch/
pub 4096R/4E20AF1C 2011-05-16 Klaus Ethgen <Klaus@Ethgen.ch>
Fingerprint: 85D4 CA42 952C 949B 1753 62B3 79D0 B06F 4E20 AF1C
Re: Anyone know of a gpg-encrypted secrets sharing software that allows a client to hold different "bases/repositories" of secrets?
Hi Klaus,

On Sat, Jun 12, 2021 at 2:44 PM Klaus Ethgen <klaus+gnupg@ethgen.ch> wrote:

> You can combine multiple pass repositories into one using, for example,
> git submodules. I used that over many years. Having a cron job that
> committed all submodules changes in the top pass git automatically.
>
Thank you so much for your suggestion! I will see if I can automate this
somehow without putting my private key (currently on a yubikey) on the machine
=)
(If you - or anyone else - have got any tips/suggestions, I'm all ears!)


> In pass, you can have different keys for each subtree. See the man page
> for `pass init --path=sub-folder`.
>
This is indeed what "solves" my problem, but I fail to understand how I can
utilize this.
Maybe I'm interpreting the keyword "init" wrongly, but I was hoping to
avoid "hand-crafted" aliases/the like to reference different
subdirectories/trees of passwords.

My `man pass init` says the following:
> init [ --path=sub-folder, -p sub-folder ] gpg-id...
> Initialize new password storage and use gpg-id for
> encryption. Multiple gpg-ids may be specified, in order to encrypt each
> password with multiple ids. This command must be run first before a
> password store can be used. If the specified gpg-id is different from
> the key used in any existing files, these files will be
> reencrypted to use the new id. (...) If --path or -p is specified, along
> with an argument, a specific gpg-id or set of gpg-ids is assigned for that
> specific sub folder of the password store. (...)

My workflow so far has been:
1. `pass init <my public gpg key>`
2. Add secrets I want to unlock with pass with this specific key.
3. Use `pass git` to sync between clients.

So, in an attempt to clarify my confusion (nevermind the oxymoron that
becomes):
Are you supposed to run `pass init --path <subfolder within
$PASSWORD_STORE_DIR> <gpg key(s)>` within an already established
PASSWORD_STORE_DIR?
Is this the missing link in my understanding?

Something like this?
```
tree .password-store/
.password-store/
├── accountX
├── accountY
├── accountZ
├── ASSOCIATE_MY_SPECIFIED_GPG_ID(S)_FOR_ALL_ITEMS_HERE_ON_DOWNWARDS
├── work-teamA
│   └── ASSOCIATE_ABOVE_REFERENCED_GPG_ID(S)_AND_THOSE_OF_TEAM_A_FOR_ALL_ITEMS_HERE_ON_DOWNWARDS
└── work-teamB
    └── ASSOCIATE_ABOVE_REFERENCED_GPG_ID(S)_AND_THOSE_OF_TEAM_B_FOR_ALL_ITEMS_HERE_ON_DOWNWARDS
```

--
Med vennlig hilsen/Kind regards,
Christian Chavez
Phone/Tlf: +47 922 22 603
Re: Anyone know of a gpg-encrypted secrets sharing software that allows a client to hold different "bases/repositories" of secrets?
Hi Christian,

Am Sa den 12. Jun 2021 um 15:13 schrieb Christian Chavez:
> (If you - or anyone else - have got any tips/suggestions, I'm all ears)!

It was something like `cd $HOME/.password-store && git add -u && git commit
-m "autocommit"`. I no longer have the cron.

And the submodules were created with a normal pass init on a different
machine.

> > In pass, you can have different keys for each subtree. See the man page
> > for `pass init --path=sub-folder`.
> >
> This is indeed what "solves" my problem, but I fail to understand how I can
> utilize this.
> Maybe I'm interpreting the keyword "init" wrongly, but I was hoping to
> avoid "hand-crafted" aliases/the like to reference different
> subdirectories/trees of passwords.

The trick is that there can be a .gpg-id anywhere in the subtree,
changing the keys that can access the passes.

A `pass init -p ...` just creates a .gpg-id inside that sub-folder. But
the content could be the same as in the top dir.

> So, in an attempt to clarify my confusion (nevermind the oxymoron that
> becomes);
> Are you supposed to `pass init --path <subfolder within
> $PASSWORD_STORE_DIR><gpg key(s)>` within an already established
> PASSWORD_STORE_DIR?

Yes.

You can even add/edit that .gpg-id manually, but then you have to handle
the reencryption yourself.

Also be aware that (as you have that in git) if a user was able to
decrypt passes in the past, he will be able to in the future too (just go
back in the git history). So, if you plan to have more limited access for
a subtree than in the main, then you have to start with that so. Keep also
in mind that anybody with write access to git could write a .gpg-id with
his key included to let him access all future stored passes in that
tree.

I had that this way:
- my private main password-store with main .gpg-id
- ...
- geschäftlich (a git submodule synced from a different machine). That
dir includes its own .gpg-id.
There were even trees with more or fewer keys inside.

Have fun.

Regards
Klaus
--
Klaus Ethgen http://www.ethgen.ch/
pub 4096R/4E20AF1C 2011-05-16 Klaus Ethgen <Klaus@Ethgen.ch>
Fingerprint: 85D4 CA42 952C 949B 1753 62B3 79D0 B06F 4E20 AF1C
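Two points in this thread are worth seeing mechanically: how pass picks the recipient keys for a secret (the nearest `.gpg-id` walking up from the secret towards the store root, which is what `pass init -p` writes), and Klaus's warning that anyone with write access to the git repository can drop an extra key id into a subtree's `.gpg-id`. The script below is an added example, not code from the thread or from the pass project: it rebuilds Christian's sketched layout in a throwaway directory with constructed placeholder key ids (no gpg or real keys needed), resolves the governing `.gpg-id` for a given secret the way pass does, and audits every `.gpg-id` in the tree against an allowlist of expected key ids so an unexpected addition is flagged. The function names, the allowlist file, and the `# comment` convention in `.gpg-id` are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not part of the original thread or of pass itself).

# Print the key ids in a .gpg-id file, one per line. Trailing "# comments",
# trailing whitespace and blank lines are dropped (this example's convention).
read_gpg_id() {
  sed -e 's/#.*$//' -e 's/[[:space:]]*$//' -e '/^$/d' "$1"
}

# Resolve the .gpg-id that governs the secret at relative path $2 inside
# store root $1: walk upward from the secret's directory until a .gpg-id is
# found, stopping at the store root. Prints the path of that .gpg-id file.
find_gpg_id() {
  store=$1
  dir=$(dirname "$store/$2")
  while :; do
    if [ -f "$dir/.gpg-id" ]; then
      printf '%s\n' "$dir/.gpg-id"
      return 0
    fi
    [ "$dir" = "$store" ] && return 1   # reached the root without a .gpg-id
    dir=$(dirname "$dir")
  done
}

# Print the key ids a secret would be encrypted to (store root $1, secret $2).
keys_for() {
  f=$(find_gpg_id "$1" "$2") || return 1
  read_gpg_id "$f"
}

# Audit: report every key id in any .gpg-id under store $1 that is not listed
# in allowlist file $2 (one expected key id per line). Returns 1 on findings.
audit_gpg_ids() {
  findings=$(
    find "$1" -name .gpg-id | while read -r f; do
      read_gpg_id "$f" | while read -r kid; do
        grep -qxF "$kid" "$2" || printf 'UNEXPECTED %s in %s\n' "$kid" "$f"
      done
    done
  )
  [ -z "$findings" ] && return 0
  printf '%s\n' "$findings"
  return 1
}

# Build a throwaway store shaped like the sketch in the thread, using
# constructed placeholder key ids. Prints the store path.
make_demo_store() {
  s=$(mktemp -d)
  mkdir -p "$s/work-teamA/vpn" "$s/work-teamB"
  printf '%s\n' 'PERSONAL_KEY_PLACEHOLDER' > "$s/.gpg-id"
  # Subtree with its own .gpg-id: personal key plus team A's key.
  printf '%s\n' 'PERSONAL_KEY_PLACEHOLDER' \
                'TEAMA_KEY_PLACEHOLDER   # team A' > "$s/work-teamA/.gpg-id"
  # Subtree where someone with push access appended a key nobody expected.
  printf '%s\n' 'PERSONAL_KEY_PLACEHOLDER' 'TEAMB_KEY_PLACEHOLDER' \
                'UNEXPECTED_KEY_PLACEHOLDER' > "$s/work-teamB/.gpg-id"
  # Empty stand-ins for encrypted entries (no real ciphertext needed here).
  : > "$s/accountX.gpg"
  : > "$s/work-teamA/vpn/router.gpg"
  : > "$s/work-teamB/db.gpg"
  printf '%s\n' "$s"
}

# Run as `sh this_file.sh demo` to see the lookup and the audit in action.
if [ "${1:-}" = demo ]; then
  S=$(make_demo_store)
  echo "accountX.gpg is governed by:    $(find_gpg_id "$S" accountX.gpg)"
  echo "work-teamA/vpn/router.gpg keys: $(keys_for "$S" work-teamA/vpn/router.gpg | tr '\n' ' ')"
  A=$(mktemp)
  printf '%s\n' PERSONAL_KEY_PLACEHOLDER TEAMA_KEY_PLACEHOLDER TEAMB_KEY_PLACEHOLDER > "$A"
  audit_gpg_ids "$S" "$A" || echo "audit found unexpected key ids"
  rm -rf "$S" "$A"
fi
```

The audit only covers the current working tree; as Klaus notes, a key that was ever listed in a `.gpg-id` could decrypt every entry committed while it was listed, so the same check is worth running over each historical revision of the `.gpg-id` files (for example from a pre-receive hook or a CI job) rather than once.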