Anyone know of a gpg-encrypted secrets sharing software that allows a client to hold different "bases/repositories" of secrets?

Christian Chavez x10an14 at gmail.com
Sat Jun 12 16:13:13 CEST 2021


Hi Klaus,

On Sat, Jun 12, 2021 at 2:44 PM Klaus Ethgen <klaus+gnupg at ethgen.ch> wrote:

> You can combine multiple pass repositories into one using, for example,
> git submodules. I used that over many years. Having a cron job that
> committed all submodules changes in the top pass git automatically.
>
Thank you so much for your suggestion! I will see if I can automate this
somehow without putting my private key (currently on a yubikey) on the
machine =)
(If you - or anyone else - have got any tips/suggestions, I'm all ears!)


> In pass, you can have different keys for each subtree. See the man page
> for `pass init --path=sub-folder`.
>
This is indeed what "solves" my problem, but I fail to understand how I can
utilize this.
Maybe I'm interpreting the keyword "init" wrongly, but I was hoping to
avoid "hand-crafted" aliases/the like to reference different
subdirectories/trees of passwords.

My `man pass init` says the following:
>        init [ --path=sub-folder, -p sub-folder ] gpg-id...
>             Initialize new password storage and use gpg-id for
>             encryption. Multiple gpg-ids may be specified, in order to encrypt each
>             password with multiple ids. This command must be run first before a
>             password store can be used. If the specified gpg-id is different from
>             the key used in any existing files, these files will be
>             reencrypted to use the new id. (...) If --path or -p is specified, along
>             with an argument, a specific gpg-id or set of gpg-ids is assigned for that
>             specific sub folder of the password store. (...)

My workflow so far has been:
1. `pass init <my public gpg key>`
2. Add secrets I want to unlock with pass with this specific key.
3. Use `pass git` to sync between clients.

So, in an attempt to clarify my confusion (never mind the oxymoron that
becomes):
Are you supposed to run `pass init --path <subfolder within
$PASSWORD_STORE_DIR> <gpg key(s)>` within an already established
PASSWORD_STORE_DIR?
Is this the missing link in my understanding?

Something like this?
```
tree .password-store/
.password-store/
├── accountX
├── accountY
├── accountZ
├── ASSOCIATE_MY_SPECIFIED_GPG_ID(S)_FOR_ALL_ITEMS_HERE_ON_DOWNWARDS
├── work-teamA
│   └── ASSOCIATE_ABOVE_REFERENCED_GPG_ID(S)_AND_THOSE_OF_TEAM_A_FOR_ALL_ITEMS_HERE_ON_DOWNWARDS
└── work-teamB
    └── ASSOCIATE_ABOVE_REFERENCED_GPG_ID(S)_AND_THOSE_OF_TEAM_B_FOR_ALL_ITEMS_HERE_ON_DOWNWARDS
```

-- 
Med vennlig hilsen/Kind regards,
Christian Chavez
Phone/Tlf: +47 922 22 603
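Appended as an illustration of the `pass init --path` mechanism the thread is asking about; this is added example code, not something posted in the thread or taken from pass itself. It assumes only a POSIX shell: it builds a temporary store with constructed placeholder key ids and empty stand-in `.gpg` files, so it runs without gpg or pass installed, and the function names (`build_demo_store`, `resolve_gpg_ids`, `entries_under`) are my own. What it shows is the on-disk effect of the two `pass init` forms (`.gpg-id` at the store root versus `<subfolder>/.gpg-id`) and the lookup pass performs when encrypting an entry: the nearest `.gpg-id` walking up from the entry's directory wins, and it replaces rather than extends the parent's list.

```sh
#!/bin/sh
# Added example, not from the thread or from pass itself. It simulates, in
# plain sh with no gpg or pass installed, how pass chooses recipients:
#   `pass init MYKEY`                        writes <store>/.gpg-id
#   `pass init --path=work-teamA MYKEY TEAMKEY` writes <store>/work-teamA/.gpg-id
# When an entry is (re)encrypted, pass uses the NEAREST .gpg-id found by
# walking up from the entry's directory; parent ids are not merged in.
# All key ids below are constructed placeholders.

# Build a throw-away store in $1 with the layout sketched in the thread.
build_demo_store() {
    store="$1"
    mkdir -p "$store/work-teamA" "$store/work-teamB"
    # what `pass init MYKEY` leaves behind at the store root
    printf '%s\n' MYKEY_PLACEHOLDER > "$store/.gpg-id"
    # what `pass init --path=work-teamA MYKEY TEAMA_KEY` leaves behind;
    # MYKEY must be repeated here, or the team entries are unreadable to me
    printf '%s\n' MYKEY_PLACEHOLDER TEAMA_KEY_PLACEHOLDER > "$store/work-teamA/.gpg-id"
    printf '%s\n' MYKEY_PLACEHOLDER TEAMB_KEY_PLACEHOLDER > "$store/work-teamB/.gpg-id"
    # stand-ins for encrypted entries (empty files; content is irrelevant here)
    : > "$store/accountX.gpg"
    : > "$store/work-teamA/jira.gpg"
    : > "$store/work-teamA/vpn.gpg"
    : > "$store/work-teamB/wiki.gpg"
}

# Print, space-separated, the gpg ids that apply to entry $2 in store $1.
# $1 must be an absolute path without a trailing slash (as mktemp -d gives).
resolve_gpg_ids() {
    store="$1"; entry="$2"
    case "$entry" in
        */*) dir="$store/${entry%/*}" ;;   # entry lives in a subfolder
        *)   dir="$store" ;;               # entry lives at the store root
    esac
    while :; do
        if [ -f "$dir/.gpg-id" ]; then
            paste -sd ' ' "$dir/.gpg-id"   # nearest .gpg-id wins outright
            return 0
        fi
        [ "$dir" = "$store" ] && break     # never climb above the store root
        dir="${dir%/*}"
    done
    echo "no .gpg-id applies to $entry; run 'pass init' first" >&2
    return 1
}

# List the entries below subfolder $2 of store $1, i.e. the files that
# `pass init --path=$2 ...` would decrypt and re-encrypt with the new ids.
entries_under() {
    store="$1"; sub="$2"
    ( cd "$store" && find "$sub" -type f -name '*.gpg' | sed 's/\.gpg$//' | sort )
}

demo() {
    store=$(mktemp -d)
    build_demo_store "$store"
    for e in accountX work-teamA/jira work-teamB/wiki; do
        printf '%-18s -> %s\n' "$e" "$(resolve_gpg_ids "$store" "$e")"
    done
    echo "entries re-encrypted by 'pass init --path=work-teamA ...':"
    entries_under "$store" work-teamA
    rm -rf "$store"
}

demo
```

Two practical consequences follow from the lookup. First, because the subfolder's `.gpg-id` replaces the root list, each team subtree must name your own key as well as the team keys, otherwise you lock yourself out of that subtree. Second, `pass init --path=<subfolder> ...` re-encrypts every existing entry under that subfolder, which means decrypting them first, so it has to run on a machine where the private key (here, the yubikey) is available. Since the `.gpg-id` recipient list travels with the shared git repository, pass's optional signature check on it (`PASSWORD_STORE_SIGNING_KEY`) is worth enabling once several people can push to the same store.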