Anyone know of a gpg-encrypted secrets sharing software that allows a client to hold different "bases/repositories" of secrets?

Klaus Ethgen klaus+gnupg at
Sat Jun 12 23:23:40 CEST 2021

Hi Christian,

On Sat, 12 Jun 2021 at 15:13, Christian Chavez wrote:
> (If you - or anyone else - have got any tips/suggestions, I'm all ears)!

It was something like
`cd $HOME/.password-store && git add -u && git commit -m "autocommit"`.
I no longer have the cron.

And the submodules was created with a normal pass init on a different

> > In pass, you can have different keys for each subtree. See the man page
> > for `pass init --path=sub-folder`.
> >
> This is indeed what "solves" my problem, but I fail to understand how I can
> utilize this.
> Maybe I'm interpreting the keyword "init" wrongly, but I was hoping to
> avoid "hand-crafted" aliases/the like to reference different
> subdirectories/trees of passwords.

The trick is that there can be a .gpg-id anywhere in the subtree,
changing the keys that can access the passes.

A `pass init -p ...` just creates a .gpg-id inside that sub-folder. But
the content could be the same as in the top dir.

> So, in an attempt to clarify my confusion (nevermind the oxymoron that
> becomes);
> Are you supposed to `pass init --path <subfolder within
> $PASSWORD_STORE_DIR><gpg key(s)>` within an already established


You can even add/edit that .gpg-id manually, but then you have to handle
the reencryption yourself.

Also be aware that (as you have that in git) if a user was able to
decrypt passes in the past, he will be in the future too (just go back
in the git history). So, if you plan to have more limited access for a
subtree than in the main, then you have to start out that way. Also keep
in mind that anybody with write access to git could write a .gpg-id with
his key included to let him access all future stored passes in that
I had that this way:
- my private main password-store with main .gpg-id
  - ...
  - geschäftlich (a git submodule synced from a different machine). That
    dir includes its own .gpg-id.
    There were even trees with more or fewer keys inside.

Have fun.

Klaus Ethgen                             
pub  4096R/4E20AF1C 2011-05-16            Klaus Ethgen <Klaus at>
Fingerprint: 85D4 CA42 952C 949B 1753  62B3 79D0 B06F 4E20 AF1C
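
The `.gpg-id` lookup and the write-access caveat from the message above, as an added example that is not part of the original post and not pass's own code: the first function finds which `.gpg-id` governs an entry by walking up from its directory to the store root, the second lists recipients that are not on an allowlist. The key IDs, directory names and the `allowed-keys` file are constructed for the demo.

```shell
#!/bin/sh
# Added example, not pass's own code. Key IDs, paths and allowed-keys are constructed.

# Print the .gpg-id that governs an entry: the nearest one found walking up
# from the entry's directory to the store root.
governing_gpg_id() {
    store=$1
    dir=$(dirname "$store/$2")
    while [ "$dir" != "$store" ] && [ "$dir" != "/" ] && [ ! -f "$dir/.gpg-id" ]; do
        dir=$(dirname "$dir")
    done
    printf '.%s/.gpg-id\n' "${dir#"$store"}"
}

# Print "<.gpg-id file>: <recipient>" for every recipient not in the allowlist.
unexpected_recipients() {
    store=$1
    allow=$2
    find "$store" -type f -name .gpg-id | sort | while IFS= read -r f; do
        # Drop comments, trailing blanks and empty lines before comparing.
        sed -e 's/#.*//' -e 's/[[:space:]]*$//' -e '/^$/d' "$f" |
        while IFS= read -r id; do
            grep -qxF -- "$id" "$allow" || printf '%s: %s\n' "${f#"$store"/}" "$id"
        done
    done
}

# Build a throwaway store: root key, a shared subtree, and a nested subtree
# whose .gpg-id carries a key that is not on the allowlist.
make_demo_store() {
    s=$(mktemp -d)
    mkdir -p "$s/private" "$s/work/team-a"
    printf '%s\n' KEY-OWNER > "$s/.gpg-id"
    printf '%s\n' KEY-OWNER KEY-COLLEAGUE > "$s/work/.gpg-id"
    printf '%s\n' KEY-OWNER KEY-UNKNOWN > "$s/work/team-a/.gpg-id"
    # Kept inside the temp dir for the demo only; a real allowlist belongs
    # outside the repository that is being audited.
    printf '%s\n' KEY-OWNER KEY-COLLEAGUE > "$s/allowed-keys"
    printf '%s\n' "$s"
}

demo=$(make_demo_store)
governing_gpg_id "$demo" private/mail
governing_gpg_id "$demo" work/team-a/vpn
unexpected_recipients "$demo" "$demo/allowed-keys"
rm -rf "$demo"
```

Run against a checkout before pulling or merging, the second function shows a changed `.gpg-id` before any new entry is encrypted to it.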

More information about the Gnupg-users mailing list