Second OpenPGP-card
Jacob Bachmeyer
jcb62281 at gmail.com
Thu Feb 29 00:41:01 CET 2024
Matthias Apitz wrote:
> El día miércoles, febrero 28, 2024 a las 10:32:43 +0100, Werner Koch via Gnupg-users escribió:
>
>> On Tue, 27 Feb 2024 20:52, Jacob Bachmeyer said:
>>
>>> Therefore, pass(1) almost certainly has its own list of keys stored
>>>
>> pass stores the fingerprints of the keys in a .gpg-id file and allows
>> setting different ones per directory.
>>
>
> Werner,
>
> I have only one .gpg-id file on my L5 mobile in my password-store:
>
> purism at pureos:~$ find .password-store/ -name .gpg-id
> .password-store/.gpg-id
>
> purism at pureos:~$ cat .password-store/.gpg-id
> CCID L5
>
That .gpg-id file would be the list I was talking about. It seems that
pass(1) stores the actual keys on your main GPG keyring, but keeps a
list of /which/ keys should be able to decrypt passwords separately.
(Also ensure that there is never a rogue PASSWORD_STORE_KEY variable in
your environment: if set, it overrides the search for a .gpg-id file.)
There is also a facility for maintaining GPG signatures on those .gpg-id
files, which would make sneaking in Mallory's key far more difficult if
you were to use it. I suspect that the pass(1) manpage has more
information and may be interesting reading. Overall, this seems to be a
good design.
I would also suggest using the key fingerprints instead of names when
you reencrypt your password store, as I suspect that your new and old
smartcard keys may have similar names.
As Werner mentioned, you can also have different .gpg-id files for
different parts of your password store, if you wanted some passwords to
only be available with certain smartcards.
-- Jacob
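An added example, not from this thread, that audits a password store along the lines described above: it lists every .gpg-id, flags recipients written as names rather than full fingerprints, reports whether a detached .gpg-id.sig sits beside each file (the filename pass uses when .gpg-id signing is enabled; assumed here, not stated in the thread), and warns if PASSWORD_STORE_KEY is set in the environment.

```shell
#!/bin/sh
# Audit a pass(1) password store without touching gpg: walk the store,
# report each .gpg-id, its recipients and whether a .gpg-id.sig exists.
# Exit status of audit_store is the number of findings (capped at 255).

# is_fingerprint ID -> 0 if ID is a full 40-hex-digit (v4) fingerprint
is_fingerprint() {
    case "$1" in
        *[!0-9A-Fa-f]*) return 1 ;;
        *) [ "${#1}" -eq 40 ] ;;
    esac
}

# audit_store DIR -> prints findings; returns the number of problems found
audit_store() {
    store="$1"
    problems=0
    # A stray PASSWORD_STORE_KEY makes pass ignore every .gpg-id file.
    if [ -n "${PASSWORD_STORE_KEY:-}" ]; then
        echo "WARNING: PASSWORD_STORE_KEY is set; .gpg-id files are ignored"
        problems=$((problems + 1))
    fi
    # pass allows one .gpg-id per directory subtree; visit all of them
    # (paths are assumed to contain no whitespace).
    for idfile in $(find "$store" -name .gpg-id -print); do
        echo "$idfile:"
        if [ -f "$idfile.sig" ]; then
            echo "  signed   (.gpg-id.sig present)"
        else
            echo "  unsigned (no .gpg-id.sig; a swapped key would go unnoticed)"
        fi
        # read every recipient line, tolerating a missing final newline
        while IFS= read -r id || [ -n "$id" ]; do
            [ -z "$id" ] && continue
            if is_fingerprint "$id"; then
                echo "  OK   fingerprint $id"
            else
                echo "  WARN name-style recipient '$id' (ambiguous; use the fingerprint)"
                problems=$((problems + 1))
            fi
        done < "$idfile"
    done
    [ "$problems" -gt 255 ] && problems=255
    return "$problems"
}
```

Run it as `audit_store ~/.password-store`; a non-zero exit status means at least one finding was printed.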