<div dir="ltr"><div><div><div><div><div><div dir="ltr"><div>Hi Klaus,</div><div><br></div></div><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Sat, Jun 12, 2021 at 2:44 PM Klaus Ethgen <<a href="mailto:klaus%2Bgnupg@ethgen.ch">klaus+gnupg@ethgen.ch</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
You can combine multiple pass repositories into one using, for example,<br>
git submodules. I used that over many years. Having a cron job that<br>
committed all submodule changes in the top pass git automatically.<br></blockquote><div>Thank you so much for your suggestion! I will see if I can automate this somehow without putting my private key (currently on a yubikey) on the machine =)<br></div><div>(If you - or anyone else - have got any tips/suggestions, I'm all ears!)<br></div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
In pass, you can have different keys for each subtree. See the man page<br>
for `pass init --path=sub-folder`.<br clear="all"></blockquote><div>This is indeed what "solves" my problem, but I fail to understand how I can utilize this.<br></div><div>Maybe I'm interpreting the keyword "init" wrongly, but I was hoping to avoid "hand-crafted" aliases/the like to reference different subdirectories/trees of passwords.<br></div><div><br></div><div>My `man pass init` says the following:<br>> init [ --path=sub-folder, -p sub-folder ] gpg-id...<br>> Initialize new password storage and use gpg-id for encryption. Multiple gpg-ids may be specified, in order to encrypt each password with multiple ids. This command must be run first before a password store can be used. If the specified gpg-id is different from<br>> the key used in any existing files, these files will be reencrypted to use the new id. (...) If --path or -p is specified, along with an argument, a specific gpg-id or set of gpg-ids is assigned for that specific sub folder of the password store. (...)<br></div></div><br></div>My workflow so far has been:<br></div>1. `pass init <my public gpg key>`<br></div>2. Add secrets I want to unlock with pass with this specific key.<br></div>3. Use `pass git` to sync between clients.<br></div><div><br></div><div>So, in an attempt to clarify my confusion (never mind the oxymoron that becomes):<br></div><div>Are you supposed to `pass init --path <subfolder within $PASSWORD_STORE_DIR> <gpg key(s)>` within an already established PASSWORD_STORE_DIR? <br>Is this the missing link in my understanding? 
<br><br>Something like this?</div>```<br>tree .password-store/<br>.password-store/<br>├── accountX<br>├── accountY<br>├── accountZ<br>├── ASSOCIATE_MY_SPECIFIED_GPG_ID(S)_FOR_ALL_ITEMS_HERE_ON_DOWNWARDS<br>├── work-teamA<br>│ └── ASSOCIATE_ABOVE_REFERENCED_GPG_ID(S)_AND_THOSE_OF_TEAM_A_FOR_ALL_ITEMS_HERE_ON_DOWNWARDS<br>└── work-teamB<br> └── ASSOCIATE_ABOVE_REFERENCED_GPG_ID(S)_AND_THOSE_OF_TEAM_B_FOR_ALL_ITEMS_HERE_ON_DOWNWARDS<br>```<br><div><div><div><div><div><div><div><div><div><div><br><div>-- <br><div dir="ltr" class="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div><div dir="ltr"><div dir="ltr"><div><span style="font-size:12.8px">Med vennlig hilsen/Kind regards,</span><br></div><div><div>Christian Chavez</div><div>Phone/Tlf: +47 922 22 603</div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div>
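As an added example (not code from pass or from this thread), the script below emulates how pass chooses the recipients for an entry: it walks up from the entry's directory to the nearest `.gpg-id` file and uses exactly that file, so a subfolder's `.gpg-id` replaces, rather than extends, the parent's list. Running `pass init --path=work-teamA KEY1 KEY2` inside an already initialised store is what creates `work-teamA/.gpg-id` and re-encrypts that subtree; the key ids and folder names here are constructed placeholders.

```shell
#!/bin/sh
# Added example, not pass's own code: emulate pass's .gpg-id lookup on a
# constructed store. Key ids are placeholders, not real GPG fingerprints.

DEMO_ROOT="$(mktemp -d)"
trap 'rm -rf "$DEMO_ROOT"' EXIT
DEMO_STORE="$DEMO_ROOT/.password-store"
mkdir -p "$DEMO_STORE/work-teamA" "$DEMO_STORE/work-teamB/projectX"

# Root .gpg-id (what `pass init ME_PLACEHOLDER_KEYID` writes).
printf '%s\n' 'ME_PLACEHOLDER_KEYID' > "$DEMO_STORE/.gpg-id"
# Subfolder .gpg-id (what `pass init -p work-teamA ME_PLACEHOLDER_KEYID
# TEAMA_PLACEHOLDER_KEYID` writes). It must list my own key again, because
# pass does not merge a subfolder's .gpg-id with the root one.
printf '%s\n' 'ME_PLACEHOLDER_KEYID' \
    'TEAMA_PLACEHOLDER_KEYID # shared team A key' > "$DEMO_STORE/work-teamA/.gpg-id"

# resolve_gpg_ids STORE ENTRY: print the recipient ids pass would encrypt
# ENTRY (e.g. work-teamB/projectX/db) to, one per line, comments stripped.
resolve_gpg_ids() {
    store="$1"
    case "$2" in
        */*) current="$store/${2%/*}" ;;   # directory part of the entry
        *)   current="$store" ;;           # top-level entry
    esac
    # Walk upwards until a .gpg-id is found or the store root is reached.
    while [ "$current" != "$store" ] && [ ! -f "$current/.gpg-id" ]; do
        current="${current%/*}"
    done
    if [ ! -f "$current/.gpg-id" ]; then
        echo "no .gpg-id found; run 'pass init' first" >&2
        return 1
    fi
    # Drop trailing '# comments' and blank lines, as pass does when reading it.
    sed 's/[[:space:]]*#.*//; /^[[:space:]]*$/d' "$current/.gpg-id"
}

# Space-joined form for easy comparison.
ids_for() { resolve_gpg_ids "$DEMO_STORE" "$1" | tr '\n' ' ' | sed 's/ $//'; }

echo "accountX:               $(ids_for accountX)"
echo "work-teamA/vpn:         $(ids_for work-teamA/vpn)"
echo "work-teamB/projectX/db: $(ids_for work-teamB/projectX/db)"
```

Entries under `work-teamB/` fall back to the root `.gpg-id` because no closer one exists, which is why each team folder needs its own complete list of recipients.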