undefined | Better HN

0 pointsaeorgnoieang10y ago0 comments

> having filenames in plaintext

Why is this a limitation? Are you stating that each file in the 'repo' is encrypted separately? I figured it was the entire repo as a directory, in which case, when it's 'at rest', the whole thing is encrypted as a blob.

0 comments

2 comments · 1 top-level

drdaeman10y ago· 1 in thread

> the whole thing is encrypted as a blob

No, it's not.

With pass (just to be sure - we're talking about zx2c4's one, right?), the store contains a bunch of independent gpg-encrypted text files. However, the filenames are not encrypted or obfuscated by any means.

This has pros and cons. On the good side, you don't have to decrypt anything (which means, actually use your GPG key, which is best kept on an unplugged HSM) to just check if the credential's in the store (think auto-fill suggestion). Also, this architecture allows dead-simple (plain rsync or git!) approach for synchronization when there are no entry-level conflicts. On the bad side, anyone who has access to the filenames (local filesystem access or a clone of git repo) can figure out which resources you have credentials for. That's the price of the simplicity.

I.e. what you see in the very first example at https://www.passwordstore.org/ in the "Using the password store" section are the actual at-rest filenames. Run `ls -lR ~/.password-store` if you don't believe me ;)

Use of ecryptfs/encfs or git-remote-gcrypt was suggested to mitigate this, but those aren't perfect. Well, everything depends on the threat scenarios you consider.

aeorgnoieangOP10y ago

Sorry if this is too late to not be annoying.

What're the downsides or limitations of ecryptfs/encfs or git-remote-gcrypt – I was looking over Pass again and realized all of what you stated. I figured ecryptfs/encfs would work well enough to encrypt the Pass repo itself.

j / k navigate · click thread line to collapse