On Mon, 09 Dec 19, 18:35:46, Celejar wrote:
>
> I understand that many recommend encrypting the password store, but I
> haven't yet done this. 'pass', recommended by Jonas in another message
> in this thread, uses gpg to do this, and your recommendation of scrypt,
> IIUC, would serve a similar goal.
>
> I don't want to have to constantly enter a master password to access my
> passwords. pass recommends using gpg-agent, but then how much does one
> really gain by the encryption? I use full disk encryption (cryptsetup /
> LUKS), so the password file is secure at rest, and when I'm actually
> using the system, if gpg-agent is used, then anyone with access to the
> machine can access the password file anyway. I guess one gets some
> additional security in the case where one walks away from
> the machine and leaves it running (and an attacker doesn't get there
> before gpg-agent evicts the password from the cache), and similar cases.
>
> I admit that I'm not that familiar with gpg-agent, and am no expert in
> the topics under discussion. Please feel free to explain / remind
> me of aspects of the issues that I'm missing.
The recommendation to encrypt the password store is meant to avoid storing
passwords in clear text on unencrypted media, which is not much more secure
than sticking them on post-its on your monitor.

Let's not forget https://www.xkcd.com/538/.

Kind regards,
Andrei
--
http://wiki.debian.org/FAQsFromDebianUser
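The window Celejar describes, between walking away from the machine and gpg-agent dropping the cached passphrase, is set by two gpg-agent options. The fragment below is an added illustration for this thread, not text from either message: a ~/.gnupg/gpg-agent.conf that shortens the cache, with the command that flushes it on demand. The timeout values are example choices, not recommendations from the thread.

```conf
# ~/.gnupg/gpg-agent.conf  (added illustration; the values are example choices)

# Seconds a cached passphrase stays usable after it was last used.
# pass will prompt again once this expires (GnuPG default: 600).
default-cache-ttl 300

# Hard upper bound, in seconds, on how long a passphrase may stay cached
# no matter how often it is used (GnuPG default: 7200).
max-cache-ttl 1800

# After editing, make the running agent pick up the change. RELOADAGENT also
# flushes the passphrase cache, so binding the same command to a screen-lock
# hook closes the walk-away window without waiting for the TTL:
#
#   gpg-connect-agent reloadagent /bye
```

With these settings the plaintext store is still only as safe as the running session, which is Celejar's point; the TTLs merely bound how long an unlocked agent remains useful to someone who reaches the keyboard after you have stepped away.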