Quoting Dashamir Hoxha (2016-01-23 15:03:31)
> Why do you use asymmetric encryption (public/private keys).
> I think that symmetric encryption is easier, stronger, and simpler
> (you don't need to generate and maintain a key, all you need is
> a passphrase). It can be done with `gpg -c ...`.
I have two questions/concerns about the use of symmetric encryption. I assume that I store one password (or one secret) under each name in pass. GPG symmetric encryption needs a passphrase for each symmetrically encrypted file.

1. But that leads to a situation where I have to remember one GPG passphrase for every secret I want to store in pass. In my opinion this kills the main feature of a password manager: to store many secrets and unlock them with few/one (preferably strong) passphrase(s).

2. I could reuse the same passphrase for several secrets in pass (in order to circumvent point one). But then I still have to type in the same passphrase for every new secret I add to pass. And I would have to enter the passphrase for every secret in pass separately when retrieving them. This is because gpg-agent can and should never notice that two different files (both symmetrically encrypted) have the same passphrase.

Point two can be tested like this:

Encrypt two files and enter the same passphrase each time (say "foo"):

    echo test1 | gpg -c > test1.gpg
    echo test2 | gpg -c > test2.gpg

Now kill the gpg-agent (necessary as it did store the passphrases after encryption):

    pkill gpg-agent

Then try to decrypt the two test files in any order repeatedly:

    gpg -q < test1.gpg
    gpg -q < test1.gpg
    gpg -q < test2.gpg
    gpg -q < test2.gpg

You will notice that gpg asks you for the passphrase of each file on the first run it decrypts *this* file, regardless of whether another file with the same passphrase was already decrypted and the passphrase stored in the gpg-agent.

So regardless of any strength considerations about symmetric and asymmetric encryption I do not see any advantage in the interaction with pass when using symmetric encryption.

Cheers
Lucas

PS: Don't let the length of this argument stop you from proving me wrong :)
_______________________________________________ Password-Store mailing list [email protected] http://lists.zx2c4.com/mailman/listinfo/password-store
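Added example (written for this page; it is not Lucas's code, nor code from pass or GnuPG): the mechanism behind the per-file prompting Lucas observes above. Every `gpg -c` output begins with a Symmetric-Key Encrypted Session Key packet (OpenPGP tag 3, RFC 4880 section 5.3) that carries its own random 8-byte S2K salt, and the file key is derived from passphrase plus salt with the iterated-and-salted S2K (RFC 4880 section 3.7.1.3). Two files made with the passphrase "foo" therefore have unrelated keys, and a cache that the agent could legitimately share across them would have to be keyed on the passphrase text itself. The script parses the packet, runs the S2K derivation, and shows that the two keys differ. The salts, the count byte 0x60 (65536 octets hashed) and the two packets are constructed by hand for the example, not captured from gpg; the packets omit the optional encrypted-session-key field and are built with an old-format header, which is all the parser handles.

```python
"""Why gpg-agent cannot reuse one `gpg -c` passphrase for a second file.

Each symmetrically encrypted OpenPGP file starts with a tag-3 packet carrying
its own random 8-byte S2K salt (RFC 4880 5.3, 3.7.1.3). The message key is
derived from passphrase||salt, so "foo" for test1.gpg and "foo" for test2.gpg
give unrelated keys. Packets and salts below are constructed, not from gpg.
"""
import hashlib

AES128 = 7                # OpenPGP symmetric algorithm id (RFC 4880 9.2)
SHA1 = 2                  # OpenPGP hash algorithm id (RFC 4880 9.4)
S2K_ITERATED_SALTED = 3   # S2K specifier type (RFC 4880 3.7.1.3)


def s2k_iterated_salted(passphrase: bytes, salt: bytes, count_byte: int,
                        key_len: int, hash_name: str = "sha1") -> bytes:
    """Iterated and Salted S2K: hash salt||passphrase repeatedly until `count`
    octets have been fed in; extra hash contexts are preloaded with zero octets
    when the key is longer than one digest."""
    if len(salt) != 8:
        raise ValueError("S2K salt must be exactly 8 bytes")
    count = (16 + (count_byte & 15)) << ((count_byte >> 4) + 6)
    block = salt + passphrase
    count = max(count, len(block))   # the whole block is hashed at least once
    out = b""
    ctx = 0
    while len(out) < key_len:
        h = hashlib.new(hash_name)
        h.update(b"\x00" * ctx)      # context n is preloaded with n zero octets
        hashed = 0
        while hashed < count:
            take = min(len(block), count - hashed)
            h.update(block[:take])
            hashed += take
        out += h.digest()
        ctx += 1
    return out[:key_len]


def parse_skesk(data: bytes) -> dict:
    """Parse a v4 tag-3 packet with an old-format header (1- or 2-byte length)."""
    hdr = data[0]
    if not hdr & 0x80 or hdr & 0x40:
        raise ValueError("expected an old-format OpenPGP packet header")
    tag = (hdr >> 2) & 0x0F
    if tag != 3:
        raise ValueError(f"expected tag 3 (SKESK), got tag {tag}")
    ltype = hdr & 0x03
    if ltype == 0:
        body = data[2:2 + data[1]]
    elif ltype == 1:
        body = data[3:3 + int.from_bytes(data[1:3], "big")]
    else:
        raise ValueError("unsupported length type for this example")
    version, cipher, s2k_type, hash_algo = body[0], body[1], body[2], body[3]
    if version != 4 or s2k_type != S2K_ITERATED_SALTED:
        raise ValueError("only v4 SKESK with iterated+salted S2K is handled")
    return {"cipher": cipher, "hash": hash_algo,
            "salt": body[4:12], "count_byte": body[12]}


def build_skesk(salt: bytes, count_byte: int = 0x60) -> bytes:
    """Construct a minimal v4 SKESK packet (encrypted-session-key field omitted).
    0x8C = old-format header, tag 3, one-byte body length."""
    body = bytes([4, AES128, S2K_ITERATED_SALTED, SHA1]) + salt + bytes([count_byte])
    return bytes([0x8C, len(body)]) + body


def file_key(passphrase: bytes, packet: bytes, key_len: int = 16) -> bytes:
    """Derive the AES-128 key a given file's SKESK packet asks for."""
    p = parse_skesk(packet)
    return s2k_iterated_salted(passphrase, p["salt"], p["count_byte"], key_len)


# Constructed stand-ins for the random salts gpg would pick for the two files.
TEST1_PACKET = build_skesk(bytes.fromhex("0102030405060708"))
TEST2_PACKET = build_skesk(bytes.fromhex("f0e0d0c0b0a09080"))


def same_passphrase_shares_key(passphrase: bytes = b"foo") -> bool:
    """True only if the two files end up with the same key; with distinct
    salts they do not, so nothing file-independent exists for an agent to cache."""
    return file_key(passphrase, TEST1_PACKET) == file_key(passphrase, TEST2_PACKET)


if __name__ == "__main__":
    for name, pkt in (("test1.gpg", TEST1_PACKET), ("test2.gpg", TEST2_PACKET)):
        p = parse_skesk(pkt)
        print(name, "salt", p["salt"].hex(), "key", file_key(b"foo", pkt).hex())
    print("same key for both files:", same_passphrase_shares_key())
```

Run on a real `gpg -c` output, `parse_skesk(open("test1.gpg", "rb").read())` recovers the salt and count byte gpg actually chose, provided the file uses the v4 packet this parser handles; newer GnuPG versions may emit other packet forms, which the parser rejects with an error rather than misreading them. That the agent's cache entry is tied to the file rather than to the passphrase text is consistent with the behaviour Lucas reports, and is the only option that does not require the agent to remember the plaintext passphrase and try it against every later file.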
