It's definitely a well-respected choice. But after learning more about security, I'm kind of concerned about its security defenses (against local attacks), such as memory safety or so. At least it hasn't undergone any security audits, which might be vital for such a sensitive program 🤔
If it doesn't offer a keyfile + master password function, I'll give it a pass 😐
I likes me a beefy keyfile in addition to masterpass.
BTW, #askfediverse , should I leave my master secret key on my daily machine and use it to encrypt or sign?
> it seems it doesn’t support encryption with a #subkey. I have to use my password store from where my master #pgp keys are available. Sounds not elegant.
What? I’ve been using pass for years and it uses my encryption subkey just fine. I’ve also migrated encryption subkeys and pass rotated secrets just fine (with pass init IIRC).
> Should I leave my master secret key on my daily machine and use it to encrypt or sign?
No. Leave the master secret key on your offline computer (what? you don’t have one? Give back your paranoid nerd club card! ;) ) and the subkeys of course need to be in a tamper-resistant hardware security module (e.g. Yubikeys).
Do not accept compromise! Ultimate security or nothing! ;)
I did exaggerate a little bit but I’m using pass with the same exact setup as above and it really works great :) Have a nice evening!
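Worked example (added here, not from the thread and not pass's own code) of the setup described in the replies above: a certify-only master key that stays in an "offline" keyring, only the encryption and signing subkeys exported to the "daily" keyring, and pass pointed at the master fingerprint so it transparently encrypts to the subkey. Two temporary GnuPG home directories stand in for the two machines; the user id, the passphrase-less keys and the sample secret are constructed for the demo. The pass init / rotation part only runs if pass is installed, and the Yubikey step is not reproduced.

```shell
#!/bin/sh
# Added demo: offline master key, subkeys-only daily keyring, pass on top.
set -eu

command -v gpg >/dev/null 2>&1 || { echo "gpg not found, nothing to demonstrate" >&2; exit 0; }

# gpg with the flags needed for non-interactive, passphrase-less demo keys
# (--pinentry-mode loopback is what lets --passphrase apply in gpg >= 2.1).
g() { gpg --batch --quiet --pinentry-mode loopback --passphrase '' "$@"; }

setup_keys() {
  OFFLINE=$(mktemp -d)   # stands in for the offline machine
  DAILY=$(mktemp -d)     # stands in for the daily machine
  # 1. Master key: certify-only, so it can only sign subkeys and other keys.
  g --homedir "$OFFLINE" --quick-generate-key 'Demo User <demo@example.invalid>' ed25519 cert never
  FPR=$(gpg --batch --homedir "$OFFLINE" --with-colons --list-keys demo@example.invalid \
        | awk -F: '/^fpr:/ {print $10; exit}')
  # 2. Subkeys for day-to-day use: one for encryption, one for signing.
  g --homedir "$OFFLINE" --quick-add-key "$FPR" cv25519 encr never
  g --homedir "$OFFLINE" --quick-add-key "$FPR" ed25519 sign never
  # 3. The daily machine gets the public key and ONLY the secret subkeys;
  #    --export-secret-subkeys replaces the master secret with a stub.
  gpg --batch --homedir "$OFFLINE" --export "$FPR" | g --homedir "$DAILY" --import
  g --homedir "$OFFLINE" --export-secret-subkeys "$FPR" | g --homedir "$DAILY" --import
}

# Prints "#" when the daily keyring holds only a stub of the master secret key
# (field 15 of the sec record in --with-colons output).
master_is_stub() {
  gpg --batch --homedir "$DAILY" --with-colons -K "$FPR" | awk -F: '/^sec:/ {print $15; exit}'
}

# Encrypt to the master fingerprint (what pass does with the id in .gpg-id)
# and decrypt on the daily machine: gpg picks the encryption subkey itself.
roundtrip() {
  printf 'hunter2' \
    | gpg --batch --quiet --homedir "$DAILY" --trust-model always -e -r "$FPR" \
    | g --homedir "$DAILY" -d
}

# Signing with -u <master fpr> also works without the master secret: gpg
# selects the signing-capable subkey that has a secret part.
sign_and_verify() {
  printf 'release notes' > "$DAILY/msg"
  g --homedir "$DAILY" -u "$FPR" -o "$DAILY/msg.sig" --detach-sign "$DAILY/msg"
  gpg --batch --quiet --homedir "$DAILY" --verify "$DAILY/msg.sig" "$DAILY/msg" 2>/dev/null
}

cleanup() {
  GNUPGHOME="$OFFLINE" gpgconf --kill gpg-agent 2>/dev/null || true
  GNUPGHOME="$DAILY" gpgconf --kill gpg-agent 2>/dev/null || true
  rm -rf "$OFFLINE" "$DAILY"
}

setup_keys
trap cleanup EXIT
echo "master secret on daily keyring is a stub: $(master_is_stub)"
echo "decrypted on daily keyring: $(roundtrip)"
sign_and_verify && echo "signature made with subkey verifies"

# Optional: the same thing through pass, plus the subkey rotation mentioned above.
if command -v pass >/dev/null 2>&1; then
  export GNUPGHOME="$DAILY" PASSWORD_STORE_DIR="$DAILY/store"
  export PASSWORD_STORE_GPG_OPTS="--trust-model always"
  pass init "$FPR" >/dev/null                 # .gpg-id holds the master fingerprint
  printf 'hunter2\n' | pass insert -e demo/site >/dev/null
  echo "pass show demo/site -> $(pass show demo/site)"
  # Rotation: mint a new encryption subkey offline, ship the subkeys again,
  # then re-run pass init so every entry is re-encrypted to the new subkey.
  g --homedir "$OFFLINE" --quick-add-key "$FPR" cv25519 encr never
  g --homedir "$OFFLINE" --export-secret-subkeys "$FPR" | g --homedir "$DAILY" --import
  pass init "$FPR" >/dev/null
  echo "after rotation: $(pass show demo/site)"
fi
```

The check worth keeping from this is `gpg -K` on the daily machine: the master line must read `sec#` (a stub), never `sec`. If it shows `sec`, the master secret was exported with `--export-secret-keys` instead of `--export-secret-subkeys` and is sitting on the laptop.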