I think that it would be more secure if there was an option not to open the whole coffin, but only a selected file inside it, e.g.:
pass open password-account-1
Besides general privacy it would also be useful for secret files that other programs use - for example the aws-cli-credentials file (aws-cli). Programs that don't support gpg require secrets stored in plain text. It would be more secure if these were not extracted from the coffin until explicitly instructed (or if you could blacklist them somehow).
It's just an idea, maybe there is a simpler way to achieve the same thing. It occurred to me when looking at .env files in web development. Curious to know what you think.
danielkrajnik changed the title from "How about 'pass open'ing only a specific file from the coffin instead of the whole coffin?" to "How about 'pass open'ing only a specific file from the coffin instead of everything?" on Jun 22, 2023
When you enter pass open, the encrypted file coffin.tar.gpg has to be decrypted, which leaves you with coffin.tar, which is then extracted. If you want to retrieve just a single password store secret, we can do that but at this point, the entire password store has already been decrypted into a tar file, so I don't see how extracting a single file would be relatively more secure, not to mention that this would make opening and closing the coffin more complex (How do we know if an existing coffin or tar file contains the entire password store?).
> Programs that don't support gpg require secrets stored in plain text.
In this case, you're better served by programs like age and ansible-vault. I remember that chezmoi supports decrypting age-encrypted plain text files at runtime. gpg also supports storing secrets as plain text files though with --armor.
> In this case, you're better served by programs like age and ansible-vault.
Interesting, thanks for sharing. The main reason why I stick with gpg instead of age is the "ecosystem" (hardware keys, gpg-agent etc.). But if age has a standard way to handle plain text files that may be a good reason to switch.
You can also use zsh's "temporary file process substitution" to decrypt .gpg files in runtime (e.g. =(gpg -d secret.gpg)), but it won't work well with GUI programs.
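To make the two designs discussed above concrete (the full open the maintainer describes, the single-file open from the request, and the blacklist variant), here is an added shell sketch that is not pass-coffin's own code: `coffin_decrypt` is a `cat` stand-in for `gpg -d coffin.tar.gpg` so it runs without keys, and the store contents are constructed. As the maintainer notes, the decrypt step still processes the whole archive either way; the selective step only decides which members land on disk.

```bash
#!/usr/bin/env bash
# Added example, not part of pass-coffin. Simulates open/close on a tar "coffin".
set -eu

# Stand-in for `gpg -d "$1"` (assumption: real use would decrypt here).
coffin_decrypt() { cat "$1"; }

# Build a constructed store with two secrets and one plain-text file that a
# non-gpg tool (aws-cli) reads directly, then pack it and remove the plaintext.
make_demo_coffin() {
  local dir=$1
  mkdir -p "$dir/store"
  printf 'hunter2\n'  > "$dir/store/password-account-1.gpg"
  printf 'letmein\n'  > "$dir/store/password-account-2.gpg"
  printf '[default]\naws_access_key_id=EXAMPLE\n' > "$dir/store/aws-cli-credentials"
  (cd "$dir/store" && tar -cf ../coffin.tar.gpg -- *)   # stand-in for the encrypted tar
  rm -rf "$dir/store"                                   # `pass close`: plaintext is gone
}

# Full open (today's behaviour): decrypt, then extract every member.
open_all() { mkdir -p "$2"; coffin_decrypt "$1" | tar -xf - -C "$2"; }

# Single-file open (the request): same decrypt, only the named member is written.
open_one() { mkdir -p "$2"; coffin_decrypt "$1" | tar -xf - -C "$2" "$3"; }

# Blacklist open: extract everything except the listed member names.
open_except() {
  local src=$1 dst=$2
  shift 2
  mkdir -p "$dst"
  # Rewrite the positional parameters into --exclude=NAME options.
  for f in "$@"; do set -- "$@" "--exclude=$f"; shift; done
  coffin_decrypt "$src" | tar "$@" -xf - -C "$dst"
}

# Files that actually reached disk in an opened directory, sorted, space-separated.
list_opened() {
  (cd "$1" && find . -type f | sed 's#^\./##' | sort | tr '\n' ' ' | sed 's/ $//')
}
```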