by omtose 3513 days ago
I'm also a user of pass, but the fact that all the metadata is in the clear is a big beef for me. How do you solve that, if at all?
4 comments

Fellow pass user here.

freepass [0] seems like it could be a potential candidate, somewhere between pass and LessPass, but I haven't tried it out for myself yet.

[0]: https://github.com/myfreeweb/freepass

You can use a hash of the site appended with a .pass-wide pepper as the name of the directory storing credentials for a particular site, then use a wrapper script that hashes its input before passing it to pass.

Also full disk encryption.
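
A sketch of the wrapper described in the comment above, as an added example that is not from the thread or from the pass project. The names `hpass`, `entry_name`, `HPASS_PEPPER` and `HPASS_PEPPER_FILE` are hypothetical, and keeping the pepper outside the store is an assumption; only the `pass` subcommands `show`, `insert`, `generate`, `edit` and `rm` are forwarded.

```shell
# Added example, not from the thread. hpass, entry_name, HPASS_PEPPER and
# HPASS_PEPPER_FILE are hypothetical names. Source this file, then run
# e.g. `hpass insert example.com` and later `hpass show example.com`.

# Read the store-wide pepper. Assumption: it is kept OUTSIDE the password
# store, so a copy of the store alone does not allow guessing site names.
# Function bodies use ( ) so variables stay local and `exit` only ends the call.
load_pepper() (
    if [ -n "${HPASS_PEPPER:-}" ]; then
        printf '%s' "$HPASS_PEPPER"
        exit 0
    fi
    file="${HPASS_PEPPER_FILE:-$HOME/.config/hpass/pepper}"
    [ -r "$file" ] || { echo "hpass: cannot read pepper file $file" >&2; exit 1; }
    cat "$file"
)

# Map a site name to the opaque name used inside the store:
# sha256(normalised site followed by pepper), as 64 hex characters.
entry_name() (
    # Lower-case and strip whitespace so "Example.COM " and "example.com" match.
    site=$(printf '%s' "${1:-}" | tr '[:upper:]' '[:lower:]' | tr -d '[:space:]')
    [ -n "$site" ] || { echo "hpass: empty site name" >&2; exit 1; }
    pepper=$(load_pepper) || exit 1
    [ -n "$pepper" ] || { echo "hpass: empty pepper" >&2; exit 1; }
    printf '%s%s' "$site" "$pepper" | sha256sum | cut -d' ' -f1
)

# Hash the site argument, then hand the hashed name to pass unchanged.
hpass() (
    cmd="${1:-}"; site="${2:-}"
    case "$cmd" in
        show|insert|generate|edit|rm) ;;
        *) echo "usage: hpass {show|insert|generate|edit|rm} SITE [ARGS...]" >&2; exit 2 ;;
    esac
    name=$(entry_name "$site") || exit 1
    shift 2
    pass "$cmd" "$name" "$@"
)
```

With this in place the store shows only hex names, so listing or searching entries by site no longer works and each site name has to be supplied from memory. The number of entries and their file timestamps remain visible.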

This is all a lot of effort; if I went down that road I might as well skip "pass" and handle the passwords myself. What I like about pass is that there isn't much setup.

Full disk encryption also doesn't prevent a running application from seeing the directory structure. But I guess this is not a very realistic attack vector.

Yes, under that threat model you would lose with all of these password managers.

How so? If the entire directory structure is also encrypted then no program can easily know which sites or services I have passwords for.

I was meaning if your machine was compromised.

You could encrypt the password store folder with another gpg container. That would be your master password.

Maybe you can put the whole .pass directory inside an encfs directory.

Encryption all the way down.