[dancek]

I'd love to start using pass but I find managing gpg keys troubling (perhaps due to my lack of knowledge). Does your setup require copying the same key to each device? What would happen if someone got your gpg key? What would happen if you lost the key?

[woile]

I've made a cheatsheet[1] for gopass, which is the same but also includes multi stores (you could have a personal store, and a shared store with your work team, synchronizing to different git repos).

Edit: to export the public key you can search Google, I'd recommend saving it in a yubikey or in a usb with encryption.

1: https://woile.github.io/gopass-cheat-sheet/

[_-___________-_]

pass can encrypt to multiple keys. I use one key for my laptop and one for my phone. If someone gets your gpg key then they can decrypt all your passwords if they also get the repository. It would be prudent to change all your passwords in this case (pass-rotate could help a little with this). If you lose the key, you lose access to all your passwords.

[_-___________-_]

worth also noting that that when I used to use Android, I didn't need multiple keys - my GPG key was on my yubikey neo, and i could plug it into my laptop to decrypt passwords there or tap it to my phone to decrypt passwords there. not possible on iOS due to Apple not opening up NFC to developers, so now I have pass set up to encrypt to two keys.

[spondyl]

I think GPG keys get a lot of flack for not being the most user friendly thing and probably fair enough. The nature of them having to remain secret, makes managing them a bit confusing. I don't use mine for anything more than signing commits and (rarely) encrypting secrets

Personally, I use OpenKeychain[1] on Android, Kleopatra[2] on Linux, GPG Suite[3] on macOS and Pass[4] for iOS/iPadOS

Phew, that's a lotta apps but you can just pick and choose whatever you prefer. I have no idea about Windows myself. Once I imported my keys (public + private) into each application, I never really had to touch them again.

As I mentioned, I use my GPG key for signing my commits. I think I saved my password to my laptops keychain so it automatically signs my commits without my interaction.

Similarly, Pass automatically encrypts and decrypts everything without my interaction. Whether that's a good idea security wise aside, it works fairly seamlessly. Pass on my iPad is quite literally just a pull to refresh. I would have thought it'd be much more painful with all the GPG nonsense in play!

So, back to your questions:

> Does your setup require copying the same key to each device?

Yes but only once. It may also require entering your password anywhere from everytime to never depending on your settings. For my android device, I have to do it once every restart but after that, a process keeps my "store" open for example.

> What would happen if someone got your gpg key?

Presumably they could take all of my passwords and sign my Git commits as if they were me.

Personally, I have no strong investment in my GPG key, nor am I someone well known so this would have little to no effect beyond being a big annoyance. I would still own my email account so I'd still be able to reset the majority of my passwords.

Actually, I don't know my email password (since it's randomly generated) so I'd have to cross my fingers and hope the attacker hasn't revoked any of my sessions. Once again, no different than any other password manager. At least losing the key would be my fault, and not that of a third party I suppose.

> What would happen if you lost the key?

Presumably I'd lose all of my passwords but once again, that's no different than the single master password setup of those cloud based password managers.

I didn't realize until I looked it up just now but you can apparently generate a revocation certificate, separate from your key. From what it says on the tin, I imagine you can keep that safe and if you did lose your key, use it to tell any of the popular key servers that it's gone.

That wouldn't do anything to get your password back though, it would just signal to anyone looking up your key, that they shouldn't trust it.

Anyway, that was a bit of a tangent but the best way to learn is to just play around with GPG keys. The only reason I know the little I do is purely through making mistake :) I went through heaps of keys myself (I forget why) before I finally settled on my current one. You can even see some revoked ones here http://keys.gnupg.net/pks/lookup?search=marcus%40thingsima.d...

[1] https://www.openkeychain.org/ [2] https://www.openpgp.org/software/kleopatra/ and https://kde.org/applications/utilities/org.kde.kleopatra [3] https://gpgtools.org/ [4] https://github.com/mssun/passforios

[jarfil]

For Windows there is Gpg4win, which includes a port of Kleopatra.

[spondyl]

Thanks! I'm actually moving to a Windows environment for development shortly so this is handy to know. I'll likely just use pass via WSL2 but I might give gpg4win a shot too

[dancek]

Thanks for taking the time to answer! It's great to hear the system has good usability on multiple platforms once set up.

I guess my problem has been trying to make things perfect at once, and learning about subkeys and revocation certificates and how they apply to pass (they don't, I think) is a lot of work.

Maybe I'll just try it out, keeping my email and money-related passwords out of the equation for now.

[_-___________-_]

> Pass on my iPad is quite literally just a pull to refresh. I would have thought it'd be much more painful with all the GPG nonsense in play!

FWIW, the pull to refresh effectively just runs `git pull`. GPG isn't involved.

[spondyl]

Ah yup yup, that is true. For some reason, I always have this idea that it's pulling and decrypting everything. Gotta remind myself that computers are actually fast and decryption can happen on the fly :)