by thraxil
1238 days ago
The bigger issue with pass, IMO, is that there's no audit trail on secret access. At a previous job, the team used pass for shared ssh keys, passwords, etc. One developer got malware on their workstation. It was detected fairly quickly, but not before he'd used pass once or twice. At that point, we had to assume that the malware had been able to capture the PGP key and all the encrypted secrets. That meant that we had to rotate every single secret in all of our systems that were reachable from those. In a better setup with something like Hashicorp Vault, GCP Secrets Manager, etc, with auditing, we could've looked through audit logs to see which secrets were actually accessed during the vulnerable window and only had to rotate those.
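The scoping step the comment describes, worked through as an added example (this is not thraxil's code, nor anything from pass or Vault): given a newline-delimited JSON audit log, a compromised principal and the window between the infection and its detection, list only the secrets that were actually read and therefore need rotation. The record layout (`time`, `type`, `auth.display_name`, `request.operation`, `request.path`) is modelled on the outline of Vault's JSON file audit device but is an assumption here, and every log line and name below is constructed for the example.

```python
import json
from datetime import datetime

# Constructed sample audit records (invented paths, tokens and times).
# Layout is assumed to resemble a Vault JSON audit device: each request is
# logged twice, once as type "request" and once as type "response".
SAMPLE_AUDIT_LOG = """
{"time":"2024-03-01T08:55:00Z","type":"response","auth":{"display_name":"token-alice"},"request":{"operation":"read","path":"secret/data/db/prod-password"}}
{"time":"2024-03-01T09:02:10Z","type":"response","auth":{"display_name":"token-bob"},"request":{"operation":"read","path":"secret/data/ssh/deploy-key"}}
{"time":"2024-03-01T09:15:42Z","type":"request","auth":{"display_name":"token-bob"},"request":{"operation":"read","path":"secret/data/api/payments-token"}}
{"time":"2024-03-01T09:15:42Z","type":"response","auth":{"display_name":"token-bob"},"request":{"operation":"read","path":"secret/data/api/payments-token"}}
{"time":"2024-03-01T09:40:00Z","type":"response","auth":{"display_name":"token-bob"},"request":{"operation":"update","path":"secret/data/ssh/deploy-key"}}
{"time":"2024-03-01T11:00:00Z","type":"response","auth":{"display_name":"token-bob"},"request":{"operation":"read","path":"secret/data/db/prod-password"}}
{"time":"2024-03-01T09:20:00Z","type":"response","auth":{"display_name":"token-carol"},"request":{"operation":"read","path":"secret/data/db/analytics-ro"}}
"""

# Only operations that return secret material count as exposure; an "update"
# writes a new value and does not hand the old one to the caller.
READ_OPERATIONS = {"read"}


def parse_time(stamp):
    """Parse an RFC 3339 timestamp; 'Z' is normalised for older Pythons."""
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))


def read_events(log_text):
    """Yield (time, principal, path) for every completed secret read.

    Only "response" records are counted: a "request" record alone does not
    prove the read succeeded (it may have been denied by policy). Corrupt
    lines are skipped rather than aborting the whole analysis.
    """
    events = []
    for raw in log_text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        try:
            rec = json.loads(raw)
        except json.JSONDecodeError:
            continue
        if rec.get("type") != "response":
            continue
        req = rec.get("request", {})
        if req.get("operation") not in READ_OPERATIONS or "path" not in req:
            continue
        who = rec.get("auth", {}).get("display_name", "<unknown>")
        events.append((parse_time(rec["time"]), who, req["path"]))
    return events


def secrets_to_rotate(log_text, window_start, window_end, principal=None):
    """Return the sorted set of secret paths read inside the vulnerable window.

    principal=None scopes by time only (use this when the attacker may have
    stolen more than one identity); otherwise only that principal's reads count.
    """
    start, end = parse_time(window_start), parse_time(window_end)
    exposed = set()
    for when, who, path in read_events(log_text):
        if start <= when <= end and (principal is None or who == principal):
            exposed.add(path)
    return sorted(exposed)


if __name__ == "__main__":
    # Infection assumed at 09:00, detected at 10:00, on the workstation using token-bob.
    for path in secrets_to_rotate(SAMPLE_AUDIT_LOG, "2024-03-01T09:00:00Z",
                                  "2024-03-01T10:00:00Z", principal="token-bob"):
        print("rotate:", path)
```

With the sample log, only the two secrets token-bob actually read between 09:00 and 10:00 come back; the update at 09:40, the read at 11:00 and the other principals' reads are excluded. The conservative choice when the scope of the compromise is unclear is to drop the `principal` filter and rotate everything read in the window by anyone, which is still far less than rotating every secret in the store.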