Robin, thank you for your interest. I have not seen 'pwstore' before, but I don't like the idea of storing headers inside the file, as it might break things. But I love the idea of groups and access rights. It is a direction I would like to follow. Also I like your suggestion about the key whitelist. That's a feature I have already planned for future releases.

I guess 'pass' was made for a single user. But 'git-secret' was made for multiple people. So you can invite someone to share your encrypted files and easily remove them.

Also, I have noticed that 'pass' stores the encrypted files in a separate repository. Well, that's an arguable way to go. It has some benefits like: code-repository and pass-repository may have different access rights, different people involved. But there's a lack of consistency when you have two separate repositories.

2016-03-14 2:52 GMT+03:00 Robin H. Johnson <robbat2@xxxxxxxxxx>:
> Have you seen the much older pwstore tool?
> https://github.com/formorer/pwstore
>
> It does have some notable features missing from git-secret and similar
> tools to this day.
> - Whitelist of trusted keys to detect addition of unexpected keys.
> - Specify what users/groups have access to any given file (via a header
>   in each file, which implies that the file must be plaintext).
>
> I've wondered if storing metadata about the objects in notes might
> improve matters:
> - a clearsigned block with verifiable readable data (eg who in a team
>   can access)
> - an encrypted block with the inner key (nice side effect that this
>   separates versioning of the wrapped inner key from the versioning of
>   the object).
>
> This also has a nice property that when you revoke/remove an outer (user)
> key, you can know implicitly the old secrets they had access to (which
> should probably be rotated, as you don't know if they have a copy of
> them outside of the system).
>
> Yes, I'm aware of other systems like Hashicorp's Vault, but do
> appreciate the simplicity of git-secret, pass [1], pwstore [2] and other
> simpler tools.
>
> [1] https://www.passwordstore.org/
> [2] https://github.com/formorer/pwstore
>     It's at least as old as the Git history indicates, possibly
>     older, I don't know if the Git history included a full conversion of
>     SVN history.
>
> --
> Robin Hugh Johnson
> Gentoo Linux: Developer, Infrastructure Lead, Foundation Trustee
> E-Mail : robbat2@xxxxxxxxxx
> GnuPG FP : 11ACBA4F 4778E3F6 E4EDF38E B27B944E 34884E85

--
To unsubscribe from this list: send the line "unsubscribe git" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
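The bookkeeping Robin sketches in the quoted message (a whitelist of trusted keys that catches unexpected additions, per-file access expressed through users and groups, and the set of secrets implied for rotation when a user key is removed), modelled in Python as an added example. This is not code from git-secret, pwstore or pass; the fingerprints, the `@ops` group and the object paths are constructed for the sample, and the encryption layer (the wrapped per-object key) is left out so that only the policy logic is shown.

```python
from __future__ import annotations

from collections.abc import Iterable
from dataclasses import dataclass, field

# Constructed sample fingerprints; they stand in for GPG key IDs and are not real keys.
ALICE = "1111AAAA"
BOB = "2222BBBB"
CAROL = "3333CCCC"
MALLORY = "4444DDDD"   # never whitelisted


class UntrustedKey(Exception):
    """An access list would reference a key that is not on the whitelist."""


@dataclass
class SecretStore:
    trusted: set[str]                                              # whitelist of fingerprints
    groups: dict[str, set[str]] = field(default_factory=dict)      # "@name" -> member fingerprints
    access: dict[str, set[str]] = field(default_factory=dict)      # object path -> principals

    def _resolve(self, principals: Iterable[str]) -> set[str]:
        """Expand "@group" entries into fingerprints; bare entries are fingerprints."""
        keys: set[str] = set()
        for p in principals:
            if p.startswith("@"):
                keys |= self.groups.get(p, set())
            else:
                keys.add(p)
        return keys

    def grant(self, obj: str, *principals: str) -> None:
        """Add principals to obj's access list, refusing any key outside the whitelist."""
        bad = self._resolve(principals) - self.trusted
        if bad:
            raise UntrustedKey(sorted(bad))
        self.access.setdefault(obj, set()).update(principals)

    def readers(self, obj: str) -> set[str]:
        """Fingerprints that can currently decrypt obj."""
        return self._resolve(self.access.get(obj, set()))

    def unexpected_keys(self) -> set[str]:
        """Keys referenced by a group or access list but absent from the whitelist.

        This is the audit check for a key slipped into the metadata directly,
        bypassing grant() (for example by a hand-edited commit)."""
        referenced: set[str] = set()
        for members in self.groups.values():
            referenced |= members
        for principals in self.access.values():
            referenced |= self._resolve(principals)
        return referenced - self.trusted

    def revoke(self, fingerprint: str) -> set[str]:
        """Remove a key from the whitelist, all groups and all access lists.

        Returns the objects the key could read before removal: the holder may
        have kept copies, so those secrets are the rotation candidates."""
        exposed = {obj for obj in self.access if fingerprint in self.readers(obj)}
        self.trusted.discard(fingerprint)
        for members in self.groups.values():
            members.discard(fingerprint)
        for principals in self.access.values():
            principals.discard(fingerprint)
        return exposed


def grant_refused(store: SecretStore, obj: str, *principals: str) -> bool:
    """True if grant() rejects the request because of an untrusted key."""
    try:
        store.grant(obj, *principals)
    except UntrustedKey:
        return True
    return False


def sample_store() -> SecretStore:
    """Build the constructed scenario: an @ops group, three objects, and one
    key added to the group by editing the metadata directly."""
    store = SecretStore(trusted={ALICE, BOB, CAROL})
    store.groups["@ops"] = {ALICE, BOB}
    store.grant("db/password", "@ops")
    store.grant("ci/token", "@ops", CAROL)
    store.grant("alice/private", ALICE)
    store.groups["@ops"].add(MALLORY)   # bypasses grant(): the audit should flag this
    return store


if __name__ == "__main__":
    s = sample_store()
    print("unexpected keys:", s.unexpected_keys())
    print("rotate after revoking Bob:", s.revoke(BOB))
```

Two details matter in practice. The rotation set must be computed before the key is removed from the groups and access lists, since after removal the metadata no longer records what the key could read. And `unexpected_keys()` has to walk the group definitions as well as the per-object lists, because a key added to a group reaches every object that names the group without ever appearing in an object's own list.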