
Allow import of public keys from other users

Open Shinzu opened this issue 7 years ago • 10 comments

Hi,

the user should be able to import more than his own public gpg key and also should be able to delete public keys from his device.

in a team setup a secret stored in pass is encrypted with more than your own key.

if you change the secret or create a new one, the app should use all the public keys that are configured in this store to encrypt the secret.

as for now the app only encrypts changed/new secrets with the public key that matches the private key that is configured in the app.

greetings

Shinzu avatar Mar 09 '17 14:03 Shinzu

Hi, I only use pass for personal usage. I'm not familiar with the workflow for a team setup. Could you elaborate more on the workflow (say using the pass command line tool)? Then we can work on supporting team setup. Thanks.

mssun avatar Mar 09 '17 17:03 mssun

in the pass cmdline tool you can init a password store (or a subfolder) with multiple keys:

pass init <key1> <key2> <key3>

these key ids are in a file .gpg-id in the root or subfolder

when you create or update a secret it reads the ids from this file and encrypts/reencrypts the secrets with these key ids

from what i see the lib supports this: https://github.com/krzyzanowskim/ObjectivePGP/blob/master/ObjectivePGP/ObjectivePGP.h#L51

- (nullable NSData *) encryptData:(nonnull NSData *)dataToEncrypt usingPublicKeys:(nonnull NSArray *)publicKeys armored:(BOOL)armored error:(NSError * __autoreleasing __nullable * __nullable)error;

Shinzu avatar Mar 09 '17 20:03 Shinzu
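
The `.gpg-id` workflow described in the comment above, as an added example that is not part of the original thread and is not pass or passforios code. It goes slightly beyond the comment by resolving the nearest `.gpg-id` at or above an entry and rejecting `..` in entry paths. The function names, the key ids, the sample store layout and the `#` comment handling are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: pick the recipients for one entry from .gpg-id files.

# find_gpg_id STORE ENTRY: print the nearest .gpg-id at or above ENTRY's
# directory without leaving STORE. Entries containing ".." are rejected.
find_gpg_id() {
    _root=${1%/}
    case "/$2/" in */../*) return 2 ;; esac
    _dir=$(dirname "$_root/$2")
    while :; do
        if [ -f "$_dir/.gpg-id" ]; then printf '%s\n' "$_dir/.gpg-id"; return 0; fi
        case $_dir in "$_root"|/|.) return 1 ;; esac
        _dir=$(dirname "$_dir")
    done
}

# recipients STORE ENTRY: one key id per line. Blank lines, trailing
# whitespace and '#' comments are dropped (comment syntax is an assumption).
recipients() {
    id_file=$(find_gpg_id "$1" "$2") || return 1
    sed -e 's/#.*$//' -e 's/[[:space:]]*$//' -e '/^$/d' "$id_file"
}

# encrypt_entry STORE ENTRY: encrypt stdin to every listed key, so each
# holder (laptop, phone, hardware token) can decrypt with their own key.
encrypt_entry() {
    ids=$(recipients "$1" "$2") || return 1
    [ -n "$ids" ] || return 1            # never encrypt to an empty list
    out="${1%/}/$2.gpg"
    set --
    while IFS= read -r id; do set -- "$@" -r "$id"; done <<EOF
$ids
EOF
    gpg --encrypt --batch --yes "$@" --output "$out"
}

# Constructed sample store: root uses two keys, team/ overrides with three.
make_sample_store() {
    s=$(mktemp -d)
    mkdir -p "$s/team/db"
    printf 'ALICE_LAPTOP\nALICE_PHONE\n' > "$s/.gpg-id"
    printf '# team keys\nALICE_LAPTOP\nBOB_YUBIKEY\n\nCAROL_PHONE  \n' > "$s/team/.gpg-id"
    printf '%s\n' "$s"
}

store=$(make_sample_store)
recipients "$store" team/db/prod      # uses team/.gpg-id
recipients "$store" personal/mail     # falls back to the root .gpg-id
rm -rf "$store"
```

After changing a `.gpg-id`, existing entries stay encrypted to the old recipient list until they are re-encrypted, which is why the comment above mentions reencrypting.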

Thank you. I'm putting this feature in my TODO list.

mssun avatar Mar 09 '17 20:03 mssun

Just adding my support for this feature as I just use pass personally (rather than a team setup) but have one GPG key per device for security.

davidjb avatar Jul 12 '17 22:07 davidjb

I'm also interested in this feature, not only because I use one gpg key per device but also because I use a yubikey on one device and can't export the secret key to the phone even if I wanted to.

Encrypting to two public keys (yubikey pubkey and phone pubkey) works on my laptop and I can decrypt secrets encrypted in this way on my phone, but I can't go the opposite direction because passforios won't encrypt to multiple pubkeys.

philsnow avatar Sep 23 '17 09:09 philsnow

@mssun Any info at all that you could share to help someone else implement this?

kenny-evitt avatar Nov 09 '17 17:11 kenny-evitt

Note to anyone else interested in this. This app is more than capable of 'reading' password entries for a Pass repo that are encrypted with multiple keys; I tested this just now. It just can't currently encrypt entries that are added or modified with multiple keys.

I created a branch of the underlying Git repo for my Pass repo and cloned the remote with (just) that branch in the Pass app on my iPhone. It was able to decrypt a password entry just fine. I'll manually merge changes I push from my phone to my remote repo into the master Git branch for use on my other devices.

kenny-evitt avatar Nov 15 '17 15:11 kenny-evitt

I would also love to see this feature. We are using yubikeys for pass too. But we are not allowed to export the private key from such a yubikey and import them into the iOS app. So the idea is to use a second key for mobile, so we will not harm the yubikey (which we also use for ssh and stuff) integrity if maybe one employee lost his phone. Thanks by the way for your great app :)

obi12341 avatar Jun 05 '19 20:06 obi12341

+1 please 👍

i-am-meikle avatar Feb 12 '20 17:02 i-am-meikle

Any Updates on this? Would be really highly appreciated!

maikotz avatar Mar 05 '20 02:03 maikotz