Gopass: Search the entire file

Created on 22 Aug 2020 · 7 Comments · Source: gopasspw/gopass

MacOS Catalina
gopass v.1.9.2

Sometimes it advisable to name a secret file according to a username/login.

Therefore, it would be great if gopass could search within all secret files. The ‘infrastructure’ for this probably already exists, e.g. for gopass audit.

I hope this has not been requested too often—could not find anything related.

Thank you!

All 7 comments

I'm sorry, but I don't understand what you're asking for.

Are you looking for something like gopass grep, about the gopassbridge lookup rules or something different?

Thank you for your answer.

I had not found gopass grep as it is not mentioned in gopass -h. Maybe this is what I was thinking of.

I don't understand what you're asking for.

Suppose you have a file secret.gpg with this content:

login: Brixy
url: https://github.com/

It would be excellent if gopass could find/show this secret using gopass show -C Brixy. The search term is not part of the file name, but a term within the file contents.

This would require decrypting all the secrets to perform a search, it's not really meant to be done in that way.

Instead you can use the path of the secret to store that information, for example:

  • dev/github.com/Brixy
  • dev/github.com/Someoldaccount
  • shops/amazon.com/[email protected]

And then the gopass find will work as intended, plus it integrates well with dmenu, rofi or even fzf.

This is actually assumed as a fallback by the json bridge: https://github.com/gopasspw/gopass/blob/master/docs/setup.md#filling-in-passwords-from-browser

Now, if you don't want to have the username as part of the filename, because it's a secret, you'll have to use gopass grep, which decrypts all the files and tells you in which file it is. Since we are trying to reduce the number of flags, we probably won't add an option to copy the secret directly from gopass grep.
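
The trade-off in the comment above, as an added example that is not part of the thread or of gopass itself: with the suggested path layout a username lookup needs only file names, and those same names are readable by anyone who can list the store, without a key. The function names, the assumed on-disk layout (one `.gpg` file per entry under a store root) and the sample account `user@example.com` are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example, not gopass code. Assumes a pass/gopass-style filesystem store:
# one "<entry>.gpg" file per secret under a store root directory.

# list_entries ROOT: print entry names (relative path, ".gpg" stripped).
# Reads file names only; no file is opened and gpg is never invoked.
list_entries() {
    root=${1%/}
    find "$root" -type f -name '*.gpg' | while IFS= read -r f; do
        entry=${f#"$root"/}
        printf '%s\n' "${entry%.gpg}"
    done | LC_ALL=C sort
}

# store_find ROOT TERM: entries whose name contains TERM, case-insensitive.
# -F treats TERM as a literal string, so "github.com" does not act as a regex.
store_find() {
    list_entries "$1" | grep -iF -- "$2" || true
}

# store_exposed_accounts ROOT: what the layout reveals to anyone who can read
# the directory tree without a key, printed as "site<TAB>account".
store_exposed_accounts() {
    list_entries "$1" | while IFS= read -r entry; do
        dir=${entry%/*}
        if [ "$dir" = "$entry" ]; then continue; fi   # no site component
        printf '%s\t%s\n' "${dir##*/}" "${entry##*/}"
    done | LC_ALL=C sort
}

# make_demo_store: constructed sample store using the layout from the comment
# above. Files are empty placeholders, not real ciphertext; the account
# "user@example.com" is made up.
make_demo_store() {
    d=$(mktemp -d)
    mkdir -p "$d/dev/github.com" "$d/shops/amazon.com"
    : > "$d/dev/github.com/Brixy.gpg"
    : > "$d/dev/github.com/Someoldaccount.gpg"
    : > "$d/shops/amazon.com/user@example.com.gpg"
    printf '%s\n' "$d"
}

demo=$(make_demo_store)
store_find "$demo" brixy
store_exposed_accounts "$demo"
rm -rf "$demo"
```

If the account name itself must stay confidential, keep it out of the path and accept the decrypt-everything cost of gopass grep described in the comment above.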

Thank you very much!

This would require decrypting all the secrets to perform a search, it's not really meant to be done in that way.

OK! I thought this was rather easy to do because gopass audit decrypts all files, too.

This was rather a general suggestion. I use a file tree like you have shown above and can find anything using fd, fzf or gopass itself using fish shell’s autocomplete (which is terrific).

(In an emergency case one could easily store the .password-store/ folder in a .gpg file or e.g. in a gocryptfs drive.)

It's not hard to do, but it takes a long time (depending on the number of secrets and your crypto setup) and it's very questionable security wise (thinking of e.g. exfiltrating secrets and such).

We started thinking about implementing a fully encrypted backend. There is a proof of concept, but I wouldn't recommend using it yet.

Thanks for the detailed answers, guys.

I get your points. Please feel free to close this issue any time if my suggestion does not make sense (concerning security) for this project.

Closing since:

  • it is possible to search for a string in all secrets using gopass grep, which will decrypt all secrets
  • the recommended workflow is to avoid decrypting all secrets as much as possible
  • hiding the username will become possible once we have a fully encrypted monobloc backend (see also #673 and #1560)