
Add a --reencrypt option to fsck #2015

Closed
AnomalRoil opened this issue Oct 21, 2021 · 3 comments · Fixed by #2119
Labels
feature Enhancements and new features good-first-issue Good for beginners starting to contribute gpg GPG related Hacktoberfest ux User experience / User Interface related

AnomalRoil (Member) commented Oct 21, 2021

It can happen that we are doing a "key rotation" or have changed some things related to PGP that require us to fully re-encrypt our store.

Currently the only process to do so is adding a dummy recipient and then removing it.
This is not really desirable as it can lead to side effects such as committing secrets with a "weaker" key or so to our pw store.

Ideally we should be able to use fsck --reencrypt in order to decrypt all secrets and "re-encrypt" them with the current set of recipients.

This would also help solve issues such as "My process failed while I was adding a recipient", "I ^C Gopass in the middle of the removal of a recipient" or other things like that and would fit nicely under fsck responsibilities, IMO.

This would also have helped for example in #1977 when it was needed to fully re-encrypt the store using a downgraded PGP version because the latest PGP version wasn't being properly supported and cross-compatible for our use case.

This also helps with "expired subkeys": I can just add a new subkey to my key and "re-encrypt" the whole store.
So it would relate to: #1969, #1107, #1430

What it should do: re-encrypt in place all secrets for the current set of recipients, using the "main" encryption subkey of a key (or the specified subkeys) for each recipient, and then commit/push/sync the whole as per existing config.
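As an added example (not gopass's own code), here is a hypothetical POSIX shell script that performs the re-encrypt-in-place described above over a store laid out the way gopass and pass lay it out (a .gpg-id recipient list and *.gpg files), including a temp-file-and-rename step so that an interrupted run never leaves a half-written secret. It assumes a single .gpg-id at the store root and a gpg that can use your private key.

```shell
#!/bin/sh
# Re-encrypt every *.gpg secret under a store directory for the recipients
# listed in its .gpg-id. Hypothetical stand-alone script, not gopass code.
# Assumes one .gpg-id at the store root (no sub-store .gpg-id files) and a
# gpg binary that can use the private key (typically via gpg-agent).
set -eu

# Print one "-r <id>" line per key in a .gpg-id file, skipping blank lines
# and '#' comments (comment handling is an assumption of this script).
# Writing an id as KEYID! in .gpg-id makes gpg use that exact subkey.
recipient_args() {
  sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
      -e '/^$/d' -e 's/^/-r /' "$1"
}

# Decrypt one file and encrypt it again to the given recipients. The new
# ciphertext goes to a temp file that replaces the original only when both
# gpg steps succeeded, so an interrupted run leaves every secret fully
# encrypted to either the old or the new recipient set, never half-written.
reencrypt_file() {
  f=$1; shift
  tmp=$(mktemp "$f.XXXXXX")
  fail="$tmp.fail"
  # A failed decrypt must not become an "encrypted empty file": flag it.
  if { gpg --batch --quiet --decrypt "$f" || : >"$fail"; } |
       gpg --batch --yes --quiet --trust-model always --encrypt "$@" \
           --output "$tmp" && [ ! -e "$fail" ]; then
    mv -f "$tmp" "$f"
  else
    rm -f "$tmp" "$fail"
    echo "re-encrypt failed, left untouched: $f" >&2
    return 1
  fi
}

# Walk the store; failures are reported per file and do not stop the run.
reencrypt_store() {
  store=$1
  recips=$(recipient_args "$store/.gpg-id")
  [ -n "$recips" ] || { echo "no recipients in $store/.gpg-id" >&2; return 1; }
  find "$store" -type f -name '*.gpg' | while read -r f; do
    # $recips is split on purpose into "-r id" pairs; gpg reads no stdin here
    reencrypt_file "$f" $recips </dev/null || echo "FAILED: $f" >&2
  done
}

if [ $# -ge 1 ]; then
  reencrypt_store "$1"
fi
```

Run it as `sh reencrypt.sh ~/.password-store` and commit the rewritten files afterwards; unlike the dummy-recipient workaround, no secret is ever encrypted to a key outside the current .gpg-id set.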

@AnomalRoil AnomalRoil added feature Enhancements and new features gpg GPG related ux User experience / User Interface related good-first-issue Good for beginners starting to contribute labels Oct 21, 2021
@AnomalRoil AnomalRoil added this to the 1.13.0 milestone Oct 21, 2021
dominikschulz (Member) commented

We already have a decrypt option that's implemented here. I guess all that's missing is another flag that's evaluated in that condition to make it always re-encrypt?!

chrcoe commented Dec 17, 2021

For me that flag doesn't seem to actually re-encrypt anything because when I run it twice in a row, I get the same list of passwords that need re-encrypting. I would have expected --decrypt to actually do that. Maybe I'm doing something wrong, but I try:

$ gopass fsck --decrypt

as the help command says and it runs exactly as if I had not passed that. I then tried this and still the same result.

$ gopass fsck --decrypt=true

dominikschulz (Member) commented

That seems to be a bug of some kind then.

@dominikschulz dominikschulz modified the milestones: 1.13.0, 1.14.0 Jan 17, 2022
dominikschulz added a commit to dominikschulz/gopass that referenced this issue Jan 17, 2022
Fixes gopasspw#2015

RELEASE_NOTES=[BUGFIX] Always re-encrypt when fsck is invoked with
--decrypt.

Signed-off-by: Dominik Schulz <[email protected]>
dominikschulz added a commit to dominikschulz/gopass that referenced this issue Jan 18, 2022
Fixes gopasspw#2015

RELEASE_NOTES=[BUGFIX] Always re-encrypt when fsck is invoked with
--decrypt.

Signed-off-by: Dominik Schulz <[email protected]>
AnomalRoil pushed a commit that referenced this issue Jan 18, 2022
* Always re-encrypt when fsck is invoked with --decrypt
* Explain convertedSecret check

Fixes #2015

RELEASE_NOTES=[BUGFIX] Always re-encrypt when fsck is invoked with --decrypt.

Signed-off-by: Dominik Schulz <[email protected]>
kpitt pushed a commit to kpitt/gopass that referenced this issue Jul 21, 2022
* Always re-encrypt when fsck is invoked with --decrypt
* Explain convertedSecret check

Fixes gopasspw#2015

RELEASE_NOTES=[BUGFIX] Always re-encrypt when fsck is invoked with --decrypt.

Signed-off-by: Dominik Schulz <[email protected]>