I would like to use git to back-up, vc, and sync everything crucial on my text-based system, but some content, most notably my passwords file, are gpg encypted. This breaks git because reviewing changes essentially produces comparisons of gibberish. Does anyone know a solution for syncing/VC of encrypted data, which won't be only passwords?
@worldsendless maybe not the answer you’re looking for, but adding those files (or the directory) to gitignore might be the best way to go. It’s not a great idea to track passwords in git anyhow, even if they’re encrypted
@turak
As long as the repo is treated as a secret, the https://www.passwordstore.org/ style of using git to track changes to passwords should be fine. An obvious way to protect the repo is to encrypt the directory, e.g. with pass-tomb.
@worldsendless
@Parienve @turak
Wow. Motherload of the ideas I've been looking for! Let me see if I understand the workflow right:
1. create Pass location, in which
2. every file represents one password
3. git-control the whole location, so eg /Pass/.git
Is it a decision of tomb vs git? The tomb bit is the one I'm having a harder time piece together. Tomb encrypts entire directories, right?
@worldsendless @turak
It's more like:
0. Install dependencies (Debian)
sudo apt install pass tomb pass-extension-tomb
1. pass-tomb: create and open the tomb (encrypted directory)
pass tomb -v $your_gpg_id
2. pass: initialize the store (directory) in the tomb
pass init $your_gpg_id
3. pass: initialize the repo in the store
pass git init
pass automatically makes commits to the repo, and you can perform arbitrary git commands in your store by prepending "pass". `man pass` explains in more detail.
Each file is typically either a single password, or a newline-separated set of account details for a single account.
pass does not require you to organize your store in any particular way, although tools like browser extensions may be more opinionated. One fairly common strategy is to have a subdirectory for each domain name, with each filename matching the account login name, and with the password as the first line of the file.
When you're done using the store, use `pass close` to tell pass-tomb to close the tomb. `pass open` does the reverse.
