Here's a summary of the themes from the Hacker News discussion, with direct quotes where appropriate:
The "pass" Tool and its Ecosystem
The primary focus of the discussion is the command-line password manager pass (the password-store utility), its strengths, weaknesses, and alternatives. Users share their experiences and preferences regarding its usage, particularly concerning encryption, synchronization, and integration with other tools.
- "If you are using age instead of GPG for encryption purposes, I've found this to be useful: https://github.com/FiloSottile/passage" - ragnot
- "There are also other pass-like password managers that use age. The developer of one has made a comparison table: https://gitlab.com/retirement-home/seniorpw/-/tree/02dc02d1e.... (Disclosure: pago in the table is mine.)" - networked
- "I used pass for many years and loved it. I sync'd my password store between 3+ devices including my Android phone using a git remote." - hyperpl
- "Happy pass user for ~8 years now, have ~1300 passwords stored. No issues whatsoever. Use git to sync it across devices, totally awesome." - dclaw
- "I have heavily used Pass over the years." - aborsy
- "I love pass, but I agree that it would be nice to have an established standard of where to put username etc." - integralid
- "Pass is still amazing after all these years." - WD-42
- "I use pass myself and I don't care about mobile." - usr1106
- "I'm using pass on a phone with Termux. Sure it's a bit clunky but it's been working since 2014 without any interruption or privacy leak. I can't say the same about most password managers." - realusername
- "johannes1234321: The android "Password Store" app is okay'ish, integrates with accessibility API to offer auto fill in many apps."
- "I haven't used pass in a long time, but I used gopass for a while in a small team and it was pretty great." - johntash
- "I really don't know what to recommend family members." - usr1106
- "GPG is a big detractor, at least for me. Working with the GPG agent is usually a subpar, if not outright confusing, experience." - rednafi
Deriving Passwords vs. Storing Them
A significant portion of the discussion revolves around the concept of deriving passwords (e.g., using a master secret and the service name) versus storing unique, high-entropy passwords individually. Skepticism is raised about the practicality of derived passwords due to site-specific requirements and the need for rotation.
- "Why would you want to store arbitrary individual passwords instead of deriving them with on demand from the service name/domain and a common secret?" - sgsjchs
- "If you are doing that, - what if some site has weird password requirements and the derived password doesn't work - what if a site gets hacked and you need to rotate one password. If you have to store data per-site anyway because of those cases, may as well just store passwords. You can (and should) still generate extremely high entropy passwords." - snailmailman
- "[Derived passwords] if your secret leaks and you don't know it (or you do know, but you need some time to change it), the attacker not only gets the snapshot of your password manager but also can derive all future passwords you'll generate, or past ones you long forgot about" - lucb1e
- "Not all sites are safe, either by design or by people running them. Having a common secret+service name as password AND having at least one of those sites leaking your plaintext password could mean that your derivation may go public and all your other passwords and services fall because of that." - gmuslera
- "But for me, that doesn't outweigh the practical issues" - lucb1e
Mobile Integration and Usability
A recurring theme is the challenge of seamlessly integrating pass with mobile devices, particularly Android. While some users have found workarounds or use specific apps, others find it cumbersome compared to more fully-featured commercial password managers.
- "There is still no just-download clients for pass on mobile which I think is why it's not a good option" - obk0943t
- "cramsession: I ssh in from my phone, which works pretty well."
- "bharrison: Same"
- "braincat31415: I use it inside termux on android. There is a termux pass package. But it might be hard to input a complex decryption password on the phone keyboard."
- "notpushkin: There's one for Android, though it has been looking for a new maintainer for a while now: https://github.com/android-password-store/Android-Password-S... Edit: looks like there's a community fork now! https://github.com/agrahn/Android-Password-Store"
- "tretiy3: Life saver! New version lacks OpenKeychain integration (they discuss in issues that it is also no longer maintained). Abandoned version of Android Password Store had some issues with embedded PGP manager and was not working for me. But this fork works!"
- "mattacular: there is for iOS - passforios - https://apps.apple.com/us/app/pass-password-store/id12058205... works great."
- "acaloiar: No need to forego mobile if you're on iOS [1]."
- "Kwpolska: Try KeePassXC on desktop, KeePass2Android on mobile (there's something on iOS too). There are some pass apps for Android, but they're a pain to use."
- "The pass android app is really nice too https://play.google.com/store/apps/details?id=dev.msfjarvis.... It also works in termux" - msravi
- "Kwpolska: > This app isn't available for your device because it was made for an older version of Android. And no, those apps don't work great, because they involve some clunky GPG app."
- "bramgn: Agreed, GPG is not the most intuitive tool, but once you are familiar enough with it, it opens some doors. For me termux and pass (from F-droid) have solved my password management for many years."
- "gourlaysama: The app in the Google Store is no longer maintained, hence the warning. It is however available in F-droid [1], and the newer versions don't need the secondary app and do everything internally."
- "aorth: The Android Password Store application by msfjarvis was archived last year. It was forked and greatly updated by agrahn. There are APKs on GitHub Releases and F-Droid, but not Google Play Store."
- "nixpulvis: I use pass a good amount, but I wish there were better OS/mobile integrations."
- "wfleming: What kind of mobile functionality were you looking for? The (unofficial) iOS app is pretty good IMHO and integrates with iOS's OS-level password filling, and also supports the pass-otp plugin's format for 2fa codes if you use that plugin."
- "avh02: Not the parent, but dwindling yubikey support (for gpg key storage) is an issue, had to pull out a legacy version on Android for it to keep working (they changed the underlying crypto library and lost the support there) No ipad version I've found supports yubikey either"
- "hkt: Is bitwarden in some way able to protect passwords while still being unlocked?"
- "denismi: I recently moved away from pass after a decade or so. Two main reasons: 1. This laptop up was set up with flatpak versions of all GUI applications, including Firefox, and the browser plugin just doesn't work. ... 2. I realised that the Android app was archived. ... For now I'm content with hosting vaultwarden and using various Bitwarden clients."
- "TheCraiggers: Well shit, I didn't realize the Android app was shelved. I checked out the fork and it looks like they're doing good work there."
- "nickjj: I made the switch from pass recently too. ... Ultimately I wanted something easier to sync between multiple devices. ... It was a lot easier to sync (1) file with KeePassXC and it has 2 well supported Android apps to choose from."
- "jeduardo: That's curious. I moved from KeePassXC to pass precisely because the synchronization story for the database file wasn't working so well."
- "jiehong: On MacOS, I tried using the Password App for passwords, but there is no cli to access it in scripts."
- "eptcyka: My main issue with pass is that it doesn't work great on iOS with yubikeys."
Security Considerations and Philosophies
Users discuss various security aspects, including the implications of secret key leakage, metadata privacy, the complexity of GPG, and the pros and cons of hardware security keys and different encryption methods.
- "if your secret leaks and you don't know it (or you do know, but you need some time to change it), the attacker not only gets the snapshot of your password manager but also can derive all future passwords you'll generate, or past ones you long forgot about" - lucb1e
- "gmuslera: Not all sites are safe, either by design or by people running them. Having a common secret+service name as password AND having at least one of those sites leaking your plaintext password could mean that your derivation may go public and all your other passwords and services fall because of that."
- "listeria: presumably the derivation would involve a cryptographically secure, non-reversible function so as to not compromise the secret should one of them be leaked."
- "I had attempted to use GNU `pass' first, but sadly, it requires me to manage gnupg, which is a well known minefield of poor default options, and assumes it should be integrated into your shell by storing things in your user profile directory (instead of using the directory relative to where you call it.) This jeopardized my copy-one-file workflow, so despite its ubiquity I had to abandon it." - elevation
- "aborsy: Your secret key can be stored in Yubikey, handled by a dedicated OpenPGP agent. This allows deriving a strong key from a weak one. Your password is basically a short PIN with max 3 tries. Every password retrieval can require a physical touch. This is convenient and secure!"
- "Pass makes sense if you use it with a hardware key, with touch enabled. With this setup, it's hard to beat its security." - aborsy
- "jwgarber: Pass is great, but GPG keys are complicated and add a lot of extra overhead if you don't have one already. Frankly I cannot recommend anyone use GPG today for any purpose."
- "enkrs: I used pass for a while but couldn't see what threat model it actually solves: If you let GPG agent cache your key, any script (e.g. an npm post-install) can just run 'pass ls' or 'pass my/secrets' and dump all your credentials. At that point it's basically just full-disk encryption with extra steps: might as well keep everything in ~/passwords.txt. If you don't cache the key, you're forced to type your long GPG password every single time you need a secret."
- "aborsy: That's true for any password manager. If the database/store is unlocked (so the master password is cached or available in RAM), all passwords can be extracted. You have to lock the password manager when you don't need it."
- "charcircuit: Modern operating systems isolate individual apps such that a malicious app can not access the RAM of another app. There is a difference between not making an effort to protect passwords and requiring an OS exploit to do so."
- "aborsy: The OS protections apply to all applications. In addition, the job of agents like gpg-agent or ssh-agent is to protect secret keys while they are cached (like preventing OS writing keys to swaps). You can configure them to erase keys after a certain time, require user's confirmation for each key operation, store gpg keys in internal TPM or external hsm, and would talk to the agent through specific sockets. Unlike browser-based password managers, the agents don't continuously interact with the browser code and remote elements (probably don't have network access at all)."
- "One area that matters that I forgot to mention in my comment below is that, as a result of all above, Pass doesn't check the domains and doesn't protect against phishing. There might be extensions, but at that point, you might as well use keepassxc." - aborsy
- "codethief: Memory isolation doesn't really help, though. If you have a malicious process running under the same user account as your password manager, it's still game over since that process could e.g. capture keyboard input, capture your screen, silently install browser extensions to capture your credentials, modify your shell config, .desktop files, $PATH, ... to have you e.g. call a backdoored version of your password manager, or put a modified version of sudo on your $PATH that logs your password (=> root access => full memory access)"
- "wltr: And modern operating systems are being ... ? macOS, I assume?"
- "LtWorf: Can you name one of these modern operating systems?"
- "johnisgood: You can use Qubes OS for true VM-level isolation, or use hardware security keys where possible, or run sensitive applications in dedicated VMs. I think that in general it is game over the moment you have malicious processes running. I use firejail for most applications, which I believe is the bare minimum, or bubblewrap."
- "yehoshuapw: it took a while to get it to work well, but I use yubikey here, and recommend it. I do need to find and plug it in sometimes, but overall might leave it plugged in. and I have it configured to require a touch for every operation"
- "eptcyka: You can configure the yubikey to need a PIN and/or touch to authorise the use a GPG key."
- "rednafi: GPG is a big detractor, at least for me. ... I'd happily take a version that uses ssh-agent instead to achieve the same."
- "hamburglar: My tool is actually a deterministic password generator... The one major downside to it is that it is absolutely unusable for sharing passwords because obviously that would require sharing my passphrase, and there is no way to "store" a password that someone else set."
- "debarshri: Sharing passphrase becomes even bigger risk as now your surface area is larger as compromise will lead to many credentials being leaked."
- "liendolucas: I've just discovered this two days ago from the SECUSO password generator: https://secuso.aifb.kit.edu/english/105.php Initially I didn't get it, then I realized that it was using the deterministic password generation approach."
Alternatives and Comparisons to Other Password Managers
Users frequently compare pass to other popular password management solutions like Bitwarden, KeePassXC, and 1Password, discussing their respective advantages and disadvantages, particularly concerning cross-platform support, ease of use, and feature sets.
- "Growing tired of Bitwarden in the browser, so this is pretty intriguing. But it's hard to forgo mobile compatibility." - andrewrn
- "lytedev: Bitwarden has a desktop GUI app as well as an official CLI. If you're comfortable with it, there are also community ones like https://github.com/doy/rbw"
- "Kwpolska: Try KeePassXC on desktop, KeePass2Android on mobile (there's something on iOS too)."
- "hyperpl: I used pass for many years and loved it. ... I decided to find the next best option and settled on keepassxc and KeePassDX. The backing store is a binary blob but it does surprisingly well via syncthing: autoupdate works and in the event of a conflict the db merge feature hasn't yet failed me."
- "drnick1: This is interesting for CLI lovers, but I feel KeepassXC on desktop + KeePassDX on Android (with the password DB stored on my own machine and accessed remotely via Wireguard) is a better solution for normies."
- "ggiesen: Bitwarden is pretty usable, we use it at our org, and while still has a rough edge or two for corporate use, gets better all the time."
- "ganomi: Another option in that area is https://www.passbolt.com/"
- "qudat: Me and my buddy have been using 'pa' for our company with great success: https://git.j3s.sh/pa It uses age and allows you to use multiple keys for encryption"
- "tlamponi: I like pass and use it a lot, especially as it provides a good and safe backup for the case my vaultwarden instance goes up in smoke. There is also a drop-in replacement which has some extra features and a bit better UX in some parts, personally I only really use it for the better support for handling multiple GPG keys, as I got some physical backup keys and it can also be nice for teams with a shared vault. https://www.gopass.pw/ https://github.com/gopasspw/gopass"
- "enkrs: ... I eventually switched to Bitwarden."
- "justusthane: You might already be aware of this, but Bitwarden also has a CLI client that can be used for this purpose, at least casually."
- "ggiesen: And can run a local webserver to expose an API (though they still need to tighten up security on it)"
- "aborsy: In fact, with Bitwarden, the cached password is exposed to the browser that has a large attack surface (including interacting with random remote servers). There was just a vulnerability in most browser based password managers including Bitwarden that would allow a remote attacker to trick a user into sending out their passwords."
- "denismi: For now I'm content with hosting vaultwarden and using various Bitwarden clients."
- "jeduardo: How has it been working for you so far? I'm in a similar situation and considering doing the same thing as you, for the same reasons, but I'm curious about how the offline experience is."
- "nickjj: I made the switch from pass recently too. ... Ultimately I wanted something easier to sync between multiple devices. ... It was a lot easier to sync (1) file with KeePassXC and it has 2 well supported Android apps to choose from."
- "jeduardo: That's curious. I moved from KeePassXC to pass precisely because the synchronization story for the database file wasn't working so well."
- "supriyo-biswas: My current employer uses 1password and it has a couple of nifty features like "vaults" shared with a group of people, an "op run" command to inject secrets using a .env file, service accounts to fetch passwords in CI, etc."
- "diggan: Sounded nice, but I'm not sure what this actually adds. I'm currently using 1Password for doing "environments", but it's all using the existing op CLI."
- "conception: It has dev environments now too! https://developer.1password.com/docs/environments/"
- "diggan: So adding a new collaborator to the project would involve adding them to the vault, then there is a shell script in the project that uses the CLI to write a new .env depending on the values from op. Seems like this new environment stuff wouldn't add anything compared to such a setup, at least today, is that fair? Seems to be even more manual and require copy-pasting, unless I misunderstand what the feature actually is."
- "laszlomjamf: "Normies"? Everything is relative, I guess. I use 1Password and just hope for the best."
Extensibility and Customization
Users highlight the flexibility of pass through its file-based structure, allowing for scripting and custom workflows, as well as discussions around extensions and forks that add functionality like OTP generation or improved UI.
- "merlincCorey: Additionally, you can store other data for example one could have scans of important documents that are stored in Pass which means they are GPG encrypted and backed by a git repository so they are versioned and shared across multiple machines."
- "mjd: I've been doing basically this for many years now. Each password file is AES-encrypted with my master password. I copy the whole vault around between machines with rsync. When I run 'password bank' a shell script searches ~/private/Passwords for files that contain "bank" and offers a menu, then gpg-decrypts the file I selected. I also use this for scans of my passport, recording my bank account numbers, and anything else I want to keep around."
- "elevation: Don't forget keepassxc.cli, which allows you to programmatically set and retrieve secrets.... I used it when I needed to build an encrypted secrets bundle (so that one long password could temporarily unlock some API keys required for a disaster-recovery situation.)"
- "PhilipRoman: FYI for desktop there is a "passmenu" script that you can bind to a key in your DE/WM."
- "shikaan: Shameless plug. I built a tool[1] to manage Keepass archives in the terminal which might scratch some of the itches I am reading here: it has a TUI, but can be piped into other commands too. [1]: https://github.com/shikaan/keydex"
- "mid-kid: The only use case of mine that's not solved by keepass is creating passwords on two separate machines without a direct connection, and merging them later."
- "ticoombs: I solve this by Syncthing running on all clients. Very rarely do I ever have a problem with conflicts. Only if I add a new pass while my phone is offline and then make another edit on my computer would there be an issue."
- "4k93n2: keepass has a very underrated feature i never see much talk about where you can have multiple vaults and have them open and search both at the same time (or at least the two apps you mentioned support that anyway). most password managers are based around the idea of one single vault which creates the problem of having to treat every password like it needs the maximum amount of security."
- "TheCraiggers: Pass actually has a similar feature: different directories in your git repo can have different gpg keys, effectively doing the same thing you like."
- "briHass: Also, KeepassXC and OG KeePass with a plugin can auto-open another vault from an entry in the primary vault. This works well if you have the more secure vault open a less secure vault, or in my case open a shared vault used for common passwords off a network share at work."
- "InMice: I'm thinking of trying this, I just used local files until now with keepass. in my case a synology nas to hold the file, a two bay equipped with 2.5" ssd that i already use for notes, music, and other stuff + wg"
- "lucb1e: It uses git, but the commit messages are autogenerated and useless. It might as well have used Dropbox for all the use you get out of it when wanting to find the version before someone corrupted data with their somehow-broken gopass client"
- "msravi: There's also the pass-otp extension that generates OTPs! https://github.com/tadfisher/pass-otp"
- "ninjin: Thank you for sharing. My solution has been to dump small scripts like this in ~/bin:
    #!/bin/sh
    set -eu
    k=$(pass ARG)
    oathtool -b --totp "$k"
  "
- "WD-42: Pass is still amazing after all these years. Shameless self plug: I wrote a gnome search provider for it so you can lookup passwords from the overview. Supports OTP as well. https://github.com/Fingel/ripasso-gnome-search-provider"
- "trinsic2: I like the idea of storing password data in individual encrypted files and using git to store changes, but I wonder if it creates more friction to retrieve the information. It seems like this solution would benefit from a more standardized specification for storing and retrieving information."
- "komali2: I can't remember how but pass for me works in brave browser and Firefox, as well as on mobile. It's my only password manager. I'm assuming some browser plugin."
- "puffybuf: I store my passwords on an encrypted file partition sqlite database. My script grabs the pass and immediately closes the partition afterwards. You can also just encrypt your passwords into individual encrypted files (one for each password) and have your script clear the gpg agent after a passfile is decrypted."
- "hamburglar: I have a different approach I've used for about 10 years that I like a lot. All password metadata is stored in a plain JSON file indexed by name (usually site name). Each entry contains at the minimum a username. Optionally it has a version number and some password rules like the length (20 if absent) and the character classes that are allowed, along with how many of each character class are required."
- "rendaw: The fact that it's essentially unstructured data makes it hard to work with generically. If you have a username + password and need to use those in a script, you'll need to implement your own parser in your shell language in every script you need it in."
- "stabbles: Fair, but you can use your own conventions."
- "rendaw: pass generate to generate new passwords, maybe thanks to the above, replaces everything in the pass value by default. So if you had e.g. a password + secret question answers, if you use generate to get a new password it'll wipe out your secret question answers."
- "stabbles: Just split it into site/pass, site/secret-question, etc. The fact that it's just using a directory tree is quite nice."
- "rendaw: It's very difficult to review history. I stopped using it a while ago, but since everything's encrypted git diff won't give you anything useful"
- "stabbles: git diff would be an odd command to run on generated passwords even without encryption. What matters is that you know when the last change was for a password or site with git log <file/dir>, and you can just git checkout -d <old commit sha> if needed."
- "eptcyka: pass git diff decrypts the passwords for me."
- "maxmoehl: pass sets up a .gitattributes and configures git to convert gpg files to text via a custom driver. This enables a text-diff of the encrypted contents out of the box (at least for a store I've just set up to test this)."
- "hkt: There is an established convention for usernames, which is to put "user:" at the start of the line. It can't be the first line of the file but is otherwise not order dependent. The browser plugins and android app implement this and do autofill based on it. That is suggested on the main site."
- "upofadown: There is a bit of structure imposed if you want to use the provided automation for inserting passwords in the clipboard. The password comes as the first line. Then you are going to end up with the user name on the second line. Everything past that point is gloriously unstructured. I have a pass entry floating around here with an entire onboarding email in it..."
- "stevekemp: For the structure I "solved" that problem by creating folders with three main files: Websites/foo.com/username, Websites/foo.com/password, Websites/foo.com/email"
- "rendaw: Yeah sure, but then are the conventions you came up with shared by all the tools in the ecosystem too (ex: browserpass)? Since the keystone (pass) declined to provide strong guidance, you end up with fragmentation and incompatibility."
- "integralid: Yeah, but that's just your convention. I, for example, store password in private/foo.com/foo-com-login"
- "echo42null: Best practice question for syncing pass across devices: Since exporting and re-importing the private key to a phone seems risky, is the recommended approach to generate a separate GPG key pair on the mobile device and re-encrypt secrets to it?"
- "TiddoLangerak: I have a different pubkey per device. I store all the pubkeys in the pass repo, and have a shell script to re-encrypt everything with those keys."
- "echo42null: How would you build a dead man's switch for pass? I'd like my family to be able to access my store if I disappear, but not before. The obvious problem: to re-encrypt for their keys I'd need my private GPG key running somewhere, which defeats the point. Has anyone solved this cleanly without leaving a hot key around?"
- "TiddoLangerak: The beauty of pass is that there's a distinction between giving access to the encrypted vault vs giving access to decryption, and you can leverage this."
- "integralid: pass is easier for me - it enforces some reasonable structure, works well with other Unix tools, and has a built-in git support. You don't have to use "pass" command for everything, for example for getting passwords interactively I just combine fzf and gpg directly."
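As an added illustration (not from the thread, and not anyone's actual tool), here is a small deterministic generator in the shape hamburglar describes and sgsjchs proposes: per-site metadata in JSON with a username, an optional version and character-class rules, and a password derived from master secret + site + version with HMAC-SHA256. The metadata is constructed; note that rotating a site means bumping its version, which is exactly the per-site state snailmailman points out you end up storing anyway.

```python
import hashlib
import hmac
import json
import string

# Constructed sample metadata in the shape described in the thread: a JSON
# object indexed by site name with a username, an optional version, and
# optional password rules (length, required character classes). Invented
# for this example; it is nobody's real configuration.
METADATA = json.loads("""
{
  "example.com":  {"username": "alice"},
  "bank.example": {"username": "alice", "version": 2, "length": 16,
                   "classes": {"lower": 1, "upper": 1, "digit": 2, "symbol": 1}}
}
""")

CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": "!@#$%^&*",
}
DEFAULT_CLASSES = {"lower": 1, "upper": 1, "digit": 1, "symbol": 1}


def _byte_stream(master: str, site: str, version: int):
    """Unbounded stream of bytes bound to (master, site, version).

    HMAC-SHA256 in counter mode, keyed with a hash of the master secret.
    Changing the version (rotation) yields an unrelated stream, and a site
    that sees its password cannot recover the master secret. Anyone who
    holds the master secret, however, can derive every site's password,
    which is the leak scenario lucb1e and gmuslera raise above.
    """
    key = hashlib.sha256(master.encode("utf-8")).digest()
    counter = 0
    while True:
        msg = f"{site}\x00{version}\x00{counter}".encode("utf-8")
        yield from hmac.new(key, msg, hashlib.sha256).digest()
        counter += 1


def _index(stream, n: int) -> int:
    """Uniform integer in [0, n) via rejection sampling on one byte."""
    limit = 256 - (256 % n)
    while True:
        b = next(stream)
        if b < limit:
            return b % n


def derive_password(master: str, site: str) -> str:
    entry = METADATA[site]
    version = entry.get("version", 1)
    length = entry.get("length", 20)
    required = entry.get("classes", DEFAULT_CLASSES)
    stream = _byte_stream(master, site, version)
    # Meet every per-class minimum first, then fill from the union alphabet.
    chars = []
    for name, count in required.items():
        alphabet = CLASSES[name]
        chars.extend(alphabet[_index(stream, len(alphabet))] for _ in range(count))
    union = "".join(CLASSES[name] for name in required)
    while len(chars) < length:
        chars.append(union[_index(stream, len(union))])
    # Deterministic Fisher-Yates shuffle so the required classes are not
    # always at the front; driven by the same stream, so still reproducible.
    for i in range(len(chars) - 1, 0, -1):
        j = _index(stream, i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


def rotate(site: str) -> int:
    """Rotate a site by bumping its version. The old password can only be
    re-derived if the old version number is remembered, which is why the
    per-site metadata has to be stored and synced like any other vault."""
    METADATA[site]["version"] = METADATA[site].get("version", 1) + 1
    return METADATA[site]["version"]


def satisfies_rules(password: str, site: str) -> bool:
    """Check a password against the site's length and class minimums."""
    entry = METADATA[site]
    required = entry.get("classes", DEFAULT_CLASSES)
    if len(password) != entry.get("length", 20):
        return False
    return all(sum(c in CLASSES[name] for c in password) >= count
               for name, count in required.items())
```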
age vs. GPG for Encryption
There's a discussion about using age as an alternative to GPG for encryption, with passage being highlighted as a tool that utilizes age. This suggests a growing interest in simpler, more modern cryptographic tooling.
- "ragnot: If you are using age instead of GPG for encryption purposes, I've found this to be useful: https://github.com/FiloSottile/passage"
- "networked: There are also other pass-like password managers that use age. The developer of one has made a comparison table: https://gitlab.com/retirement-home/seniorpw/-/tree/02dc02d1e.... (Disclosure: pago in the table is mine.)"
- "aborsy: There is a similar tool Passage using Age, maybe that solves it."
Corporate and Team Use Cases
Several users touch upon using password managers in a corporate or team setting, discussing features like shared vaults, access control, and the challenges of managing secrets in a collaborative environment.
- "lucb1e: This is fun if you never leave yourself, but be wary with whom you share it. As a company password manager, there is no way to know who's accessed which secret across their lifetime at the firm so you get to change all the passwords constantly. (Or none, if you can't be bothered.) (Don't ask.)"
- "lucb1e: Or if someone newly needs access, there's no standard way of re-encrypting the files you're guessing they need. You need to hack something together yourself"
- "lucb1e: It uses git, but the commit messages are autogenerated and useless. It might as well have used Dropbox for all the use you get out of it when wanting to find the version before someone corrupted data with their somehow-broken gopass client"
- "lucb1e: There is no way to ever erase anything you've accidentally pushed, short of rewriting the git history and breaking it for everyone (or for personal use: other client devices)"
- "lucb1e: Does anyone have good experiences with a password manager for a corporate environment? Ideally not having yet-another service to maintain, but also not have a server compromise equal business compromise (so end-to-end encryption between the users; verifying fingerprints or some such). From what I found so far, Bitwarden seems to meet that bill but I don't know if there are also others"
- "supriyo-biswas: My current employer uses 1password and it has a couple of nifty features like "vaults" shared with a group of people, an "op run" command to inject secrets using a .env file, service accounts to fetch passwords in CI, etc."
- "diggan: Seems like this new environment stuff wouldn't add anything compared to such setup, at least today, is that fair? Seems to be even more manual and require copy-pasting, unless I misunderstand what the feature actually is."
- "ggiesen: Bitwarden is pretty usable, we use it at our org, and while still has a rough edge or two for corporate use, gets better all the time."
- "ganomi: I have no practical experience yet, but I evaluated the market for a password sharing solution for a team with similar requirements within an enterprise."
- "jolmg: You can setup different directories to use different keys, and you don't need to limit yourself to a single key for each password either. You can use multiple. So you can setup structures like: - admins/.gpg-id "admin\n" - techs/.gpg-id "admin\ntech\n" where admin and tech are 2 keys for different groups of people. Admin having more access. Or even better: - site_foo/.gpg-id "bob\nalice\n" - site_bar/.gpg-id "bob\nrobert\n" where each employee has their own key. So you can fine-tune which passwords need changing if an employee leaves, and which passwords an individual employee needs to be able to access."
- "jolmg: You can setup git submodules to control which passwords which employees can know to exist. And given that git is being used, you can know which passwords an individual employee ever had access to."
- "johntash: I haven't used pass in a long time, but I used gopass for a while in a small team and it was pretty great."
- "echo42null: Thanks, I totally forgot about both sides; I only looked on the side of the key."
- "TiddoLangerak: The beauty of pass is that there's a distinction between giving access to the encrypted vault vs giving access to decryption, and you can leverage this."
- "TiddoLangerak: How I've been doing this is that I have 2 (sets of) backup people. The first set has access to the repo, but can't decrypt. The second set can decrypt (i.e. I have their pubkeys imported), but don't have access to the repo. I've chosen the people such that it's unlikely they collude against me, but in case something happens it's likely they'll be able to get in touch with each other."
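As an added example (not from the thread and not pass's own code), here is a small Python model of the per-directory .gpg-id mechanism jolmg describes: each secret is encrypted to the recipients listed in the nearest .gpg-id at or above its directory. With that model you can list which secrets a departing key holder could ever have decrypted (which, as lucb1e notes, must be rotated rather than merely re-encrypted, since old ciphertexts stay in git history) and which files need re-encrypting when a key is added to a directory, as TiddoLangerak does per device. The store layout is constructed.

```python
from pathlib import PurePosixPath

# Constructed store layout in the shape jolmg describes. Keys are paths
# relative to the store root; a value is the text of a .gpg-id file, or
# None for an encrypted secret. Invented for this example.
STORE = {
    ".gpg-id": "bob\n",
    "admins/.gpg-id": "admin\n",
    "admins/root-pw.gpg": None,
    "techs/.gpg-id": "admin\ntech\n",
    "techs/wifi.gpg": None,
    "site_foo/.gpg-id": "bob\nalice\n",
    "site_foo/login.gpg": None,
    "site_foo/db/creds.gpg": None,   # no .gpg-id in db/, inherits site_foo's
    "site_bar/.gpg-id": "bob\nrobert\n",
    "site_bar/login.gpg": None,
    "misc/notes.gpg": None,          # falls back to the top-level .gpg-id
}


def parse_gpg_id(text: str) -> list:
    """One key id per line; blank lines and '#' comment lines are ignored."""
    return [ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]


def gpg_id_path(directory: str) -> str:
    return f"{directory}/.gpg-id" if directory not in ("", ".") else ".gpg-id"


def governing_gpg_id(store: dict, secret: str) -> str:
    """Path of the .gpg-id that applies to a secret: walk from the secret's
    directory up to the store root and take the first one found."""
    for parent in PurePosixPath(secret).parents:
        candidate = gpg_id_path(str(parent))
        if candidate in store:
            return candidate
    raise KeyError(f"no .gpg-id above {secret}")


def recipients(store: dict, secret: str) -> list:
    return parse_gpg_id(store[governing_gpg_id(store, secret)])


def secrets(store: dict) -> list:
    return sorted(path for path, value in store.items() if value is None)


def exposed_to(store: dict, keyid: str) -> list:
    """Secrets a holder of keyid can decrypt. Dropping the key from .gpg-id
    and re-encrypting does not undo that: earlier ciphertexts remain in git
    history, so these are the passwords to rotate when that person leaves."""
    return [s for s in secrets(store) if keyid in recipients(store, s)]


def add_key(store: dict, directory: str, keyid: str) -> list:
    """Add keyid to directory/.gpg-id (creating the file if absent, seeded
    with the recipients the directory currently inherits) and return the
    secrets that must now be re-encrypted: those governed by that .gpg-id.
    Returns an empty list if keyid is already present."""
    target = gpg_id_path(directory)
    if target not in store:
        probe = str(PurePosixPath(directory) / "_.gpg")  # any name in that dir
        store[target] = "".join(k + "\n" for k in recipients(store, probe))
    current = parse_gpg_id(store[target])
    if keyid in current:
        return []
    store[target] = "".join(k + "\n" for k in current + [keyid])
    return [s for s in secrets(store) if governing_gpg_id(store, s) == target]
```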