FiloSottile/passage

Storing the .age-recipient file

stsch9 opened this issue · 1 comments

An attacker should not be able to edit the .age-recipient file unnoticed (e.g. add a new recipient unnoticed). Where and how should the .age-recipient file be stored most securely? Should it be signed (e.g. with minisign) if you store it at a location less trusted than the local disk?

pass has support for signing it, which adds a lot of complexity. My recommendation if active storage attackers are in your threat model is to store it on the local disk and set PASSAGE_RECIPIENTS_FILE.
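An added example, not part of the thread and not passage's own code: a shell check that reports any recipient present in the store's recipients file but missing from a trusted copy kept on local disk, which is the kind of silent addition the issue asks about. The function names and paths are hypothetical, and the recipient strings are constructed placeholders, not real age keys.

```shell
#!/bin/sh
# Added example; function names, paths and sample recipients are hypothetical.

# Print only the recipient lines of file $1: drop comment and blank lines,
# trim surrounding whitespace, sort and de-duplicate.
normalize_recipients() {
    sed -e '/^[[:space:]]*#/d' \
        -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
        -e '/^$/d' "$1" | LC_ALL=C sort -u
}

# Print recipients found in the store's file ($2) that are absent from the
# trusted local copy ($1). Empty output means nothing was added.
unexpected_recipients() {
    trusted_tmp=$(mktemp) && store_tmp=$(mktemp) || return 2
    normalize_recipients "$1" > "$trusted_tmp"
    normalize_recipients "$2" > "$store_tmp"
    LC_ALL=C comm -13 "$trusted_tmp" "$store_tmp"
    rm -f "$trusted_tmp" "$store_tmp"
}

# Constructed sample: the store copy carries one extra recipient.
demo() {
    dir=$(mktemp -d) || return 2
    printf '%s\n' '# trusted copy on local disk' \
        'age1exampletrustedrecipientaaaa' > "$dir/trusted"
    printf '%s\n' 'age1exampletrustedrecipientaaaa' \
        'age1exampleaddedrecipientbbbb' > "$dir/store"
    unexpected_recipients "$dir/trusted" "$dir/store"
    rm -rf "$dir"
}

# Encrypt to the trusted copy only (placeholder path):
#   export PASSAGE_RECIPIENTS_FILE=/path/to/local/recipients
demo
```

With PASSAGE_RECIPIENTS_FILE pointing at the local copy, a non-empty result from `unexpected_recipients` shows that the copy in less trusted storage has been changed.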