Figuring out how to use multiple password stores, each with their own GPG key.
And importantly, how to make the password stores work transparently with the Android app?
The point is to be able to share a specific folder (and all its subfolders) with a collaborator without exposing the secrets in the rest of the passwordstore.
🚨 I just found out, the Android Password Store has been retired by its author https://github.com/android-password-store/Android-Password-Store/discussions/3260 🚨
But there is a fork! https://github.com/agrahn/Android-Password-Store with an app on the F-Droid store https://f-droid.org/packages/app.passwordstore.agrahn
Some ideas from the interwebs:
- symlink folders into the passwordstore
- use direnv to set the environment var PASSWORD_STORE_DIR
- use git submodules
I tried the symlink approach: it works nicely enough on the desktop computer, but not at all on Android with the Passwordstore app.
I considered but did not test the other ideas.
After some more browsing and reading I realized that the pass init command does everything I want.
Starting from the entire passwordstore being encrypted using key A.
Then, assuming you have created GPG key B, re-encrypt folder aaa in passwordstore:
$ pass init --path=aaa B
That's it. Now only key B can decrypt any secrets in the aaa directory (recursively). We can re-encrypt to multiple keys by simply listing them: pass init --path=aaa B C D.
- https://askubuntu.com/questions/929307/how-to-change-the-gpg-key-of-the-pass-password-store
- https://lists.zx2c4.com/pipermail/password-store/2020-June/004183.html
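As an added example (not part of these notes), a small Python model of the rule pass follows to decide which keys an entry is encrypted to: the nearest .gpg-id file walking up from the entry's folder to the store root. It lets you audit, after pass init --path=aaa B C, which entries the collaborator keys can reach; key ids A, B, C and the store layout are constructed, and the .gpg files are empty placeholders.

```python
# Added example (not from the page): model of how pass picks GPG recipients
# per folder, to audit what `pass init --path=aaa B` changes. Key ids and the
# store layout are constructed; the .gpg files are empty placeholders.
import pathlib
import tempfile


def nearest_gpg_id(store, entry_dir):
    """Walk from the entry's directory up to the store root and return the
    first .gpg-id found (the same walk pass's set_gpg_recipients performs)."""
    current = entry_dir
    while current != store and not (current / ".gpg-id").is_file():
        current = current.parent
    gpg_id = current / ".gpg-id"
    if not gpg_id.is_file():
        raise RuntimeError("store not initialised: run `pass init <gpg-id>` first")
    return gpg_id


def recipients(gpg_id_file):
    """One key id per line; '#' comments and blank lines are ignored, as in pass."""
    lines = (ln.split("#", 1)[0].strip() for ln in gpg_id_file.read_text().splitlines())
    return [ln for ln in lines if ln]


def audit_store(store):
    """Map each entry (relative, without .gpg) to the key ids its governing .gpg-id
    declares. Declared is not proof: check a file's real recipients with gpg --list-packets."""
    result = {}
    for passfile in sorted(store.rglob("*.gpg")):
        if ".git" in passfile.parts or passfile.is_symlink():  # pass skips both
            continue
        rel = passfile.relative_to(store).with_suffix("")
        result[rel.as_posix()] = recipients(nearest_gpg_id(store, passfile.parent))
    return result


def init_path(store, folder, gpg_ids):
    """Bookkeeping half of `pass init --path=<folder> <ids...>`: write the folder's
    .gpg-id and return the entries pass would re-encrypt to it (a deeper .gpg-id wins)."""
    target = store / folder / ".gpg-id"
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_text("\n".join(gpg_ids) + "\n")
    return [e for e in audit_store(store) if nearest_gpg_id(store, (store / e).parent) == target]


def demo():
    """Whole store under key A, then share aaa/ (recursively) with B and C."""
    store = pathlib.Path(tempfile.mkdtemp(prefix="pass-demo-"))
    (store / ".gpg-id").write_text("A\n")
    for entry in ("personal/bank.gpg", "aaa/wifi.gpg", "aaa/sub/db.gpg"):
        (store / entry).parent.mkdir(parents=True, exist_ok=True)
        (store / entry).touch()
    reencrypted = init_path(store, "aaa", ["B", "C  # collaborator"])
    return reencrypted, audit_store(store)
```

Running demo() shows that personal/bank stays readable only by A while everything under aaa/ is now declared for B and C, which is the split the notes above set out to achieve.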
Related: how to generate a new GPG keypair
- https://www.linuxbabe.com/security/a-practical-guide-to-gpg-part-1-generate-your-keypair
- https://docs.github.com/en/authentication/managing-commit-signature-verification/generating-a-new-gpg-key
Note that the --expert flag is required to display the option to use ECC (elliptic curve crypto) keys.
taha@rosetta:~
$ gpg --expert --full-gen-key
gpg (GnuPG) 2.2.27; Copyright (C) 2021 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Please select what kind of key you want:
(1) RSA and RSA (default)
(2) DSA and Elgamal
(3) DSA (sign only)
(4) RSA (sign only)
(7) DSA (set your own capabilities)
(8) RSA (set your own capabilities)
(9) ECC and ECC
(10) ECC (sign only)
(11) ECC (set your own capabilities)
(13) Existing key
(14) Existing key from card
Your selection? 9
Please select which elliptic curve you want:
(1) Curve 25519
(3) NIST P-256
(4) NIST P-384
(5) NIST P-521
(6) Brainpool P-256
(7) Brainpool P-384
(8) Brainpool P-512
(9) secp256k1
Your selection? 1
Please specify how long the key should be valid.
0 = key does not expire
<n> = key expires in n days
<n>w = key expires in n weeks
<n>m = key expires in n months
<n>y = key expires in n years
Key is valid for? (0)
Key does not expire at all
Is this correct? (y/N) y
GnuPG needs to construct a user ID to identify your key.
Real name: <my name>
Email address: <email address>
Comment:
You selected this USER-ID:
"<Real name> (<Comment>) <Email address>"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
Please enter the passphrase to
protect your new key
Passphrase:
Repeat:
We need to generate a lot of random bytes. It is a good idea to perform
some other action (type on the keyboard, move the mouse, utilize the
disks) during the prime generation; this gives the random number
generator a better chance to gain enough entropy.
gpg: key <short key id> marked as ultimately trusted
gpg: directory '~/.gnupg/openpgp-revocs.d' created
gpg: revocation certificate stored as '~/.gnupg/openpgp-revocs.d/<long key id>.rev'
public and secret key created and signed.
pub ed25519 2026-02-24 [SC]
<long key ID>
uid <Real name> (<Comment>) <Email address>
sub cv25519 2026-02-24 [E]
RSA 4096 is only marginally more secure than RSA 2048 and the consensus is that it is not worth it. For better security than RSA 2048, use elliptic curve crypto instead.
https://www.gnupg.org/faq/gnupg-faq.html#no_default_of_rsa4096
How to export your keypair
Export your public key
gpg --armor --export <key id> > pubkey.asc
Export your private key
gpg --export-secret-keys --armor <key id> > privkey.asc
New idea, perhaps better and less hacky
Directly inspired by this great explainer of how using multiple keys for specific folders should be set up: https://github.com/agrahn/Android-Password-Store/issues/512#issuecomment-3387614461
Change passphrase of your GPG key
taha@rosetta:~
$ gpg --edit-key <key name>
gpg (GnuPG) 2.2.27; Copyright (C) 2021 Free Software Foundation, Inc.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Secret key is available.
sec rsa2048/<key short id>
created: 2014-11-28 expires: never usage: SC
trust: ultimate validity: ultimate
ssb rsa2048/<key short id>
created: 2014-11-28 expires: never usage: E
[ultimate] (1). <Real name> <Email address>
gpg> passwd
Please enter the passphrase to unlock the OpenPGP secret key:
"<Real name> <Email address>"
2048-bit RSA key, ID <key short id>,
created 2014-11-28.
Passphrase:
Please enter the new passphrase
Passphrase:
Repeat:
Some guides on the why's and what's of password managers
- The best password manager in 2021, The New Oil
- A technical introduction to password managers, Tavis Ormandy. Via Alan Ralph.
- Wikipedia has an informative article on password managers.
- Internetstiftelsen has published an excellent guide to help you get started with password managers.
- Good advice from Myndigheten för samhällsskydd och beredskap (MSB) on how to secure your passwords.
- https://reddit.com/r/sweden/comments/1abpovo/%C3%A4r_det_inte_riskabelt_att_ha_l%C3%B6senordshanterare
- https://lemmy.ml/post/19156372
BitWarden
Open source password management solution, can be self-hosted (how-to)
Integrates with Ansible.
1Password
A cloud-hosted password manager. No longer recommended, as it has regressed into an Electron application mandating remote storage of your password vault.
KeePass
Free, open source, light-weight, and easy-to-use password manager.
These slides discuss the why? how? what? where? of KeePass (presented by F. Morsbach at the first CryptoParty in Uppsala, 2019)
KeePass is written in C# and therefore requires Microsoft's .NET platform.
- Plugins: A list of third-party plugins for KeePass
- Android: Keepass2Android
- iPhone: MiniKeePass
- Chrome / Firefox: Tusk
- Web App: KeeWeb
KeePassXC
Open source, cross-platform.
KeePassXC is developed in C++ and runs natively on all platforms.
- Easy to achieve cloud sync by simply storing your KeePassXC database inside your shared cloud folder (using Nextcloud, for example).
AuthPass
AuthPass supports the KeePass database (KDBX format).
Setup instructions.
Pass
Simple GPG/Git password manager. Adheres to the Unix philosophy, which makes it easy to integrate with anything, e.g., Ansible.
This is my password manager of choice :-)
- Excellent in combination with rofi or dmenu on the Linux desktop, and
- on Android, usable with Password Store (which is a continuation of the retired app of the same name and includes small improvements, e.g., PGP keys are now handled internally, so there is no need for OpenKeychain).
- Rich ecosystem of plugins and tools: pass-rotate.
- Clever uses of pass, by Vitaly Parnas.
Dashlane
"An intuitive password manager with over 8 million users worldwide."
Not open source, as far as I know.
Passbolt
Free, open source, self-hosted, extensible, OpenPGP based.
LessPass
Stateless, open source password manager.
Psono
Open source and self-hosted password manager for teams.
Buttercup
Another open source password manager with desktop, mobile, and browser clients.
LastPass
One of the most widely used password managers, but that does not mean it's the best. Parent company is LogMeIn. Completely cloud-based, and not open source, obviously. On that basis alone, I do not recommend it. LastPass has suffered a major breach; it is now effectively dead.
Password manager apps that integrate with Nextcloud?
More lists of password managers
- https://codeberg.org/alicia/awesome-privacy#password-managers
- https://nextcloud.com/blog/password-managers-for-nextcloud/
- https://github.com/Igglybuff/awesome-piracy#password-vaults
- https://protonmail.com/blog/open-source-password-managers/
- https://www.tomshardware.com/best-picks/best-password-managers
- https://european-alternatives.eu/category/password-managers