
I've written a number of filesystem-based databases, and the problem that always comes up is keeping the entries consistent. You don't want a password database where the master password is different between entries, but with this system, you can't enforce that invariant until it's too late.

A better idea might be a system where the canonical source of truth is an application-controlled database, but where you can export entries to a directory tree and import entries from a directory tree. This makes syncing more difficult (export to directory tree on both sides, rsync, import on both sides), but it ensures that invariants are checked at sync time rather than use time.

I suppose you can write a validation command that you always run after sync, but how many people are going to run that? You don't realize you've been burned by having an extra password for an obscure site until that happens.



That issue is solved here using GPG. Presuming you know how GPG works, you're golden. Grokking GPG is an issue, however -- it's an app that is not exactly user friendly.

For me, I love this, because I can secure passwords using my private key, stored on a GPG card. Of course, there are probably less than 250 people on earth doing that. :)


Whoa, nice, you have a GPG smart card? Very cool. There were some people giving out USB tokens at FOSDEM which looked sort of neat, but I haven't gotten it working reliably.

GPG is mostly easy to use -- gpg -e -r [email protected] file.txt -- will encrypt that file for that recipient. Most of the basic stuff is easy. For creating a key and setting that up, I suppose this isn't super intuitive and nobody has those commands memorized, but there are so many guides out there for doing this. I think I started with the Gentoo gpg guide [http://www.gentoo.org/doc/en/gnupg-user.xml].

Anyway, you're correct -- this is one of the reasons pass uses GPG.


I have a GPG smartcard. The problem is that no readily-available card readers work under Linux. I had one on a Dell laptop of Core Duo vintage many years ago; after I got a new machine, I could never find a working card reader.


This seems really complicated. The whole point is to keep things simple and easy and not bloated with lots of applications and database formats and whatnot.

In any case, the GPG files have the ID of the key needed to decrypt them, so you can encrypt files with different keys, and so long as you have that key in your keychain still, you're good.

I guess I could add a simple convenience command "pass normalize" that decrypts everything and re-encrypts it using a single key. This would be a pretty simple way of doing it.



