> With pass, each password lives inside of a gpg encrypted file whose filename is the title of the website or resource that requires the password.
What the password goes to can potentially be _very_ sensitive. One of my side projects is a keyring manager; similarly, it feeds the data through GPG. However, the keyring is one file (i.e., all the stuff is rolled together). I also disagree with the design choice of taking the names of the objects on the keyring as a command line argument: they end up in history files. (This is the same argument, really; if you consider the name of the object on the keyring to be sensitive, then you don't want it as a filename (it's not encrypted) or as an arg (it's in a history file… not encrypted).)
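The two leaks this comment describes (the entry title as a cleartext filename, and as a command-line argument that lands in shell history) can both be closed at the store layer. The following is an added example, not code from pass or from the commenter's keyring project: it audits a pass-style directory for titles readable from filenames, maps titles to opaque HMAC-based filenames, and takes the title from stdin instead of argv. The key, the directory layout and the entry names are constructed placeholders.

```python
import hashlib
import hmac
import sys
import tempfile
from pathlib import Path

# Constructed placeholder key; a real store would keep this secret inside the
# encrypted keyring or derive it from the GPG key, never in a plain config file.
NAME_KEY = b"constructed-placeholder-key-not-for-real-use"


def keyed_name(key: bytes, title: str) -> str:
    """Map an entry title to an opaque on-disk name with HMAC-SHA256.

    A keyed MAC (rather than a plain hash) stops anyone who can list the
    directory from confirming guessed titles such as github.com offline.
    """
    return hmac.new(key, title.encode("utf-8"), hashlib.sha256).hexdigest() + ".gpg"


def read_title(stream=sys.stdin) -> str:
    """Read the title from stdin rather than argv, so it never lands in shell history."""
    title = stream.readline().rstrip("\n")
    if not title:
        raise ValueError("no entry title supplied")
    return title


def leaked_titles(store: Path) -> list[str]:
    """Audit a pass-style store: every *.gpg path is a plaintext entry title."""
    return sorted(p.relative_to(store).with_suffix("").as_posix()
                  for p in store.rglob("*.gpg"))


def build_constructed_store() -> Path:
    """Create a throwaway pass-style layout holding two constructed entries."""
    store = Path(tempfile.mkdtemp(prefix="pass-demo-"))
    for title in ("github.com", "bank/acme"):
        path = store / f"{title}.gpg"
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(b"<ciphertext placeholder>")
    return store


if __name__ == "__main__":
    store = build_constructed_store()
    print("titles readable from filenames:", leaked_titles(store))
    print("opaque filename for", repr(t := read_title()), "->", keyed_name(NAME_KEY, t))
```

Run it as `echo github.com | python3 store_names.py`: the first line shows what the pass layout exposes, the second the name the same entry would get in the keyed layout.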
Not built in, but if you're on Linux you can always overlay ecryptfs on your password-safe directory, or just keep your passwords in a separate VM entirely that is used only for that.
I don't have it running yet, but I am planning to write something where you have a VM you can connect to with the same/similar command syntax, and it would pop up a window of some sort saying "I received a request for password xyz, yes/no". This way you can have your main system and/or other VMs access the password store in a controlled manner.
If you have this VM running an FDE install, it would also make it super easy to back up all your passwords: just shut down the VM and copy the VDI. It would only be a few gigs (you don't need much software in this install, just the base system, gpg and whatever ncurses daemon listens for password requests).
ecryptfs doesn't obfuscate filenames (it is a "stacked" filesystem) so that's not going to do any good. You'll need block-level encryption such as LUKS and a loopback mount if you want to keep that hidden, at least when that partition isn't mounted.