Managing a shared set of secrets with a compromised identity #2014
Unanswered
mattpascoe asked this question in Q&A
Replies: 1 comment
-
I'm curious what folks are doing to share their secrets with friends/family or a small team?
Clearly you set up multiple recipients using their public identity.
Specifically I'm curious what people do to share the encrypted files. I would assume most people would say to use git. You commit your change and push it to a remote repository and share it that way.
What I'm specifically thinking through (and I have not yet seen documentation discuss this finer point) is the case where someone's identity is compromised. Let's say my private identity file gets stolen (passphrase aside).
Great! I quickly go rotate my keys and push back to git. All is well, everything is encrypted with all new identities that are no longer compromised. BUT if this was in a public git repo then now all they have to do is just check out an older commit and they can decrypt whatever was in there at that time.
So I'm guessing the only protection here is to NEVER commit your encrypted files to a public git repo! You should have at least another layer of credentials that protects the git repo as well so it is not public.
Basically, just because it is encrypted and you have rotated keys does not make it 'safe'. You must also ensure that the bad actor does not have access to any historical versions of the encrypted files. This can be difficult given certain situations. It can be managed, but I never see this nuance discussed in any documentation. I feel like there might be a lot of folks thinking things are just great because it's 'encrypted' and they may not realize the risk that exists in certain situations. I'm ultimately trying to design my workflow around sharing that mitigates these types of scenarios.
Thoughts?
-
Yes, that's something I would definitely avoid (except maybe for things that aren't that important / sensitive; though I wouldn't do that either). If you want to avoid git (like when sharing secrets with not that git-adept friends / family), you can also use other file sharing / synchronization tools, like Syncthing.
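A small model of the scenario raised in the question on this page, added here as an illustration and not taken from the discussion or from any project's code. It assumes an age-style layout in which one random file key is wrapped once per recipient, but the cipher is a deliberately toy stand-in (a SHA-256 counter keystream XORed over the data) and each identity is a single symmetric key playing the part of the private half; the identity names, the file path and the secret values are constructed. The audit function walks every historical version of the encrypted file with the stolen identity and reports which secrets the thief can still use, which is the check the question is asking for.

```python
"""Why rotating a compromised identity is not enough when old ciphertext is
still readable (e.g. in a public git history). Toy crypto: NOT for real use."""
import hashlib
import os
from dataclasses import dataclass


def _keystream(key: bytes, length: int) -> bytes:
    """Toy keystream: SHA-256 in counter mode. Stand-in for a real cipher."""
    out, ctr = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:length]


def _xor(data: bytes, key: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))


@dataclass(frozen=True)
class Identity:
    """Hypothetical identity: one symmetric key stands in for the private half
    of a real public-key recipient; only the wrapping structure matters here."""
    name: str
    key: bytes


def new_identity(name: str) -> Identity:
    return Identity(name, os.urandom(32))


def encrypt(plaintext: bytes, recipients: list) -> dict:
    """age-style layout: a fresh random file key, wrapped once per recipient."""
    file_key = os.urandom(32)
    return {
        "ct": _xor(plaintext, file_key),
        "wraps": {r.name: _xor(file_key, r.key) for r in recipients},
    }


def decrypt(blob: dict, ident: Identity):
    """Return the plaintext if `ident` is a recipient of this blob, else None."""
    wrapped = blob["wraps"].get(ident.name)
    if wrapped is None:
        return None
    file_key = _xor(wrapped, ident.key)   # unwrap with the (toy) private key
    return _xor(blob["ct"], file_key)


def exposed_through_history(history: list, stolen: Identity) -> dict:
    """Every plaintext the holder of `stolen` can recover by checking out each
    old commit. `history` is a list of commits, each mapping path -> blob."""
    exposed = {}
    for commit in history:
        for path, blob in commit.items():
            pt = decrypt(blob, stolen)
            if pt is not None:
                exposed.setdefault(path, set()).add(pt)
    return exposed


def still_live_after_rotation(history: list, stolen: Identity, current: dict) -> set:
    """Paths whose *current* secret value is among the exposed plaintexts.
    For these, re-keying to fresh identities changed nothing: the secret value
    itself has to be rotated (or the history kept out of the attacker's reach)."""
    exposed = exposed_through_history(history, stolen)
    return {p for p, v in current.items() if v in exposed.get(p, set())}


def scenario():
    """Constructed walk-through: stolen identity, re-key, then secret rotation."""
    alice, bob = new_identity("alice"), new_identity("bob")
    path, pw_v1 = "db-password.enc", b"db-password-v1"      # constructed sample
    history = [{path: encrypt(pw_v1, [alice, bob])}]          # commit 1
    # alice's identity file is stolen. She rotates to a fresh identity and
    # re-encrypts the SAME secret value to the new recipient set (commit 2).
    alice2 = new_identity("alice-2")
    history.append({path: encrypt(pw_v1, [alice2, bob])})
    live_after_rekey = still_live_after_rotation(history, alice, {path: pw_v1})
    # commit 3: the secret value itself is rotated as well.
    pw_v2 = b"db-password-v2"
    history.append({path: encrypt(pw_v2, [alice2, bob])})
    live_after_secret_rotation = still_live_after_rotation(history, alice, {path: pw_v2})
    return live_after_rekey, live_after_secret_rotation


if __name__ == "__main__":
    print(scenario())   # ({'db-password.enc'}, set())
```

After commit 2 the stolen identity can no longer open the current blob, yet commit 1 is still in the history and still yields the password that is in use, so the audit reports the path as live. It only comes back empty once the secret value changes in commit 3. Taking the repository out of public reach is the other half of the mitigation the question describes; the audit above tells you which secrets you must rotate regardless, because the thief may already hold a clone.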