Comment by jolmg
1 day ago
> As a company password manager, there is no way to know who's accessed which secret across their lifetime at the firm so you get to change all the passwords constantly.
You can set up different directories to use different keys, and you don't need to limit yourself to a single key for each password either. You can use multiple. So you can set up structures like:
- admins/.gpg-id "admin\n"
- techs/.gpg-id "admin\ntech\n"
where admin and tech are 2 keys for different groups of people, admin having more access. Or even better:
- site_foo/.gpg-id "bob\nalice\n"
- site_bar/.gpg-id "bob\nrobert\n"
where each employee has their own key. So you can fine-tune which passwords need changing if an employee leaves, and which passwords an individual employee needs to be able to access.
You can set up git submodules to control which passwords which employees can know to exist.
And given that git is being used, you can know which passwords an individual employee ever had access to, were their access to change over time.
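To make the last point concrete, here is an added example (not jolmg's code and not part of pass itself) that replays a constructed history of .gpg-id changes and answers "which secrets could this key ever decrypt", i.e. the rotation list when that employee leaves. It assumes pass's lookup rule of using the nearest .gpg-id at or above a secret's directory; the commit snapshots are made up here in place of reading `git log`.

```python
"""Replay .gpg-id history of a pass(1)-style store to find which secrets a
given key could ever decrypt. Snapshots below are constructed sample data
standing in for per-commit contents pulled from git."""
from posixpath import dirname

# Constructed history, oldest first: each snapshot maps .gpg-id path ->
# file contents (one recipient key id per line) and lists the .gpg secrets.
HISTORY = [
    {"gpg_ids": {".gpg-id": "admin\n",
                 "techs/.gpg-id": "admin\ntech\n"},
     "secrets": ["techs/vpn.gpg", "root.gpg"]},
    {"gpg_ids": {".gpg-id": "admin\n",
                 "site_foo/.gpg-id": "bob\nalice\n",
                 "site_bar/.gpg-id": "bob\nrobert\n"},
     "secrets": ["site_foo/db.gpg", "site_bar/api.gpg", "root.gpg"]},
    {"gpg_ids": {".gpg-id": "admin\n",
                 "site_foo/.gpg-id": "alice\n",  # bob dropped from site_foo
                 "site_bar/.gpg-id": "bob\nrobert\n"},
     "secrets": ["site_foo/db.gpg", "site_bar/api.gpg", "root.gpg"]},
]

def recipients_for(secret, gpg_ids):
    """Walk up from the secret's directory to the nearest .gpg-id, as pass does."""
    d = dirname(secret)
    while True:
        path = f"{d}/.gpg-id" if d else ".gpg-id"
        if path in gpg_ids:
            return {k.strip() for k in gpg_ids[path].splitlines() if k.strip()}
        if not d:
            raise ValueError(f"no .gpg-id covers {secret}")
        d = dirname(d)

def ever_accessible_by(key, history):
    """Secrets `key` could decrypt at any commit: the set to rotate on departure."""
    exposed = set()
    for snap in history:
        for secret in snap["secrets"]:
            if key in recipients_for(secret, snap["gpg_ids"]):
                exposed.add(secret)
    return exposed

def current_access(key, history):
    """Secrets `key` can decrypt in the latest snapshot only."""
    snap = history[-1]
    return {s for s in snap["secrets"] if key in recipients_for(s, snap["gpg_ids"])}
```

Note the difference between the two results for bob: current_access shows only site_bar, while ever_accessible_by still includes site_foo, which is exactly the historical exposure that git makes visible.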