
Comment by chrisweekly

2 months ago

Wait, what? "put the password store into a git repository"?!

The store, in the case of pass, is a plain text file whose contents are encrypted strings. If you trust the encryption, you can put it anywhere you like. Keep the keys secret and safe, though!

  • Until you have to fire one of your disgruntled employees, who has a copy of all your secrets that you now need to rotate.

    A repository that an attacker only needs to get access to once, after which they can perform offline attacks against it at their leisure.

    A repository that contains the history of changed values, possibly making the latter easier, if you used the same encryption secret for rotated values.

    This is an awful idea. Use a proper secret management tool you need to authenticate to using OIDC or Passkeys, and load secrets at runtime within the process. Everything else is dangerous.
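An added illustration of the history problem raised in this thread, written for this page and not code from any commenter or from pass itself. It models a versioned secret store as a list of full-tree commits, then audits what a departed key holder can still read: every old ciphertext stays in history, so rotating a value under the same key, or re-encrypting the same value to a new key, leaves the value readable to anyone who kept the old key. The hash-based stream cipher is only a stand-in for GPG so the script runs offline on the standard library; the key ids, paths, and secret values are constructed for the example.

```python
"""Audit a versioned secret store for what a departed key holder can still read."""
import hashlib
import os
from dataclasses import dataclass


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Hash-based keystream: a toy stand-in for the real cipher, not GPG."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)  # fresh nonce per encryption, stored with the ciphertext
    return nonce + bytes(a ^ b for a, b in zip(plaintext, keystream(key, nonce, len(plaintext))))


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, body = blob[:16], blob[16:]
    return bytes(a ^ b for a, b in zip(body, keystream(key, nonce, len(body))))


@dataclass
class Commit:
    message: str
    files: dict  # path -> (key_id the blob is encrypted to, ciphertext); a full tree snapshot


class Store:
    """Minimal append-only history: every commit keeps the whole tree, as git does."""

    def __init__(self):
        self.commits = []

    def commit(self, message: str, changes: dict):
        tree = dict(self.commits[-1].files) if self.commits else {}
        tree.update(changes)
        self.commits.append(Commit(message, tree))

    def head(self) -> dict:
        return self.commits[-1].files


def build_history():
    """Constructed example: one team key that a departing employee holds, then a re-key."""
    keys = {
        "team-key-v1": hashlib.sha256(b"constructed key v1").digest(),
        "team-key-v2": hashlib.sha256(b"constructed key v2").digest(),
    }
    store = Store()
    store.commit("add db password",
                 {"prod/db": ("team-key-v1", encrypt(keys["team-key-v1"], b"hunter2"))})
    # Rotating the value but encrypting to the same key: the ex-employee can read this commit too.
    store.commit("rotate db password (same key)",
                 {"prod/db": ("team-key-v1", encrypt(keys["team-key-v1"], b"correct-horse"))})
    # Re-keying without changing the value: the plaintext already sits in history under v1.
    store.commit("re-encrypt to new key (same value)",
                 {"prod/db": ("team-key-v2", encrypt(keys["team-key-v2"], b"correct-horse"))})
    store.commit("add api token",
                 {"prod/api": ("team-key-v2", encrypt(keys["team-key-v2"], b"tok-123"))})
    return store, keys


def exposed_history(store: Store, keys: dict, departed_key_id: str) -> dict:
    """Every path -> set of plaintexts someone holding `departed_key_id` can recover from history."""
    exposed = {}
    for c in store.commits:
        for path, (kid, blob) in c.files.items():
            if kid == departed_key_id:
                exposed.setdefault(path, set()).add(decrypt(keys[kid], blob))
    return exposed


def must_rotate_upstream(store: Store, keys: dict, departed_key_id: str) -> list:
    """Paths whose current value the departed holder can read; these need a new value at the provider."""
    exposed = exposed_history(store, keys, departed_key_id)
    burned = []
    for path, (kid, blob) in store.head().items():
        current = decrypt(keys[kid], blob)
        if kid == departed_key_id or current in exposed.get(path, set()):
            burned.append(path)
    return sorted(burned)


if __name__ == "__main__":
    store, keys = build_history()
    for path, values in exposed_history(store, keys, "team-key-v1").items():
        print(f"{path}: ex-holder of team-key-v1 can still read {sorted(values)}")
    print("rotate at the provider:", must_rotate_upstream(store, keys, "team-key-v1"))
```

The audit reports `prod/db` even though HEAD is encrypted to `team-key-v2`, because the same plaintext was committed under `team-key-v1` earlier; re-keying the store is not a substitute for issuing a new value at the service that consumes it.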