GPG-encrypted vault exports

Feature name

The vault export feature currently has .csv, .json and encrypted .json. I’d really love to see an encrypted (.csv) export that uses a specified GPG public key to encrypt it.

Feature function

  • What will this feature do differently?
    Provide encrypted export functionality that has more implementations available to decrypt it, plus the ability to use hardware encryption key storage.

  • What benefits will this feature bring?
    Easier and more trustworthy long-term storage of vault backups. The difficulty is delegated to GPG key management, compared to relatively cumbersome vault key management (which could be semi-accidentally rotated without refreshing the backup, for example).

Related topics + references

  • Are there any related topics that may help explain the need and function of this feature?
    Not as far as I could find on GitHub or forums.
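The workflow the request describes, as an added example that is not part of the original post or of any vault product: a CSV export is encrypted to a recipient's OpenPGP public key with gpg, and a round trip proves it decrypts. It assumes GnuPG 2.1+ is installed, uses a throwaway keyring and a constructed sample export, and the recipient address and file names are placeholders; with a hardware-backed key the `--recipient` step is identical and only decryption needs the device.

```shell
#!/bin/sh
# Added example, not the vault's own code: encrypt a vault CSV export to a
# specified OpenPGP public key and verify the round trip in a scratch keyring.
set -eu

# Constructed sample export; a real one would come from the vault's CSV export.
SAMPLE_CSV='folder,name,login_uri,login_username
Personal,example site,https://example.com,alice@example.com'

# Encrypt file $1 to the key identified by $RECIPIENT, ASCII-armoured, into $2.
# --trust-model always skips the key-trust prompt, which is acceptable here
# only because we generated the key ourselves in an isolated keyring.
encrypt_export() {
    gpg --batch --yes --trust-model always \
        --recipient "$RECIPIENT" --encrypt --armor \
        --output "$2" "$1"
}

# Round trip: throwaway key, encrypt the sample, check the ciphertext leaks
# nothing, decrypt, and print the recovered CSV on stdout.
round_trip() {
    tmp=$(mktemp -d)
    export GNUPGHOME="$tmp"
    # Demo-only key with an empty passphrase; never do this for a real backup key.
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'Vault Backup (demo) <backup@example.invalid>' \
        default default never
    RECIPIENT='backup@example.invalid'
    printf '%s\n' "$SAMPLE_CSV" > "$tmp/vault.csv"
    encrypt_export "$tmp/vault.csv" "$tmp/vault.csv.asc"
    # The armoured ciphertext must not contain the plaintext username.
    if grep -q 'alice@example.com' "$tmp/vault.csv.asc"; then
        echo 'plaintext leaked into ciphertext' >&2
        return 1
    fi
    gpg --batch --quiet --decrypt "$tmp/vault.csv.asc"
    gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$tmp"
}
```

Rotating the vault's own encryption key afterwards does not affect this file; only the private half of the recipient key is needed to read it.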

Isn’t this a bit weaker than what’s already offered, since encrypted exports are useless once you rotate your key?

Backups being turned useless isn’t a security feature in any realistic scenario of mine at least. Can you list a scenario where that’s useful?

Someone steals your encrypted backups and a key, but you rotate the key. Only backups made with a specific key will be possible for an attacker to decrypt.

If they steal your encrypted backup and have access to your key to decrypt it, you already have way bigger problems, but even in that case, a hardware-backed GPG key storage mitigates this attack and also doesn’t turn your backups useless.

Correction, the key is only rotated when you click the option to rotate the key. It’s possible to change the master password without changing the AES key.