Thanks for the quick reply. It helps a lot.
Two remaining questions:
- When I init the repo (or add more passwords later), does all the key generation and decryption/encryption happen on the local machine? Does any of it ever run on the remote machine (so others could steal it from memory if they really wanted to)?
- Since the hash is derived with scrypt, say I steal those key files: do I have to use the scrypt algorithm to crack them? Maybe there is a faster way to crack them without going through scrypt, as they're just a static file for me now?
Keeping keys local is the truly secure way, I feel. There are multiple ways to secure a local password these days (wallet, USB key, etc.). Without a key on the repo I will never need to worry about its safety, but a local key might make de-duplication complicated, though I don't really know much there.
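To make the second question concrete, here is an added, self-contained illustration (it is not the backup tool's real key-file format and not code from this thread) of how a password-protected key file is typically built: a random master key is wrapped under a key derived from the password with scrypt and a random, stored salt. The function names (`create_key_file`, `unwrap_master_key`, `guess_cost_seconds`), the JSON field names and the scrypt parameters are all assumptions chosen for the demo. The point it shows is that the password never appears in the file in any form other than "the input to scrypt", so whoever holds a copy of the file still has to run scrypt once per candidate password; the random salt also rules out precomputed tables. What scrypt does not do is rescue a weak password: it only makes each guess expensive.

```python
import hashlib
import hmac
import json
import os
import time
from typing import Optional

# scrypt work factor for this demo (assumed values, not the tool's real settings).
# Memory use is 128 * r * N bytes, i.e. 16 MiB here.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def derive_wrapping_keys(password: str, salt: bytes, n: int, r: int, p: int):
    """Run scrypt once and split the 64-byte output into an encryption key and a MAC key."""
    derived = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=n, r=r, p=p, dklen=64)
    return derived[:32], derived[32:]


def create_key_file(password: str, master_key: Optional[bytes] = None) -> dict:
    """Wrap a random 32-byte master key under the password (simplified key-file layout, assumed).

    The wrapping key is fresh per salt and used exactly once, so XOR with it is a
    one-time pad; an HMAC over salt+ciphertext authenticates the record.
    """
    master_key = master_key if master_key is not None else os.urandom(32)
    salt = os.urandom(16)  # random per key file: no precomputation across files
    enc_key, mac_key = derive_wrapping_keys(password, salt, SCRYPT_N, SCRYPT_R, SCRYPT_P)
    wrapped = bytes(m ^ k for m, k in zip(master_key, enc_key))
    tag = hmac.new(mac_key, salt + wrapped, hashlib.sha256).digest()
    # Everything stored is either random (salt), ciphertext, or a MAC: nothing is a
    # direct function of the password except through scrypt.
    return {
        "salt": salt.hex(),
        "wrapped": wrapped.hex(),
        "tag": tag.hex(),
        "N": SCRYPT_N,
        "r": SCRYPT_R,
        "p": SCRYPT_P,
    }


def unwrap_master_key(key_file: dict, password: str) -> Optional[bytes]:
    """Recover the master key, or None if the password is wrong.

    There is no way to check a password without the scrypt call: the MAC key that
    validates the record is itself part of the scrypt output.
    """
    salt = bytes.fromhex(key_file["salt"])
    wrapped = bytes.fromhex(key_file["wrapped"])
    tag = bytes.fromhex(key_file["tag"])
    enc_key, mac_key = derive_wrapping_keys(
        password, salt, key_file["N"], key_file["r"], key_file["p"]
    )
    expected = hmac.new(mac_key, salt + wrapped, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return bytes(c ^ k for c, k in zip(wrapped, enc_key))


def guess_cost_seconds(key_file: dict, candidate: str = "not-the-password") -> float:
    """Wall-clock cost of checking one candidate password against the file.

    This is the per-guess price an offline attacker pays; raising N/r/p raises it.
    """
    start = time.perf_counter()
    unwrap_master_key(key_file, candidate)
    return time.perf_counter() - start


if __name__ == "__main__":
    kf = create_key_file("correct horse battery staple")
    print(json.dumps(kf, indent=2))
    print("right password ->", unwrap_master_key(kf, "correct horse battery staple").hex())
    print("wrong password ->", unwrap_master_key(kf, "hunter2"))
    print("seconds per guess (scrypt bound): %.4f" % guess_cost_seconds(kf))
```

Running it prints the key-file record, the recovered master key for the correct password, `None` for a wrong one, and the time one guess costs on this machine. Compare that last number with the microseconds a plain SHA-256 takes to see what the scrypt work factor buys; that cost, multiplied by the size of the password space, is the whole defence once the file is in someone else's hands.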