https://rot256.dev/post/pass/

Make sure you understand how exactly it encrypts your data, and what are the things that are still exposed by it.

I give this article a chance, but some assumptions are outright false. For example:

> No Post-Quantum security

Yeah, no. The beauty of PGP is being able to select your encryption algorithm. Somehow, arguing that AES-256 is more resistant to, for example, Ed25519 is just factually incorrect, and people that use KeePass are not memorizing 40-character passwords to unlock their password manager.

> No Service Privacy / Leaks Changes

Pass doesn't make assumptions. If you want to encrypt filenames, then wrap it with gocryptfs or cryfs or pass-tomb. The nice thing about syncing with pass is having auditable changes that don't require a complete database resync. Imagine someone modifying your password store with KeePass. You are not going to have a diff to tell what has been changed. With Password Store, you can see exactly what has been changed between syncs.

> No authentication of values

Again, something that you can change in your PGP settings. I'm not going through the full article, but in all honesty it just sounds like this person doesn't like GnuPG and doesn't understand it. Let's not forget that pass is by the same individual that created WireGuard and a slew of other security-focused tools, and I think their reputation speaks for itself.

There is also "passage": https://github.com/FiloSottile/passage

It's pass with age encryption instead of PGP.

Discussed here: https://news.ycombinator.com/item?id=29597729