
I only recently added a second key to my password store, and ran pass init to "rotate" the encryption and add a 2nd key.

It's my impression that you push these changes to the git repo, so any other employee would pull and the files would already be fixed to exclude the former employee.

So it's not a case of each employee having to run pass init, they just pull from git and get the updated files.

I believe pass for teams requires a key manager who does this and pushes to git for all employees. The optimal security would be that employees only have read access but that's not very practical.



Yes, but this doesn't lock people out of decrypting old copies; it's git, they can roll back to before their key was removed, and decrypt every old secret they had access to which hasn't been rotated yet. The key rotation on every employee change is the hard part.
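
An added example, not from this thread or from pass itself: a small Python parser that lists the OpenPGP recipient key IDs a password-store `.gpg` file is encrypted to, so after a `pass init` with the new key list you can confirm that no file in the working tree, or in an older revision (feed it the bytes from `git show <rev>:<path>`), is still encrypted to the removed key. The sample packet bytes are constructed; hidden recipients (gpg's `--throw-keyids`) are flagged because the check cannot rule them out.

```python
# Lists the OpenPGP recipient key IDs of a password-store .gpg file.
PKESK_TAG = 1                  # Public-Key Encrypted Session Key (RFC 4880 5.1)
HIDDEN_KEYID = b"\x00" * 8     # gpg --throw-keyids / hidden recipient

def _packets(data: bytes):
    """Yield (tag, body) for each packet of an OpenPGP binary message."""
    i = 0
    while i < len(data):
        hdr = data[i]
        if not hdr & 0x80:
            raise ValueError(f"bad packet header at offset {i}")
        if hdr & 0x40:                              # new-format header
            tag, b1 = hdr & 0x3F, data[i + 1]
            if b1 < 192:
                length, i = b1, i + 2
            elif b1 < 224:
                length, i = ((b1 - 192) << 8) + data[i + 2] + 192, i + 3
            elif b1 == 255:
                length, i = int.from_bytes(data[i + 2:i + 6], "big"), i + 6
            else:
                raise ValueError("partial body lengths not supported")
        else:                                       # old-format header
            tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
            if ltype == 3:
                raise ValueError("indeterminate packet length not supported")
            n = (1, 2, 4)[ltype]
            length, i = int.from_bytes(data[i + 1:i + 1 + n], "big"), i + 1 + n
        yield tag, data[i:i + length]
        i += length

def recipients(data: bytes) -> list:
    """Hex key IDs of every PKESK recipient; '*' marks a hidden recipient."""
    ids = []
    for tag, body in _packets(data):
        if tag == PKESK_TAG and body and body[0] == 3:   # version 3 PKESK
            kid = body[1:9]
            ids.append("*" if kid == HIDDEN_KEYID else kid.hex().upper())
    return ids

def still_readable_by(data: bytes, removed_keyids: set) -> set:
    """Removed key IDs that can still decrypt data; '*' is reported as unknown."""
    found = set(recipients(data))
    return found & ({k.upper() for k in removed_keyids} | {"*"})

# Constructed sample: PKESK for key ID 0102030405060708 (old-format header,
# 2-byte length, algo 1 = RSA, one dummy MPI) followed by a tiny SEIPD packet.
SAMPLE = (bytes([0x85, 0x00, 0x0D, 0x03]) + bytes.fromhex("0102030405060708")
          + bytes([0x01, 0x00, 0x08, 0xAB]) + bytes([0xD2, 0x03, 0x01, 0xDE, 0xAD]))
```

Run `recipients(open(path, "rb").read())` over every `.gpg` file in the store; any file listing the removed key ID, or `*`, still needs re-encryption.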


You have to assume in any case and for any password manager that they retain a decrypted copy - worst case manually copying the secret to a text file.



