Suggestion for E2EE cloud sync #755

Open
aclifton314 opened this issue Feb 1, 2023 · 1 comment

@aclifton314

I'm a huge fan of LessPass and use it every day. I am thankful for all the work that has gone into it to make it a straightforward and reliable project. I understand the developer's desire to want to return to the original mission of LessPass and I do not fault them for wanting to slow things down.

That being said, I would like to make a suggestion that might help address some of the key points listed in the decommissioning blog post. I use another application for note taking and making todo lists called Joplin. Joplin has adopted an end-to-end encrypted syncing scheme that allows the user to determine which service they sync to (Dropbox, Nextcloud, etc.). Here is their workflow for E2EE and here is their description of synchronization.

Admittedly, I am remarkably naive about the workload an undertaking like this would require, let alone how it would be able to fit into LessPass (if at all). It seems to me that lifting from parts of Joplin and incorporating this functionality into LessPass might alleviate the server costs mentioned in the blog post. As well, perhaps it might ignite some motivation for the developers knowing they could address some concerns expressed by others while still maintaining their high expectations for security and privacy.

If the developers and others have any interest in pursuing this, I'd be happy to start a conversation about it. I have experience in C++ and am very comfortable with Python. I'd be willing to learn about other languages as needed as well. I wanted to throw the idea to the developers and see what they thought about it. Again, thank you for all the hard work put into LessPass and I look forward to any replies.

@Nitrousoxide

LessPass should be able to encrypt its own site and username list export, no? It should be relatively straightforward to use the master password to encrypt/decrypt the site and username (and password counter) export and keep multiple instances in sync that way.

Not hosting the export yourself as the project head and instead requiring the user to use another service like Google Drive, iCloud, WebDAV, etc. eliminates some concerns that you might have had regarding you hanging on to a bunch of Personally Identifying Information that puts you at risk.

The naive way to handle it would be to just download the new version of the export if the Unix timestamp on it is newer than the last one for the local instance and it has a different hash. Though I guess this could result in conflicts where two offline applications make different changes and later try to upload the new export.
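
The timestamp-plus-hash rule from the comment above and the conflict it mentions, as an added example that is not part of the thread or of LessPass's code. It goes beyond the comment by also comparing both copies against the hash recorded at the last sync; `ExportMeta`, `naive_decision`, `three_way_decision` and the sample blobs are assumptions made for illustration.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class ExportMeta:
    """One copy of the export (hypothetical structure for this example)."""
    mtime: int   # Unix timestamp of the last change
    digest: str  # SHA-256 of the export blob exactly as stored


def describe(blob: bytes, mtime: int) -> ExportMeta:
    # The blob is treated as opaque bytes (assumed already encrypted).
    return ExportMeta(mtime, hashlib.sha256(blob).hexdigest())


def naive_decision(local: ExportMeta, remote: ExportMeta) -> str:
    """Rule from the comment: take the remote copy if newer and different."""
    if remote.mtime > local.mtime and remote.digest != local.digest:
        return "download"
    return "keep-local"


def three_way_decision(local: ExportMeta, remote: ExportMeta, base_digest: str) -> str:
    """Compare both copies with the digest recorded at the last sync.

    Does not depend on timestamps, so clock skew cannot hide a change.
    """
    if local.digest == remote.digest:
        return "in-sync"
    local_changed = local.digest != base_digest
    remote_changed = remote.digest != base_digest
    if local_changed and remote_changed:
        return "conflict"  # both sides edited since the last sync
    return "download" if remote_changed else "upload"


def demo() -> tuple:
    # Constructed sample: two devices start from the same synced export.
    base = describe(b"export-v1", 1000)
    device_a = describe(b"export-v1 + site added offline on A", 1100)
    remote = describe(b"export-v1 + counter bumped on B", 1200)  # B uploaded
    return (naive_decision(device_a, remote),
            three_way_decision(device_a, remote, base.digest))


if __name__ == "__main__":
    print(demo())  # → ('download', 'conflict')
```

With the naive rule, device A silently discards its offline edit; the three-way check reports the conflict instead.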
