storing passwords and like sensitive info in linux?

WiseDraco · 10-03-2017, 04:07 AM

Hello!
i do a bit of investigation about subj, and come to vim with blowfish2 encryption.

http://blog.learningtree.com/encrypting-with-vim/

can anyone point out some flaws in that usage?
for me it looks perfect -vim is almost anywhere, decrypted verion not show in filesystem, built-in cipher and so on...

btw, what is nowadays with default encoding in vim?
it is utf8 or what?
any another advices?

Didier Spaier · 10-03-2017, 04:29 AM

Quote:

Originally Posted by WiseDraco

btw, what is nowadays with default encoding in vim?
it is utf8 or what?

Care to read the VIM documentation?

TIP: type UTF-8 in the search field of this page: http://vimdoc.sourceforge.net/

WiseDraco · 10-03-2017, 04:35 AM

ok, thanks:

If your current locale is in an utf-8 encoding, Vim will automatically start
in utf-8 mode.

If you are using another locale:

set encoding=utf-8

slalik · 10-03-2017, 04:51 AM

Quote:

Originally Posted by WiseDraco

Hello!
i do a bit of investigation about subj, and come to vim with blowfish2 encryption.

http://blog.learningtree.com/encrypting-with-vim/

can anyone point out some flaws in that usage?
for me it looks perfect -vim is almost anywhere, decrypted verion not show in filesystem, built-in cipher and so on...

You may also want 'noswapfile' and 'noundofile' options.

I use vim in xterm to keep secret stuff, but with the standard gpg encryption. This is the relevant part of .vimrc:

Code:

set backupskip+=secrets.gpg
  
augroup encrypted
  autocmd!
  autocmd BufReadPre,FileReadPre secrets.gpg
    \ set viminfo= | setlocal noswapfile noundofile bin
  autocmd BufReadPost,FileReadPost secrets.gpg
    \ execute "silent '[,']!gpg --decrypt --quiet --no-use-agent
    \ 2> /dev/null" | setlocal nobin nospell |
    \ execute "doautocmd BufReadPost " . expand("%:r") |
    \ silent! execute "!xdotool key F12 &>/dev/null || true"
  autocmd BufWritePre,FileWritePre secrets.gpg setlocal bin |
    \ '[,']!gpg --encrypt --recipient secrets --quiet --no-use-agent
  autocmd BufWritePost,FileWritePost secrets.gpg silent u | setlocal nobin
  autocmd VimLeave secrets.gpg !clear
augroup END

and this is a part of .Xresources:

Code:

XTerm*VT100.translations: #override \n\
  ...
  Meta<Key>s: secure() string(" view ~/secrets.gpg") string(0x0d) \n\
  <Key>F12: secure() \n\
  ...

As you see, Alt-s in xterm calls vim to read ~/secrets.gpg. The secure mode in xterm prevents typing password in a wrong window

WiseDraco · 10-03-2017, 05:29 AM

Quote:

Originally Posted by slalik

You may also want 'noswapfile' and 'noundofile' options.

I use vim in xterm to keep secret stuff, but with the standard gpg encryption. This is the relevant part of .vimrc:[CODE]set backupskip+=secrets.gpg

thanks for sharing valuable information!

if not secret, why you choose .gpg over vim build-in encryption?

slalik · 10-03-2017, 07:12 AM

Quote:

Originally Posted by WiseDraco

if not secret, why you choose .gpg over vim build-in encryption?

I think that for vim developers encryption is not an important feature. So, if it will be broken, it can take years to fix. For example, in current vim the langmap is broken in some situations (namely, when applied to a multibyte character, vim doesn't check for mappings). This is a known bug for several years and nobody cares to fix it. I don't want to be in a similar situation with encryption.

montagdude · 10-03-2017, 07:56 AM

I use this:

http://slackbuilds.org/repository/14...assword-store/

But any number of password managers would do just as well.

brianL · 10-03-2017, 08:05 AM

Isn't telling the whole internet how you store your passwords & sensitive info a mistake?

enorbet · 10-03-2017, 08:18 AM

Quote:

Originally Posted by brianL

Isn't telling the whole internet how you store your passwords & sensitive info a mistake?

Perhaps not, if one uses this avatar

WiseDraco · 10-03-2017, 08:30 AM

Quote:

Originally Posted by brianL

Isn't telling the whole internet how you store your passwords & sensitive info a mistake?

if your crypto or password sucks, not telling anyone anyhow do not save you, if anyone get interested.

and vice versa - if you have good password and goot algorytm, then i do not see any problems - all world compute power for tens of years not enought to brute-force it.

but if you are important enought, there is a mans in black, and with soldering iron, who can come to you, and in old, fashioned methods, you tell im all your keys, passwords, and all what he want to know in minutes... :P

brianL · 10-03-2017, 08:47 AM

I'm lucky. I'm too poor and insignifant for criminals & 3-letter agencies to take an interest in. So I write my passwords on bits of paper, stowed in places where only I could find them.

WiseDraco · 10-03-2017, 08:52 AM

Quote:

Originally Posted by brianL

I'm lucky. I'm too poor and insignifant for criminals & 3-letter agencies to take an interest in. So I write my passwords on bits of paper, stowed in places where only I could find them.

as i do for many years.
but as systems and passwords and so going to more and more,and my memory get worse it was very useful to have a just file with most important info, who i can have on various systems, and maybe even on my phone -encrypted, and readable only by me, but in any time, and any place.

this tale is all about that... :P

enorbet · 10-03-2017, 09:52 AM

The relative security of anything like an encrypted password file is also related to basic network security. Firewalls can not only have honey pots but fangs as well, or at the very least where intrusion attempts rarely go unnoticed.

Anecdote - I was once on a Linux IRC channel and casually pinged a member who immediately asked me why I pinged him. It turned out he had such attempts STDOUT'ed to an old and LOUD dot matrix printer alerting him with nearly an immediate, and lasting alarm/record. I later learned he was 14 years old. I was impressed and did definitely take note.

frankbell · 10-03-2017, 08:31 PM

I have used KeepassX for a number of years and have been quite happy with it.

There's a SlackBuild.

Richard Cranium · 10-03-2017, 09:00 PM

Quote:

Originally Posted by WiseDraco

if your crypto or password sucks, not telling anyone anyhow do not save you, if anyone get interested.

and vice versa - if you have good password and goot algorytm, then i do not see any problems - all world compute power for tens of years not enought to brute-force it.

but if you are important enought, there is a mans in black, and with soldering iron, who can come to you, and in old, fashioned methods, you tell im all your keys, passwords, and all what he want to know in minutes... :P

https://xkcd.com/538/ sums it up.