dump all content

HacKan hackan at gmail.com
Sat Apr 11 22:18:07 CEST 2020


Well, printing plaintext is the definition of not secure... However,
it's not too hard to create a plugin/add-on/script for this.

One would argue that you could print b64-encoded encrypted passwords
("armored" in gpg terminology) and then recover them using OCR, but I
wouldn't trust such a thing as a good backup.

All in all, I would go for creating the plugin for pass dump as you said.

Cheers!

On 4/10/20 2:57 PM, J Rt wrote:
> Ok, so we have basically 2 options so far if I understand correctly:
>
> 1)
>
> $ pass grep .
>
> and probably some $ pass grep . > SOME_FILE and then print SOME_FILE
> if one wants to print it out.
>
> This works perfectly. The format is a bit different, but this is no
> worries at all. I suppose pass grep . is safe 'by design' as it goes
> straight into terminal (?). Then people may do whatever they want with
> this, including dumping to a file on permanent storage for printing
> unfortunately which may be unsafe. So for somebody wanting to print
> the passwords, that may be easy but also quite unsafe especially if
> the home folder is not encrypted, right?
>
> 2)
>
> the script provided, that should create a tmpfs storage for safety. I
> have a problem with this on my machine to get it to work as is as my
> tmp is not a tmpfs, but I could of course fix it. It looks a bit
> redundant with the grep . on several aspects though.
>
> Therefore, it seems that there is no really satisfactory solution at
> the moment that makes it easy for the user to make 'safe' choices if
> they want to dump the passwords to a file for printing, right?
>
> Would it then be a good idea maybe to create a new command to dump to
> file? Something that would 1) create a new tmpfs partition 2) dump
> there 3) delete automatically the partition after a while to make sure
> it disappears? What about something like (this may be bad / very
> naive, feedback welcome):
>
> $ pass dump
>
> doing something in this kind:
>
> mkdir /tmp/password-store-dump
> sudo mount -t tmpfs -o size=128m tmpfs /tmp/password-store-dump
> pass grep . > /tmp/password-store-dump/dump.txt
> echo "dump available at: /tmp/password-store-dump/dump.txt; will be cleaned in 15 minutes"
> (sleep 900; sudo umount -l /tmp/password-store-dump) &
>
> Would it be reasonable to provide a function in this kind to the user?
> Then would it be safe to just open the file and print it (of course
> the user still needs to remember to reset / clean the printer's memory,
> but this is another story)?

-- 
HacKan || Iván
GPG: 0x35710D312FDE468B
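
The `pass dump` flow proposed in the quoted message, sketched as an added example that is not part of either message or of pass itself: it writes the dump into a private directory on an already mounted tmpfs instead of mounting one with sudo. The function names, the `ALLOW_DISK` override and the `/dev/shm` default are assumptions.

```sh
#!/bin/sh
# Added example. Function names, ALLOW_DISK and the /dev/shm default are
# assumptions for illustration; they are not part of pass.

# True if DIR is on a RAM-backed filesystem (stat -f as in GNU coreutils).
is_ram_backed() {
    case "$(stat -f -c %T "$1" 2>/dev/null)" in
        tmpfs|ramfs) return 0 ;;
        *) return 1 ;;
    esac
}

# secure_dump BASE CMD [ARG...]: run CMD and store its output in a new
# 0700 directory under BASE as a 0600 file; print the file's path.
# Runs in a subshell so the umask and variables do not leak to the caller.
secure_dump() (
    [ "$#" -ge 2 ] || { echo "usage: secure_dump BASE CMD [ARG...]" >&2; exit 2; }
    base=$1; shift
    # Refuse persistent storage unless explicitly overridden (ALLOW_DISK=1).
    if ! is_ram_backed "$base" && [ "${ALLOW_DISK:-0}" != 1 ]; then
        echo "refusing: $base is not on tmpfs/ramfs" >&2
        exit 1
    fi
    umask 077
    dir=$(mktemp -d "$base/pass-dump.XXXXXXXX") || exit 1
    if ! "$@" > "$dir/dump.txt"; then
        rm -rf -- "$dir"        # do not leave a partial dump behind
        exit 1
    fi
    printf '%s\n' "$dir/dump.txt"
)

# Remove a dump created by secure_dump, together with its directory.
cleanup_dump() {
    case "$1" in
        */pass-dump.*/dump.txt) rm -rf -- "${1%/dump.txt}" ;;
        *) echo "not a dump path: $1" >&2; return 1 ;;
    esac
}

# The flow proposed in the thread, without sudo or a new mount.
dump_for_printing() {
    f=$(secure_dump /dev/shm pass grep .) || return 1
    echo "dump available at: $f; will be cleaned in 15 minutes"
    ( sleep 900; cleanup_dump "$f" ) >/dev/null 2>&1 &
}
```

Data on tmpfs can still be written to swap, so this complements encrypted swap rather than replacing it.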