dump all content

HacKan hackan at gmail.com
Mon Apr 13 20:37:08 CEST 2020


If you print them, make sure to use an ink printer! Laser lasts way less
time. If you store an ink-printed paper as QR code (which even has data
redundancy) in some sort of folder or plastic content safe from heat and
moisture, it should last for decades. How long is of course unknown.

Cryptocurrency people do several things like this to store secret
keys, like printing and plasticizing it or even engraving in metal (won't
do for GPG encrypted content, even using ED would yield a very long
ciphertext).

But all of this means you never rotate your passwords, which is also not
good :P
I usually rotate all of my passwords every year or every other year at
most. So old backups won't matter to me. This is just to say, as an
example, that each one of us has different needs and wants, so there's no
single fit-all solution.

As you stated, QR seems a good solution for your needs and perhaps using
it might let you keep your data encrypted. Otherwise, printing plaintext
and storing it in a bank safe or so could be OK too.

Cheers!

On 4/12/20 5:30 AM, J Rt wrote:
> Ok, thanks. 
>
> I am not really sure that it is so bad. Like, if I use a RPi off
> network for nothing but 'high security' use, and I connect it to a USB
> printer and archive the printed passwords in a safe, I guess this is
> quite ok. The problem is, I need a form of reliable backup for my
> passwords, and I think that paper is still best.
>
> Another solution would be to dump to paper the full password-store and
> encrypted gpg key. That comes with some challenges (starts to be quite
> large files, how to load it back in the computer?). I have started to
> work on a small tool for this (qrdump, for dumping a few 10s to 100s
> of kB as a series of qr codes, if you are
> interested: https://github.com/jerabaul29/qrdump ), but still, are
> there any guarantees that I will be able to scan and assemble this
> back in 10 years? I don't know. By contrast the paper dump of raw
> passwords should be ok in all cases.
>
> Sat. 11 Apr. 2020, 22:18, HacKan <hackan at gmail.com> wrote:
>
>     Well, printing plaintext is the definition of not secure... However,
>     it's not too hard to create a plugin/add-on/script for this.
>
>     One would argue that you could print b64 encoded encrypted password
>     ("armored" in gpg terminology). And then recover them using OCR, but I
>     wouldn't trust such thing as a good backup.
>
>     All in all, I would go for creating the plugin for pass dump as
>     you said.
>
>     Cheers!
>
>     On 4/10/20 2:57 PM, J Rt wrote:
>     > Ok, so we have basically 2 options so far if I understand correctly:
>     >
>     > 1)
>     >
>     > $ pass grep .
>     >
>     > and probably some $ pass grep . > SOME_FILE and then print SOME_FILE
>     > if one wants to print it out.
>     >
>     > This works perfectly. The format is a bit different, but this is no
>     > worries at all. I suppose pass grep . is safe 'by design' as it goes
>     > straight into terminal (?). Then people may do whatever they want with
>     > this, including dumping to a file on permanent storage for printing
>     > unfortunately which may be unsafe. So for somebody wanting to print
>     > the passwords, that may be easy but also quite unsafe especially if
>     > the home folder is not encrypted, right?
>     >
>     > 2)
>     >
>     > the script provided, that should create a tmpfs storage for safety. I
>     > have a problem with this on my machine to get it to work as is as my
>     > tmp is not a tmpfs, but I could of course fix it. It looks a bit
>     > redundant with the grep . on several aspects though.
>     >
>     > Therefore, it seems that there is no real satisfactory solution at
>     > the moment that makes it easy for the user to take 'safe' choices if
>     > they want to dump to a file the passwords for printing, right?
>     >
>     > Would it then be a good idea maybe to create a new command to dump to
>     > file? Something that would 1) create a new tmpfs partition 2) dump
>     > there 3) delete automatically the partition after a while to make sure
>     > it disappears? What about something like (this may be bad / very
>     > naive, feedback welcome):
>     >
>     > $ pass dump
>     >
>     > doing something in this kind:
>     >
>     > mkdir /tmp/password-store-dump
>     > sudo mount -t tmpfs -o size=128m tmpfs /tmp/password-store-dump
>     > pass grep . > /tmp/password-store-dump/dump.txt
>     > echo "dump available at: /tmp/password-store-dump/dump.txt; will be cleaned in 15 minutes"
>     > (sleep 900; sudo umount -l /tmp/password-store-dump) &
>     >
>     > Would it be reasonable to provide a function in this kind to the user?
>     > Then would it be safe to just open the file and print it (of course
>     > the user still needs to remember to reset / clean the printer's memory,
>     > but this is another story)?
>
>     -- 
>     HacKan || Iván
>     GPG: 0x35710D312FDE468B
>
>
-- 
HacKan || Iván
GPG: 0x35710D312FDE468B
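
The tmpfs dump discussed in the quoted messages, as an added example that is not part of the original thread or of pass itself: it refuses to write unless the target directory really is RAM-backed (the quoted problem of a /tmp that is not tmpfs) and keeps the dump private to the user. The names fstype_of, dump_to_ram and the MOUNTS override are hypothetical; only `pass grep .` comes from the thread.

```shell
#!/bin/sh
# Added example: dump the password store only onto RAM-backed storage.
# MOUNTS (default /proc/self/mounts) can be overridden so the check can
# be exercised against a constructed mount table.

# Print the filesystem type of the mount holding absolute path $1.
# Longest mount-point prefix wins; a later entry shadows an earlier one.
# Assumes mount points without spaces (the table escapes them as \040).
fstype_of() {
    awk -v p="$1" '
        $2 == "/" || p == $2 || index(p, $2 "/") == 1 {
            if (length($2) >= best) { best = length($2); fs = $3 }
        }
        END { print fs }' "${MOUNTS:-/proc/self/mounts}"
}

# Write `pass grep .` output to a private file under directory $1.
# Prints the dump path; returns 1 and writes nothing if $1 is on disk.
# Note: tmpfs pages can still be written to swap; ramfs pages cannot.
dump_to_ram() {
    base=$1
    case "$(fstype_of "$base")" in
        tmpfs|ramfs) ;;
        *) echo "refusing: $base is not tmpfs/ramfs" >&2; return 1 ;;
    esac
    old_umask=$(umask)
    umask 077                            # directory 0700, file 0600
    dir=$(mktemp -d "$base/pass-dump.XXXXXX") || { umask "$old_umask"; return 1; }
    pass grep . > "$dir/dump.txt" || :   # success is judged by output below
    umask "$old_umask"
    [ -s "$dir/dump.txt" ] || { rm -rf "$dir"; return 1; }
    printf '%s\n' "$dir/dump.txt"
}
```

On most Linux systems `dump_to_ram "${XDG_RUNTIME_DIR:-/dev/shm}"` needs no sudo and no new mount; remove the printed directory as soon as the page has been printed.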


