Comment by mcny

Comment by mcny 5 days ago

What is a proper solution for this? I don't imagine gpg can help if you encrypt it but decrypt it when you login to gnome, right? However, it would be too much of a hassle to have to authenticate each time you need a token. I imagine macOS people have access to the secure enclave using touch ID but then even that is not available on all devices.

I feel like we are barking up the wrong tree here. The plain text token thing can't be fixed. We have to protect our computers from malware to begin with. Maybe Microsoft was right to use secure admin workstations (saw) for privileged access but then again it is too much of a hassle.

sakisv 5 days ago

The way I solve the plain text problem is through a combination of direnv[1] and pass[2].

For a given project, I have a `./creds` directory which is managed with pass and it contains all the access tokens and api keys that are relevant for that project, one per file, for example, `./creds/cloudflare/api_token`. Pass encrypts all these files via gpg, for which I use a key stored on a Yubikey.

Next to the `./creds` directory, I have an `.envrc` which includes some lines that read the encrypted files and store their values in environment variables, like so: `export CLOUDFLARE_API_TOKEN=$(pass creds/cloudflare/api_token)`.

Every time that I `cd` into that project's directory, direnv reads and executes that file (just once) and all these are stored as environment variables, but only for that terminal/session.

This solves the problem of plain-text files, but of course the values remain in ENV and something malicious could look for some well known variable names to extract from there. Personally I try to install things in a new termux tab every time which is less than ideal.

I'd like to see if and how other people solve this problem

[1]: https://direnv.net/ [2]: https://www.passwordstore.org/

Reply View 4 replies

gerardnico 5 days ago

You can even go further and delete all your secrets from your env by creating wrapper scripts
Example : https://github.com/combostrap/devfiles/blob/main/dev-scripts...
It’s not completely full proof but at least gpg asks my passphrase only when I run the script

Reply View | 0 replies
hrimfaxi 5 days ago

At least with direnv your exports are removed when you leave the directory.

Reply View | 0 replies
internet_points 5 days ago

but if you `cd project && npm install compromised-package` then compromised-package's setup script can still read your env vars, right?

Reply View | 1 reply
- tinodb 3 days ago
  
  Yes, but I guess that is still much better than that it can read all your .env files on your machine
  
  Reply View | 0 replies

L-four 5 days ago

I think the correct solution is to use a keyring. On Linux there's gnome keyring and last time I worked on a IOS app there was something similar.

This does mean entering your keyring password a lot.

https://en.wikipedia.org/wiki/GNOME_Keyring

Reply View 5 replies

1718627440 5 days ago

> This does mean entering your keyring password a lot.
Not when you put that keyrings password into the user keyring. I think it is also cached by default.

Reply View | 4 replies
- masfuerte 5 days ago
  
  Then what stops the malware accessing the keyring?
  
  Reply View | 3 replies
  
  1718627440 5 days ago
  
  The security boundary on the OS is the user of the process. If you run the malware under the same user as the key, than yes of course it has access. But in production you don't run software under the same user, and on the developer machine you wouldn't put the production key in the user keychain.
  
  Reply View | 0 replies
  
  mxey 5 days ago
  
  On disk, it’s encrypted. The running service, at least on macOS, only hands the item out to specific apps, based on their code signing identity.
  
  Reply View | 1 reply
  
  ElectricalUnion 5 days ago
  
  Who signs an "app" when I download it from Homebrew?
  If all Homebrew "apps" are the same key then accepting a keyring notification on one app is a lost cause at it would allows things vulnerable to RCE to read/write everything?
  
  Reply View | 0 replies

flir 5 days ago

It might be possible to lash up a cross-plaform solution with KeePassXC. It's got an API that can be accessed from the command line (chezmoi uses it to add secrets to dotfiles). Yes, you'd be authenticating every time you need a token but that might not be too much of a burden if you spend most of your time on a machine with a fingerprint scanner.

otoh I wouldn't do it, because I don't believe I could implement it securely.

Reply View 1 reply

data-ottawa 5 days ago

I’ve got this work 1password setup, the only issue is if you have background tasks.
I had a Borg backup script for example and 1password needed me to authenticate to run it.
Authenticating for ssh and git is great.

Reply View | 0 replies

__turbobrew__ 4 days ago

Yubikey/TouchID

Reply View 0 replies