Password security - was MyPasswordSafe converter to KeePassX available
Gregory Galperin
grg-webvisible+blu-iSp611qFfoI3uPMLIKxrzw at public.gmane.org
Sun Dec 12 21:26:07 EST 2010
On Sat, Dec 11, 2010 at 08:33:30PM -0500, Bill Mills-Curran wrote:
> On Fri, Dec 10, 2010 at 11:18:14PM -0500, Ryan Pugatch wrote:
> > From: Ryan Pugatch <rpug-vYTEC60ixJUAvxtiuMwx3w at public.gmane.org>
> > To: blu <discuss-mNDKBlG2WHs at public.gmane.org>
> > Date: Fri, 10 Dec 2010 23:18:14 -0500
> > Subject: Password security - was MyPasswordSafe converter to KeePassX available
> >
> <snip>
> >
> > This seems like a pretty neat idea. Maybe I'm just set in my ways, but
> > I just keep my passwords stored in a gpg encrypted file.
> >
> > I have a Makefile which I use to easily decrypt/view/edit/encrypt and it
> > uses bcwipe to securely erase the unencrypted version.
>
> I also keep my (too many) passwords in a gpg encrypted file. I
> decrypt in an xemacs shell so there's no decrypted file on disk.
> (Yes, I'm sure it exists in swap somewhere.)
>
> Bill

I do the same kind of thing, and wrote a set of hooks to make xemacs pretend
it's a regular file and do the de/encryption behind the scenes for me. the
ways in which it doesn't act like a normal file are:

* you obviously have to type in your passphrase to open the file and before
  saves after the passphrase timeout
* I turn off auto-save so unencrypted versions don't get written to disk.
  it does do version control (e.g. kept-new-versions) on the encrypted files.
* when you save, it's a bit annoying that due to the encrypt-save-decrypt
  it moves you to the start of the file every time

this works in my xemacs but last time I tried this in emacs it didn't. it
might need you to (require 'cl), I'm not sure. relevant fragment from my
.emacs below in case someone else finds it useful.

--grg

;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;;;
;;;; GPG/mailcrypt
;;;;

(ignore-errors (require 'mailcrypt)
  ;;(require 'mailcrypt-init) ;; which of these is right?
  (if (string< "3.4" mc-version)
      (mc-setversion "gpg")) ; only for mc-version > 3.4
  (autoload 'mc-install-write-mode "mailcrypt" nil t)
  (autoload 'mc-install-read-mode "mailcrypt" nil t))

;; If you have more than one key, specify the one to use
;(setq mc-gpg-user-id "0x12345678")

;; Always sign encrypted messages
(setq mc-pgp-always-sign t)

;; Allow self to decrypt all encrypted sent messages.
(setq mc-encrypt-for-me t)

;; How long should mailcrypt remember your passphrase
(setq mc-passwd-timeout 600)
;; note: (setf mc-passwd-cache nil) to wipe the remembered passphrases now
;; TBD: should make this an easy command and/or key binding.

;; To sign automatically every message sent
;(add-hook 'message-send-hook 'my-sign-message)
;(defun my-sign-message ()
;  (if (yes-or-no-p "Sign message? ")
;      (mc-sign-message)))

;(setq mc-pgp-keyserver-address "wwwkeys.us.pgp.net"
;      mc-pgp-keyserver-port 11371
;      mc-pgp-keyserver-url-template "/pks/lookup?op=get&search=%s")

;; Mnemonic shortcut.
(defun forget-passphrase ()
  (interactive)
  (mc-deactivate-passwd))

;;;
;;; Auto-Encrypted files
;;;
;; also note there's an "mc-auto-encrypt" package available online.

;; This is the auto-encryption function to be used as a load hook:
;; ;;; Local Variables:
;; ;;; eval: (grg-auto-encrypt "grg-F9EOTng7swpUX5oH2E+m6wslLGjC9pICYKB5T7WKXak at public.gmane.org")
;; ;;; End:
;; Errors in the initial decryption (such as when loading an empty file with
;; only the above local variable) seems to prevent the hooks from being set
;; up in some xemacs versions. Either bootstrap by loading a valid encrypted
;; file with the new name (deleting the old contents), or manually set the
;; before-save-hook, save, immediately exit, and then reload to get everything
;; set up correctly.
;; Partially stolen off the web from crs-auto-encrypt by Charles Sebold.
(defun grg-auto-encrypt (encrypt-key-email-address-string)
  ;; Create a before-save-hook (used by auto encryption functions).
  ;; Stolen verbatim off the web from Charles Sebold (csebold-Qq3zl6YTP9U at public.gmane.org).
  ;; These hooks might be useful in other functions; but if I do this at the
  ;; top level, I probably at least need to re-run the make-local-hooks here.
  (defvar before-save-hook nil)
  (make-local-hook 'before-save-hook)
  (defadvice save-buffer (before crs-before-save-run-hooks)
    "Run before-save-hook before saving."
    (run-hooks 'before-save-hook))
  (ad-activate 'save-buffer)
  (make-local-hook 'after-save-hook)

  ;; Urk -- the encrypt-decrypt combo adds a blank line before Local Variables
  ;; each time it's called... need to redefine mc-gpg-msg-end-line here?
  ;; But: it seems to work OK on xemacs 21.4.6 + mc 3.5.6.
  (make-local-variable 'mc-gpg-msg-end-line)
  (setq mc-gpg-msg-end-line "^-----END PGP MESSAGE-----\n?")

  (mc-decrypt)
  (not-modified)       ; decrypting makes it appear modified; reset.
  ;; A negative argument always turns auto-save off; a nil argument toggles
  ;; or enables it, depending on the Emacs version.
  (auto-save-mode -1)  ; else we save #files# in clear text!
  ; (should I try auto-save-visited-file-name? auto-save would
  ; be nice as long as it leaves me at the current point. TBD.)

  (make-local-variable 'recipient-string)
  (setq recipient-string encrypt-key-email-address-string)
  (make-local-variable 'pre-save-point)

  (add-hook 'before-save-hook
            (lambda ()
              (setq pre-save-point (point))
              ;; NOTE! it's important that the recipient not be empty -- that
              ;; saves the file in plaintext!
              ;; I should really be looking at the return value here...
              (mc-encrypt-generic recipient-string nil 0
                                  (save-excursion
                                    (end-of-buffer)
                                    (re-search-backward "[L]ocal Variables:"
                                                        nil t)
                                    (beginning-of-line)
                                    (point)))
              (goto-char pre-save-point))
            nil t) ; make hook buffer-local

  (add-hook 'after-save-hook
            (lambda ()
              (mc-decrypt)   ; leave the buffer decrypted
              (not-modified) ; decrypting makes it appear modified; reset.
              (goto-char pre-save-point)) ; FIXME: why isn't this working???
            nil t) ; make hook buffer-local
  )
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
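
A disk-side check for the failure the note in the before-save hook warns about (an empty recipient saving the file in plaintext), added here as an example and not part of the original post. It parses the saved file's ASCII armor, confirms the first OpenPGP packet is a session-key packet, and flags any cleartext outside the armor other than the Local Variables trailer; the function names, sample contents and the address user@example.org are constructed for illustration.

```python
import base64
import re

ARMOR = re.compile(r"(?ms)^-----BEGIN PGP MESSAGE-----\n(.*?)\n-----END PGP MESSAGE-----\n?")
ENCRYPTED_TAGS = {1, 3}  # public-key / symmetric-key encrypted session key packets

def armor(packets):
    """Wrap raw packet bytes in ASCII armor (only used to build the constructed samples)."""
    body = base64.encodebytes(packets).decode()
    return "-----BEGIN PGP MESSAGE-----\n\n" + body + "-----END PGP MESSAGE-----\n"

def first_packet_tag(data):
    """Tag of the first OpenPGP packet, or None if the header byte is invalid."""
    if not data or not data[0] & 0x80:
        return None
    return data[0] & 0x3F if data[0] & 0x40 else (data[0] >> 2) & 0x0F

def leaked_lines(text):
    """Non-blank lines that are not part of the Local Variables trailer."""
    leaked, in_trailer = [], False
    for line in text.splitlines():
        in_trailer = in_trailer or "Local Variables:" in line
        if line.strip() and not in_trailer:
            leaked.append(line)
        if in_trailer and line.rstrip().endswith("End:"):
            in_trailer = False
    return leaked

def check_saved_file(text):
    """Return (ok, reason) for the on-disk contents of an auto-encrypted file."""
    m = ARMOR.search(text)
    if not m:
        return False, "no PGP armor: file was saved in cleartext"
    # Skip armor headers ("Version: ...") and the "=XXXX" checksum line.
    b64 = "".join(l for l in m.group(1).splitlines()
                  if l and ":" not in l and not l.startswith("="))
    try:
        tag = first_packet_tag(base64.b64decode(b64, validate=True))
    except ValueError:
        return False, "armor body is not valid base64"
    if tag not in ENCRYPTED_TAGS:
        return False, f"first packet tag {tag} is not an encrypted session key"
    leaked = leaked_lines(text[:m.start()] + text[m.end():])
    return (False, f"{len(leaked)} cleartext line(s) outside the armor") if leaked else (True, "encrypted")

# Constructed samples (not real data): 0x85 is an old-format header byte for tag 1.
TRAILER = '\n;;; Local Variables:\n;;; eval: (grg-auto-encrypt "user@example.org")\n;;; End:\n'
ENCRYPTED_SAMPLE = armor(b"\x85\x01\x0c" + bytes(range(40))) + TRAILER
PLAINTEXT_SAMPLE = "bank: hunter2\n" + TRAILER
```

The check only inspects the outer packet header, so it confirms the file is an encrypted OpenPGP message, not which key it was encrypted to.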