Re: mutt and plaintext passwords : muttrc encryption ?

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Monday, July 28 at 09:53 PM, quoth Michele Martone:
> this seems almost perfect to me. marvelous, elegant, general, thanks ! 
> (so i do not dare to quote a piece of your email ..)

Happy to help!

> still I can't stand the need of a wrapper.. if only one could use 
> multi line shell expansion, and place that `gpg --decrypt` straight 
> into the muttrc.

Well, I thought about that. We can solve it, but there are drawbacks 
(such as needing other software, or using a temporary file).

For example, if you use gpg-agent to store your passphrase, then you 
can encrypt each password as its own file:

     echo password | gpg --encrypt -o ~/.acct1_pass
     echo password2 | gpg --encrypt -o ~/.acct2_pass

Then put this into your muttrc:

     set my_acct1_pass=`gpg --decrypt ~/.acct1_pass`
     set my_acct2_pass=`gpg --decrypt ~/.acct2_pass`

     account-hook account2 'set imap_pass=$my_acct2_pass'

The key to making that convenient, though, is using gpg-agent to store 
your passphrase (so you don't have to enter it multiple times). 

If mutt could pass $my_* variables into shell escapes (or could 
directly manipulate its own variables the way that bash can (e.g. 
${my_acctpwds#*:})), then you could try using a separator character in 
your passwords (such as a colon) and then figure them out within the 
muttrc. For example, you could create the encrypted file like so:

     echo password1:password2 | gpg --encrypt -o ~/.acctpwds

Then put this in your muttrc:

     set my_acctpwds=`gpg --decrypt ~/.acctpwds`
     set my_acct1_pass=`echo $my_acctpwds | cut -d: -f1`
     set my_acct2_pass=`echo $my_acctpwds | cut -d: -f2`

But, of course, since you can't do that... c'est la vie. :)

Now, it's also possible to use a temporary file to do this:

     set my_acctpwds=`gpg --decrypt ~/.acctpwds > ~/tmp/acctpwds`
     set my_acct1_pass=`cut -d: -f1 ~/tmp/acctpwds`
     set my_acct2_pass=`cut -d: -f2 ~/tmp/acctpwds ; rm ~/tmp/acctpwds`

But that's obviously suboptimal if you're trying to avoid ever having 
that stuff on disk in plain text. It may be more acceptable if you 
have a memory-only filesystem somewhere (such as tmpfs on Linux), but 
we're getting into the realm of specialized software again.

~Kyle
-- 
I am ready to meet my Maker. Whether my Maker is ready for the great 
ordeal of meeting me is another matter.
                                                   -- Winston Churchill
-----BEGIN PGP SIGNATURE-----
Comment: Thank you for using encryption!

iEYEARECAAYFAkiOOPYACgkQBkIOoMqOI17KYwCeKXdZMcTLvL/yDoLib7TrQXR9
BasAoJxchtRVq0yZfSs77uX5nUMRYk1v
=EBqZ
-----END PGP SIGNATURE-----
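The "decrypt with gpg, split on a colon" idea from the message above, written as a small script rather than as muttrc lines. This is an added example and not code from the thread or from mutt itself. It differs from the temporary-file variant in that each field is pulled out of a pipe, so the decrypted text exists only in memory, and it avoids `echo password | gpg` by reading the secrets from stdin so they do not land in shell history. It assumes gpg-agent is caching the passphrase; the names store_passwords, pass_field, DECRYPT and the file ~/.acctpwds are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the thread): keep several passwords in one
# gpg-encrypted file and extract one of them through pipes only.
# Assumes gpg-agent holds the passphrase so repeated decrypts are silent.
# store_passwords, pass_field and DECRYPT are names chosen for this example.

# Command used to decrypt; a variable so it can be swapped for a test double.
DECRYPT=${DECRYPT:-"gpg --quiet --batch --decrypt"}

# store_passwords FILE RECIPIENT
# Reads "password1:password2" from stdin (nothing in shell history or in
# the process list) and writes it encrypted to FILE, created with mode
# 0600 because of the umask set in the subshell.
store_passwords() {
    (umask 077 && gpg --quiet --batch --encrypt -r "$2" -o "$1")
}

# pass_field FILE N
# Prints colon-separated field N (1-based) of the decrypted contents of
# FILE. The plaintext flows gpg -> cut -> tr through pipes; no temp file.
# tr strips the trailing newline so the value is safe to assign in muttrc.
pass_field() {
    # shellcheck disable=SC2086 -- word-splitting $DECRYPT is intended
    $DECRYPT "$1" | cut -d: -f"$2" | tr -d '\n'
}

# When run as a script with two arguments, behave as a CLI for muttrc:
#   set my_acct1_pass=`sh ~/bin/pass_field.sh ~/.acctpwds 1`
#   set my_acct2_pass=`sh ~/bin/pass_field.sh ~/.acctpwds 2`
if [ $# -eq 2 ]; then
    pass_field "$1" "$2"
fi
```

To create the file once, run `printf 'password1:password2\n' | sh pass_field.sh` is not enough; source the script and call `store_passwords ~/.acctpwds you@example.org` (recipient is a constructed placeholder), typing the line into its stdin. Each muttrc variable then costs one gpg invocation, which is cheap while the agent has the passphrase cached, and the combined string is never held in a mutt variable.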