#1 2014-08-23 17:06:05

pirj
Member
From: Phuket, Thailand
Registered: 2011-11-24
Posts: 19

[SOLVED] Hide sensitive info from dotfiles

I'm keeping my dotfiles in the open. My ~ folder is under control of git, and I commit the changes if I do some corrections to user space config files so that I can easily restore them if I have to use another machine.
I even keep track of installed packages by periodically running

pacman -Qqe > .packages

so that I can restore that all at once.

But there's a huge problem with this. There are some tools that store some passwords or tokens in the open. These are (just to name a few):
- tox messenger (not using anymore)
- irssi (not using anymore)
- weechat (freenode.net password)
- mcabber (jabber password)
- bitcoin-qt (who knows what, not using anymore)
- engine_yard client (api_token, not using anymore)
- rubygems (api key)
- ...

The problem is they are mostly storing their passwords/tokens along with other configuration I would like to keep.

Is it safe to put those files on a dm-crypt volume and put this crypted disk online?
Mount this volume on log in and keep symlinks to those files from $XDG_CONFIG_HOME
Some kind of password safe?

I'm more afraid of losing those passwords and configs than of someone else pwning them (they are in the open anyway, and I have some suspicious tools like Skype and systemd ;) running).

Last edited by pirj (2014-08-27 23:44:04)


#2 2014-08-23 17:28:58

ANOKNUSA
Member
Registered: 2010-10-22
Posts: 2,141

Re: [SOLVED] Hide sensitive info from dotfiles

This whole post is kind of a mess. I can't tell what you're actually trying to accomplish: Are you worried that you'll lose your data, or that your data will be seen by unwanted eyes? What does dm-crypt have to do with online storage? Are you pushing this Git repository to a remote location or not? If you're worried about losing configuration files, but don't want them on a public repository, ask yourself: What did people do before online backups were a thing?

Also, it sounds like you're keeping your entire $HOME directory under one big Git repository. Don't do that.


#3 2014-08-25 13:48:29

pirj
Member
From: Phuket, Thailand
Registered: 2011-11-24
Posts: 19

Re: [SOLVED] Hide sensitive info from dotfiles

I am both worried about losing configuration and do not want to store sensitive data in the open.
I am considering pushing a dm-crypt'ed volume image along with config files in public so I can access it from other machines when bootstrapping.
Yes, pushing to github.

People were using rsync and tape backups. Unfortunately, I'm not always carrying a flash drive with my configs with me. And losing this drive will mean that I've lost sensitive information. All my servers are behind ssh with PKI-only access, so I will have to carry the keys to access them if I put that into a private repo somewhere on my server.

I'm only keeping the configuration, but yes, whole $HOME is under control of git. I have a comprehensive .gitignore file https://github.com/pirj/dotfiles/blob/master/.gitignore
Whenever I install something that writes some files somewhere at $HOME, I either add it to .gitignore or add it to the repo.

Please explain if you think this is a wrong approach.


#4 2014-08-25 14:03:20

Trilby
Inspector Parrot
Registered: 2011-11-29
Posts: 29,572

Re: [SOLVED] Hide sensitive info from dotfiles

I don't know about pushing encrypted images to github - unless it's a paid account.  This seems to go against the intent of their free service, perhaps against the letter of their rules, but definitely against the spirit of them.

But the main comment I wanted to give was an alternative to keeping $HOME under git control.  Many users have a 'dotfiles' directory which is a git repo, then dotfiles are just symlinks to the contents of that repo.  If you keep your entire $HOME under git control, you need that elaborate git ignore, plus you need to be cautious about what you add or don't add, *and* you may run into issues with nested repos if you use git for any of its more traditional uses (e.g., ~/code/some_project).  Nested git repos certainly can work - but there are a number of 'gotchas' in which they don't behave the way people would expect.


"UNIX is simple and coherent..." - Dennis Ritchie, "GNU's Not UNIX" -  Richard Stallman


#5 2014-08-25 14:17:39

pirj
Member
From: Phuket, Thailand
Registered: 2011-11-24
Posts: 19

Re: [SOLVED] Hide sensitive info from dotfiles

Nested 'code' folder is ignored and works just fine.
I have some submodules (eg oh-my-zsh), works fine too.

If I kept all the files symlinked from ~/dotfiles, I would constantly miss if some tool adds a new file, and it's quite impossible to track. I really like it the way it is. Except for the files with tokens/passwords, specifically weechat and mcabber, that are mixing sensitive information with other configuration.

What I originally expected is some kind of magic tool that may glue files together on the fly or the opinion that dm-crypted volumes are safe when kept in public if password is long enough.


#6 2014-08-27 23:43:19

pirj
Member
From: Phuket, Thailand
Registered: 2011-11-24
Posts: 19

Re: [SOLVED] Hide sensitive info from dotfiles

Found a simple and interesting solution: http://dev.weechat.org/post/2013/08/04/Secured-data
In short, WeeChat is able to store sensitive information in a separate file, auto decrypt it on start and substitute passwords for variables in config file.

Wish the other tools could do that too.

Last edited by pirj (2014-08-27 23:45:50)
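
An added example, not part of the original post and not WeeChat's code: the separation described in post #6 (secrets in their own file, variables in the committed config) applied to tools that lack it, by rendering a committed template into the real config file. The function names, the NAME=value secrets file and the reuse of WeeChat's `${sec.data.NAME}` syntax for other tools are assumptions of this example; unlike WeeChat's encrypted store, the secrets file here is plaintext and must stay out of the repository.

```python
import os
import re
import tempfile

# ${sec.data.NAME} is WeeChat's syntax; reusing it elsewhere is this example's assumption.
PLACEHOLDER = re.compile(r"\$\{sec\.data\.([A-Za-z0-9_]+)\}")
# Constructed sample of a committed template (mcabber-style, no real secret).
SAMPLE_TEMPLATE = "set password = ${sec.data.jabber}\nset server = example.org\n"


def load_secrets(path):
    """Parse NAME=value lines from a secrets file kept outside the repository."""
    if os.stat(path).st_mode & 0o077:
        raise PermissionError(f"{path} is accessible to group/others; chmod 600")
    secrets = {}
    with open(path, encoding="utf-8") as fh:
        for line in fh:
            line = line.rstrip("\n")
            if not line or line.startswith("#"):
                continue
            name, sep, value = line.partition("=")
            if not sep:  # never echo the line itself: it may hold a secret
                raise ValueError(f"malformed line in {path}: missing '='")
            secrets[name.strip()] = value
    return secrets


def render(template_text, secrets):
    """Substitute every placeholder; refuse to render if a secret is missing."""
    missing = sorted(set(PLACEHOLDER.findall(template_text)) - set(secrets))
    if missing:
        raise KeyError("no secret defined for: " + ", ".join(missing))
    # Function replacement is literal: backslashes in a password stay as typed.
    return PLACEHOLDER.sub(lambda m: secrets[m.group(1)], template_text)


def install(template_path, secrets_path, dest_path):
    """Render the template to dest_path atomically, with mode 0600."""
    with open(template_path, encoding="utf-8") as fh:
        text = render(fh.read(), load_secrets(secrets_path))
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(dest_path)))
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as out:  # mkstemp files are 0600
            out.write(text)
        os.replace(tmp, dest_path)
    except BaseException:
        os.unlink(tmp)
        raise
    return dest_path
```

Only the template is committed; the secrets file and the rendered config both belong in .gitignore.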
