#1 2017-08-31 14:14:49

marco1475
Member
From: Baltimore, MD, USA
Registered: 2013-10-20
Posts: 4

/etckeeper and SSMTP plain-text password

Hi,

I am looking into using Etckeeper to version changes to /etc and I came across this in the Arch Wiki:

ArchWiki wrote:

Warning: Pushing your etckeeper repository to a publicly accessible remote repository can expose sensitive data such as password hashes or private keys. Proceed with caution.

After looking through the files in /etc it seems like the only password stored there is in ssmtp.conf - the username and password for the throw-away GMail account I use to get reports. Even if I don't use a publicly accessible Git repository I will be storing this password in plain text on "somebody else's machine."

Is there a way to hash or encrypt the password in ssmtp.conf, maybe with PGP or pass? Or am I out of luck, since the .conf file is read directly by ssmtp and any decrypting logic would have to be part of ssmtp?

Thanks,
Marek

Offline

#2 2017-08-31 16:30:36

progandy
Member
Registered: 2012-05-17
Posts: 5,199

Re: /etckeeper and SSMTP plain-text password

Hi, you can use clean (=public) and smudge (=dirty/personal) filters to encrypt your sensitive data before committing and decrypt it during checkout. You can e.g. encrypt whole files or replace passwords with an identifier string.
You'll have to start with a fresh git repository, or use git filter-branch to get the filter to take for all commits.

Edit: If you go for the search/replace method, then make sure that password changes are reflected in the filter script or make it a bit more robust (e.g. detect a password not by the passphrase, but the configuration keyword, e.g. "DB_PASS" and store the password in a local-only file).

Last edited by progandy (2017-08-31 16:53:04)


| alias CUTF='LANG=en_XX.UTF-8@POSIX ' |

Offline
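
One way to implement the keyword-based clean/smudge filter described above for ssmtp.conf, as an added example that is not part of the original posts. The filter name `ssmtp-secret`, the placeholder string, the script path `/usr/local/bin/ssmtp-filter` and the secret file location are assumptions; `AuthPass` is the ssmtp.conf key that holds the password.

```shell
#!/bin/sh
# Added example: git clean/smudge filter that keeps the ssmtp AuthPass value
# out of the etckeeper repository. Names and paths below are assumptions.
#
# Wiring, run once in /etc (script assumed installed as /usr/local/bin/ssmtp-filter):
#   echo 'ssmtp/ssmtp.conf filter=ssmtp-secret' >> .gitattributes
#   git config filter.ssmtp-secret.clean  '/usr/local/bin/ssmtp-filter clean'
#   git config filter.ssmtp-secret.smudge '/usr/local/bin/ssmtp-filter smudge'

PLACEHOLDER='@@SSMTP_AUTHPASS@@'                           # identifier stored in git
SECRET_FILE="${SSMTP_SECRET_FILE:-/root/.ssmtp-authpass}"  # local-only, outside /etc, mode 600

# clean: working-tree file on stdin, committed content on stdout.
# Matches on the AuthPass keyword, so a changed password needs no script edit.
ssmtp_clean() {
    sed "s|^\([[:space:]]*AuthPass[[:space:]]*=\).*|\1${PLACEHOLDER}|"
}

# smudge: committed content on stdin, working-tree file on stdout.
ssmtp_smudge() {
    if [ ! -r "$SECRET_FILE" ]; then
        # No local secret (e.g. a clone on another machine): leave the placeholder.
        echo "ssmtp-filter: $SECRET_FILE not readable, placeholder kept" >&2
        cat
        return 0
    fi
    # Pass the password through the environment and splice it in with
    # index/substr, so characters such as & | \ / are never interpreted.
    PW=$(head -n 1 "$SECRET_FILE") awk -v ph="$PLACEHOLDER" '
        /^[ \t]*AuthPass[ \t]*=/ && (i = index($0, ph)) {
            $0 = substr($0, 1, i - 1) ENVIRON["PW"] substr($0, i + length(ph))
        }
        { print }'
}

case "${1:-}" in
    clean)  ssmtp_clean ;;
    smudge) ssmtp_smudge ;;
esac
```

Because the committed blob only ever contains the placeholder, a password change alone produces no diff in the repository.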
