2

I have a program that stores passwords in protected form; however, the interface is the terminal and the passwords are all written visibly.
I have very limited knowledge of security, so I couldn't be sure if it is safe. I hope the question is relevant here.

Update: The program is something that I wrote. Details are unnecessary, but it essentially stores a NumPy array which I put in the cloud. By visible I mean that at the end of the day I am reading that NumPy array and printing it to the terminal, which I learned is definitely not safe, thanks to all.

Is there any way to fix it? (hopefully an easy way)

Update: My distribution is Ubuntu Desktop 18.04.4

Jo'
  • 133

2 Answers

3

Terminals have buffers which might reside on disk even without encryption (I don't know about gnome-terminal, but I'm using Konsole, and if you set the scrollback to unlimited then it buffers its contents unencrypted somewhere in /tmp).

Another problem might be your bash_history. Each command that you type (the exception is when you add a space before your command) will go to your ~/.bash_history file if you close the terminal properly (i.e. not in the event of a system crash).

So if you want to type sensitive information like passwords in a console command, you have to either delete that line manually or add a space before your command. (I didn't see it anywhere, but I found it myself by trial and error, and it might not work for shells other than bash. For example, that's not the case in the Z shell. It also might someday get removed from bash. Who knows.)

In the ~/.bashrc file there are two variables as follows

HISTSIZE=2000
HISTFILESIZE=2000

If you set them to a negative number like -1, then the bash history size will be unlimited. If you want to disable the bash history feature, you can set them to zero. (Note that the bash history is a useful feature in case you forget the commands (i.e. syntax or arguments) that you issued. For example, I had a bash_history that was almost one year old, with almost 60,000 lines!)

Note that if you've logged in as another user like root in your terminal, then the bash_history will go to /root/.bash_history, not to your home directory.

If you want to reboot or halt your system via the terminal (when you're working on a server, logged in via console, or just for fun), then you should issue the command:

history -c && some_halt_command

to prevent the history buffer from being flushed into the bash_history. (Although if you disable the feature via the aforementioned variables, I don't think you would need this.)

So:
1) Delete that line manually from history
2) Add a space before your command if you use bash (which is default in most (if not all) distros)
3) Disable bash history
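
In bash, the leading-space behaviour and the "set them to zero" behaviour discussed in this answer depend on the values of `HISTCONTROL`, `HISTFILE`, `HISTSIZE` and `HISTFILESIZE`, so they can be checked rather than assumed. The script below is an added example, not part of the original answer; the function names and the sample profiles are constructed for illustration.

```sh
#!/bin/sh
# Added example: classify bash history settings for the cases described above.
# Values are passed as arguments so any profile can be checked.

# Succeeds if HISTCONTROL ($1, colon-separated) makes bash drop commands
# that start with a space: only "ignorespace" and "ignoreboth" do that.
space_prefix_skips_history() {
    case ":$1:" in
        *:ignorespace:*|*:ignoreboth:*) return 0 ;;
    esac
    return 1
}

# Succeeds if typed commands can end up in the history file.
# $1=HISTFILE  $2=HISTSIZE  $3=HISTFILESIZE (empty means "left at default").
history_reaches_disk() {
    [ -n "$1" ] || return 1              # HISTFILE unset or empty: nothing written
    [ "$1" = /dev/null ] && return 1     # writes are discarded
    [ "$2" = 0 ] && return 1             # no in-memory history list to save
    [ "$3" = 0 ] && return 1             # history file is truncated to zero size
    return 0                             # negative values mean "unlimited"
}

# Prints one verdict for a settings tuple:
# $1=HISTCONTROL  $2=HISTFILE  $3=HISTSIZE  $4=HISTFILESIZE
history_verdict() {
    if ! history_reaches_disk "$2" "$3" "$4"; then
        echo "not-saved"
    elif space_prefix_skips_history "$1"; then
        echo "saved-unless-space-prefixed"
    else
        echo "always-saved"
    fi
}

# Constructed sample profiles (not taken from a real system).
f=/home/alice/.bash_history
printf '%-28s %s\n' "ignoreboth, 2000/2000"  "$(history_verdict ignoreboth "$f" 2000 2000)"
printf '%-28s %s\n' "ignoredups, -1/-1"      "$(history_verdict ignoredups "$f" -1 -1)"
printf '%-28s %s\n' "ignorespace, 0/0"       "$(history_verdict ignorespace "$f" 0 0)"
```

To check a live session, source the file in an interactive bash shell and run `history_verdict "$HISTCONTROL" "$HISTFILE" "$HISTSIZE" "$HISTFILESIZE"`.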

0

This is one simple way to leverage existing, secure tools:

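#!/bin/bash

# script to pack, encrypt, and copy all content of "private"
# dir to another area that is synced with Dropbox.

# stop at the first failing step so a failed gpg run is not
# followed by the shred and mv steps
set -e

cd ~
# pack the directory into a temporary plaintext archive
tar -cvf private.tar private/
# encrypt the archive with a passphrase (gpg prompts for it)
gpg --symmetric --force-mdc -o private.tar.gpg private.tar
# overwrite and delete the plaintext archive
shred -u private.tar
# move the encrypted archive into the synced folder
mv private.tar.gpg ~/Dropbox/private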

You need to provide a password yourself. Please select a strong (=long) one, e.g. from https://www.grc.com/passwords.htm. Alternatively, create an SSH keypair and use that for complete automation, e.g. using crontab scheduling.

Andreas F
  • 361