2

I have a program to store passwords protected, however, interface is the terminal and passwords are all written visibly.
I have very limited knowledge on the security, so couldn't be sure if it is safe. I hope question is relevant to here.

Update. The program is something that I wrote. Details are unnecessary but it essentially stores a NumPy array which I put in the cloud. By visible I mean at the end of the day I am reading that NumPy array and printing to terminal. Which I learned it is definitely not safe, thanks to all.

Is there any way to fix it? (hopefully an easy way)

Update My distribution is Ubuntu Desktop 18.04.4

Jo'
  • 133
  • 1
    Terminals has buffers which might reside on disk even without ecryption ( I don't know about gnome-terminal but I'm using Konsole and if you set the scrollback to unlimited then it buffers its contents unencrypted somewhere in the /tmp) and another problem might be your bash_history. Each command that you type ( the exception is when you add a space before your command ) will go to your ~/.bash_history file if you close the terminal properly (i.e not in the event of a system crash ). – Parsa Mousavi May 26 '20 at 08:50
  • 1
    Hello and welcome to askubuntu. What program? And what exactly do you mean by "are all written visibly". If the passwords are stored encrypted and you need to decrypt them to see them, your risk would be malicious software taking screenshots of your screen. So for most purposes you would still be safe. Security is a spectrum not a state, you always have tradeoffs. Anyway, please add the requested information to your question. – Bruni May 26 '20 at 08:53
  • 1
    Hi @Bruni, I updated my question. – Jo' May 26 '20 at 09:05
  • 2
    While being a good learning exercise, writing your own security software is generally a bad idea. There are probably existing tools available that will solve your problem - much better than any one of us. https://www.vice.com/en_us/article/wnx8nq/why-you-dont-roll-your-own-crypto – Andreas F May 26 '20 at 10:32
  • To start with, which Linux distro have you installed (Ubuntu server, Ubuntu desktop, Kubuntu, Lubuntu, Xubuntu, Ubuntu MATE, Mint, et al.), & which release number? Different releases have different tools for us to recommend. Please click [edit] & add that to your question, so all facts we need are in the question. Please don't use Add Comment, since that's our one-way channel to you. All facts about your PC should go in the Question with [edit] as this is a Q&A site, not a general forum, so things work differently here. – K7AAY May 26 '20 at 16:44
  • @AndreasF I am not sure if it is considered as encryption, as I am not trying to share (communicate) the data, rather trying to make it hard to reach without the password. I am pretty sure it can be solved, but hopefully it is hard enough that will not worth doing. – Jo' May 27 '20 at 00:16
  • 2
    I agree with @AndreasF. Writing your own password manager is a bad idea. Putting the data in the cloud is even worse. There are plenty of people with plenty of time who will not stop until they break your data file and steal your passwords. – user68186 May 27 '20 at 00:29
  • 2
    If you really want a "cloud" password manager, there's many ways to achieve this as well as many companies with various platforms that do this as well - I would suggest you DO NOT write your own solution for this and instead use an existing password manager platform instead if you intend to keep your data 'in the cloud'. – Thomas Ward May 27 '20 at 01:53
  • No, I am not really looking for a cloud password manager. I was just worried if it is super easy to reach terminal bash. I learned how to erase it, hopefully it will suffice. – Jo' May 27 '20 at 07:01

2 Answers2

3

Terminals has buffers which might reside on disk even without ecryption ( I don't know about gnome-terminal but I'm using Konsole and if you set the scrollback to unlimited then it buffers its contents unencrypted somewhere in the /tmp)

And another problem might be your bash_history. Each command that you type ( the exception is when you add a space before your command ) will go to your ~/.bash_history file if you close the terminal properly (i.e not in the event of a system crash ).

So if you want to type your sensitive information like passwords in a console command , you have to either delete that line manually or add a space before your command ( I didn't see it anywhere , but I found it myself with trial and error and might not work for other shells other than bash . For example that's not the case in the Z shell. And also might someday get removed from bash. Who knows)

In the ~/.bashrc file there are two variables as follows 

HISTSIZE=2000
HISTFILESIZE=2000

If you set them to a negative number like -1 , then the bash history size would be unlimited . And if you want to disable the bash history feature , you can set them to zero. ( note that the bash history is an useful feature in the case you forgot the commands (i.e syntax or arguments) that you issued. For example I had a bash_history with the age of almost one year ! with almost 60,000 lines !)

Note that if in your terminal you've logged in as another user like root then the bash_history will go to /root/.bash_history not in your home directory.

And if you want to reboot or halt your system via terminal ( when you're working on the server , logged in via console , or just for fun ) then you should issue the command :

history -c && some_halt_command

to prevent the history buffer to be flushed into the bash_history.(although if you disable the feature via the aforementioned variables , I don't think you would need this)

So :
1) Delete that line manually from history
2) Add a space before your command if you use bash (which is default in most (if not all) distros)
3) Disable bash history

Parsa Mousavi
  • 3,305
  • 16
  • 37
0

This is one simple way to leverage existing, secure tools: 

#!/bin/bash

# script to pack, encrypt, and copy all content of "private" 
# dir to another area that is synced with Dropbox. 

cd ~ 
tar -cvf private.tar private/
gpg --symmetric --force-mdc -o private.tar.gpg private.tar
shred -u private.tar
mv private.tar.gpg ~/Dropbox/private

You need to provide a password yourself. Please select a strong (=long) one, e.g. from https://www.grc.com/passwords.htm Alternatively, create a ssh keypair and use that for complete automation e.g. using crontab scheduling.

Andreas F
  • 341