On 11/11/21 13:20, Simão Afonso wrote:
On 2021-11-11 11:56:59, Vasi Vilvoiu wrote:
Hi!
I store the passwords for each of my 5 IMAP accounts as GPG encrypted files,
and fetch them with PassCmd. Problem is I keep my GPG key on a hardware
device which requires a touch on every operation; as such, `mbsync -a`
requires 5 touches that are spread across the sync process.
You can configure the gpg-agent to cache the credentials, no?
https://wiki.archlinux.org/title/GnuPG#gpg-agent
That somewhat goes against my security practices.
I was thinking of implementing support for encrypted configuration files,
which would then require the touch only once (when calling the tool),
but I'm not sure what the best approach would be. I'm thinking of something
along the lines of an 'IncludeCmd' configuration option that would append the
output of whatever command you specify to the configuration string.
What do the maintainers think?
I'm obviously willing to do the work.
What's wrong with:
#!/bin/sh
# mbsync-encrypted
cfg="$XDG_RUNTIME_DIR/mbsyncrc"        # per-user tmpfs, directory is mode 0700
trap 'rm -f "$cfg"' EXIT               # removed even if the sync is interrupted
umask 077                              # decrypted config is owner-readable only
# "decrypt command" stands for whatever decrypts your config (e.g. gpg --decrypt);
# do not start mbsync on a partial or empty config if decryption fails.
decrypt command <~/.config/mbsyncrc.encrypted >"$cfg" || exit 1
mbsync -c "$cfg" "$@"                  # script exits with mbsync's status
No changes needed to mbsync itself.
AFAIK, tmpfs can reach swap under some circumstances, which is a no-no.
I'd personally still see this ideally implemented in the tool as there
would be less stuff between the encrypted and decrypted data (gpg ->
pipe -> memory versus gpg -> tmpfs -> memory/disk -> tmpfs -> memory).
Best regards,
Vasi Vilvoiu
_______________________________________________
isync-devel mailing list
isync-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/isync-devel
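The thread leaves the two positions side by side: a wrapper script that spools the decrypted config through tmpfs (which may reach swap), versus a patch to mbsync so the plaintext only ever travels gpg -> pipe -> memory. A middle road needs no change to mbsync and still never writes plaintext to any file system: decrypt a single secrets file once (one touch), hand the passwords to mbsync through its environment, and let each PassCmd simply read them back. The script below is an added example for this thread, not isync/mbsync code. It assumes a layout that is not in the original mails: `~/.config/mbsync/secrets.gpg` decrypts to one `account<TAB>password` line per IMAP account, and each account's `PassCmd` in `~/.mbsyncrc` calls back into the wrapper with `--pass <account>`. The hypothetical name `mbsync-onetouch` and the `MBSYNC_PASS_*` variables are likewise the example's own.

```shell
#!/bin/sh
# mbsync-onetouch: one hardware-key touch per sync, nothing decrypted on disk.
# Added example for the isync-devel thread above; not part of isync/mbsync.
# Assumed layout (an assumption, not from the thread):
#   ~/.config/mbsync/secrets.gpg  decrypts to one "account<TAB>password"
#                                 line per IMAP account, e.g.  work<TAB>hunter2
#   ~/.mbsyncrc                   keeps its normal PassCmd lines, each of which
#                                 calls back into this script:
#                                 PassCmd "mbsync-onetouch --pass work"
# Run it as   mbsync-onetouch -a   (any mbsync arguments are passed through).
# Flow: gpg -> pipe -> shell variable -> environment -> mbsync -> PassCmd.
# The single gpg call is the only touch; the PassCmd runs just read the
# environment they inherit from mbsync.

SECRETS="${MBSYNC_SECRETS:-$HOME/.config/mbsync/secrets.gpg}"
TAB=$(printf '\t')
NL=$(printf '\n.'); NL=${NL%.}   # $(...) strips trailing newlines, hence the dot

# Accept only [A-Za-z0-9_] as an account name: the name becomes part of a
# variable name and passes through eval, so anything else is refused.
valid_name() {
    case $1 in
        '' | *[!A-Za-z0-9_]*) return 1 ;;
    esac
}

# Export MBSYNC_PASS_<account> for every line of the decrypted text.
# The text arrives as an argument and is split with parameter expansion only:
# no read, no here-document, so the shell never spools secrets to a temp file
# (some shells back here-documents with files under /tmp).
load_secrets() {
    rest=$1
    while [ -n "$rest" ]; do
        line=${rest%%"$NL"*}
        case $rest in
            *"$NL"*) rest=${rest#*"$NL"} ;;
            *)       rest= ;;
        esac
        [ -n "$line" ] || continue                  # skip blank lines
        name=${line%%"$TAB"*}
        pw=${line#*"$TAB"}
        if [ "$name" = "$line" ] || ! valid_name "$name"; then
            echo "secrets: bad line for account '$name'" >&2
            return 1
        fi
        export "MBSYNC_PASS_$name=$pw"
    done
}

# Print the password for one account; this is what mbsync's PassCmd runs.
pass_for() {
    valid_name "$1" || { echo "bad account name" >&2; return 1; }
    eval "pw=\${MBSYNC_PASS_$1-}"
    [ -n "$pw" ] || { echo "no password loaded for '$1'" >&2; return 1; }
    printf '%s\n' "$pw"
}

main() {
    case $1 in
        --pass) pass_for "$2"; return ;;
    esac
    # One decrypt, one touch. Plaintext lives in $secrets only until exported;
    # command substitution uses a pipe, so nothing is written to a file.
    secrets=$(gpg --quiet --batch --decrypt "$SECRETS") || {
        echo "mbsync-onetouch: decrypt failed, not starting mbsync" >&2
        return 1
    }
    load_secrets "$secrets" || return 1
    unset secrets
    exec mbsync "$@"          # inherits the MBSYNC_PASS_* variables
}

# Only act when invoked with arguments, so the functions can also be sourced.
if [ $# -gt 0 ]; then
    main "$@"
fi
```

Two caveats a practitioner should weigh before adopting this. First, environment variables are readable by any process of the same user through /proc/PID/environ, which is the same trust boundary as the tmpfs file in $XDG_RUNTIME_DIR, not a stronger one. Second, neither this script nor an IncludeCmd inside mbsync keeps the plaintext out of swap on its own: shell and mbsync memory are swappable just like tmpfs pages, so if swap is the real concern the fix is encrypted swap or no swap, whichever tool holds the secret.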