Teqleez Motley wrote on 2/13/19 3:49 PM:
Hi all,
In the GUI qubes backup tool, when making a new backup, there is this info 
right below where one enters the optional password:

"Save settings as default backup profile: [X](tick box)"
"WARNING: password will be saved in dom0 in plain text."

Two questions:

a) Where exactly does qubes save this password/backup settings (file+folder, 
please)

Looks like this happened to be resolved 7 days ago with https://github.com/QubesOS/qubes-issues/issues/4777, but it's in /etc/qubes/backup/qubes-manager-backup.conf.

b) It seems to be ticked by default (per 4.0.1-RC/December, not the latest 
bugfix which I am about to prepare to upgrade to...), in case that is not 
changed this last month, isn't that default setting actually bad (for the 
personal...) security?

What if a person does not pay attention to that second sentence (making a 
backup in a rush, thinking one knows this tool, so not reading all info each 
time, etc...), but enters a password to protect the current backup, then 
unknowingly saves it as plain text...
I'd say that the check box should at least be UNchecked by default.
Besides, it is not obvious that that is what one wants as default: To actually 
save the new settings (lose/replace the last default..) without making a 
conscious choice, so for that reason alone it should not be checked.


Not sure why it's checked by default. I have to clear it every time too. Could try submitting a code change for it and see if it gets merged, or a new issue.
