Well, printing plaintext is the definition of not secure... However, it's not too hard to create a plugin/add-on/script for this.

One would argue that you could print b64-encoded encrypted passwords ("armored" in gpg terminology) and then recover them using OCR, but I wouldn't trust such a thing as a good backup.

All in all, I would go for creating the plugin for pass dump as you said.

Cheers!

On 4/10/20 2:57 PM, J Rt wrote:
> Ok, so we have basically 2 options so far if I understand correctly:
>
> 1)
>
> $ pass grep .
>
> and probably some $ pass grep . > SOME_FILE and then print SOME_FILE
> if one wants to print it out.
>
> This works perfectly. The format is a bit different, but this is no
> worries at all. I suppose pass grep . is safe 'by design' as it goes
> straight into terminal (?). Then people may do whatever they want with
> this, including dumping to a file on permanent storage for printing
> unfortunately which may be unsafe. So for somebody wanting to print
> the passwords, that may be easy but also quite unsafe especially if
> the home folder is not encrypted, right?
>
> 2)
>
> the script provided, that should create a tmpfs storage for safety. I
> have a problem with this on my machine to get it to work as is as my
> tmp is not a tmpfs, but I could of course fix it. It looks a bit
> redundant with the grep . on several aspects though.
>
> Therefore, it seems that there is no really satisfactory solution at
> the moment that makes it easy for the user to take 'safe' choices if
> they want to dump to a file the passwords for printing, right?
>
> Would it then be a good idea maybe to create a new command to dump to
> file? Something that would 1) create a new tmpfs partition 2) dump
> there 3) delete automatically the partition after a while to make sure
> it disappears? What about something like (this may be bad / very
> naive, feedback welcome):
>
> $ pass dump
>
> doing something in this kind:
>
> mkdir /tmp/password-store-dump
> sudo mount -t tmpfs -o size=128m tmpfs /tmp/password-store-dump
> pass grep . > /tmp/password-store-dump/dump.txt
> echo "dump available at: /tmp/password-store-dump/dump.txt; will be cleaned in 15 minutes"
> (sleep 900; sudo umount -l /tmp/password-store-dump) &
>
> Would it be reasonable to provide a function in this kind to the user?
> Then would it be safe to just open the file and print it (of course
> the user still needs to remember to reset / clean the printer's memory,
> but this is another story)?

-- 
HacKan || Iván
GPG: 0x35710D312FDE468B
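
One way to sketch the "pass dump" idea from this thread without sudo, as an added example that is not code from pass or from either poster: it refuses to write unless the target directory really is tmpfs (the situation where /tmp is not), and keeps the dump in a private 0700 directory as a 0600 file. The function names are hypothetical, `stat -f -c %T` assumes GNU coreutils on Linux, and `lpr` in the usage comment assumes a CUPS-style print command.

```shell
#!/bin/sh
# Added example, not part of pass. Function names are hypothetical.
# Assumes Linux with GNU coreutils stat and mktemp.

# Print the filesystem type backing a path, e.g. "tmpfs" or "ext2/ext3".
fs_type() {
    stat -f -c %T "$1"
}

# secure_dump BASE_DIR [command...]
# Refuses unless BASE_DIR is on tmpfs, then runs the command
# (default: pass grep .) into BASE_DIR/pass-dump.XXXXXX/dump.txt
# and prints that path. The directory is 0700 and the file 0600.
secure_dump() {
    _base=$1; shift
    [ "$#" -gt 0 ] || set -- pass grep .
    [ "$(fs_type "$_base")" = "tmpfs" ] || {
        echo "refusing: $_base is not on tmpfs" >&2
        return 1
    }
    _dir=$(umask 077 && mktemp -d "$_base/pass-dump.XXXXXX") || return 1
    if ( umask 077 && "$@" > "$_dir/dump.txt" ); then
        printf '%s\n' "$_dir/dump.txt"
    else
        rm -rf -- "$_dir"      # do not leave a partial dump behind
        return 1
    fi
}

# cleanup_dump FILE
# Removes the dump directory; only accepts paths produced by secure_dump,
# so an empty or unexpected argument never reaches rm.
cleanup_dump() {
    case $1 in
        */pass-dump.??????/dump.txt) rm -rf -- "$(dirname "$1")" ;;
        *) return 1 ;;
    esac
}

# Usage (per-user runtime dir is tmpfs on systemd systems, else try /dev/shm):
#   f=$(secure_dump "${XDG_RUNTIME_DIR:-/dev/shm}") && { lpr "$f"; cleanup_dump "$f"; }
```

tmpfs pages can still be written out to swap, so on a machine with unencrypted swap the dump is not guaranteed to stay off disk.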