
Support for encrypted secrets instead of plain text ~/.2fa #6

Open
doronbehar opened this issue Jan 12, 2018 · 2 comments

Comments

@doronbehar

Hi,

First of all, this is a great command line utility so thank you for making it.

Adding support for a password encrypted using PGP/GPG could be cool. A JSON format like the one output by the backup mechanism of https://github.com/andOTP/andOTP could be great, because the secrets could then be shared easily between 2fa and andOTP on Android.

Here is an example of a formatted decrypted JSON backup made by andOTP:

[
  {
    "secret": "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
    "label": "Google:doron.behar@gmail.com",
    "period": 30,
    "digits": 6,
    "type": "TOTP",
    "algorithm": "SHA1",
    "tags": []
  },
  {
    "secret": "XXXXXXXXXXXXXXXX",
    "label": "GitHub - GitHub:doronbehar",
    "period": 30,
    "digits": 6,
    "type": "TOTP",
    "algorithm": "SHA1",
    "tags": []
  }
]

I'll be glad to hear your thoughts :)

@heywoodlh

TL;DR:
Create an alias or function in your shell to use GPG to encrypt and decrypt your ~/.2fa file:

BASH function:
2fa() { gpg --decrypt ~/.2fa.gpg > ~/.2fa; /path/to/go/bin/2fa "$@"; rm ~/.2fa; }

Fish function:

function 2fa
    gpg --decrypt /path/to/.2fa.gpg > ~/.2fa
    /path/to/go/bin/2fa $argv
    rm ~/.2fa
end

Long Response:

I was able to solve this by writing a function in my shell (fish) to use gpg to decrypt the file. You could do the same thing with BASH using an alias or just writing a shell script.

It's a sloppy solution but it totally works and relies on the security of GPG rather than keeping the file stored in plaintext.

As an example, here is my function for fish:

function 2fa
    gpg --decrypt ~/.2fa.gpg > ~/.2fa
    /path/to/go/bin/2fa $argv
    rm ~/.2fa
end

This example presumes that the ~/.2fa file has been encrypted with gpg and stored as ~/.2fa.gpg. Once the encrypted file exists, you can remove the original ~/.2fa file that has everything stored in plaintext.

To break down the function:
gpg --decrypt ~/.2fa.gpg > ~/.2fa will decrypt the gpg file and create a ~/.2fa file.
/path/to/go/bin/2fa $argv will run the 2fa binary and accept arguments.
rm ~/.2fa will remove the ~/.2fa file. You could erase it securely using shred instead.
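
The decrypt, run, remove procedure above as a hardened wrapper. This is an added example, not code from the thread or from the 2fa project; it assumes the keychain lives at $HOME/.2fa with its ciphertext at $HOME/.2fa.gpg, and takes the 2fa binary and gpg from the hypothetical variables TWOFA_BIN and GPG_CMD. Compared with the one-liner it creates the plaintext with mode 0600, cleans up on interrupt, refuses to run 2fa when decryption fails, and re-encrypts when 2fa changed the keychain, so a key added with 2fa -add is not discarded by the rm.

```bash
# Hardened decrypt-run-remove wrapper for rsc/2fa. Added example, not code from
# the thread or from the 2fa project. Assumptions: keychain at $HOME/.2fa,
# ciphertext at $HOME/.2fa.gpg, TWOFA_BIN and GPG_CMD name the two binaries.
TWOFA_BIN="${TWOFA_BIN:-/path/to/go/bin/2fa}"   # placeholder path, as in the thread
GPG_CMD="${GPG_CMD:-gpg}"

# Body is a subshell so umask and trap stay local to one invocation.
run_2fa_encrypted() (
    plain="$HOME/.2fa"
    cipher="$HOME/.2fa.gpg"
    umask 077                                   # plaintext is created 0600, not 0644
    if [ -e "$plain" ]; then                    # never clobber, or later delete, a file we did not create
        echo "refusing to run: plaintext $plain already exists" >&2
        exit 1
    fi
    trap 'rm -f "$plain"' EXIT INT TERM         # cleanup even if 2fa or the user aborts
    if ! "$GPG_CMD" --quiet --decrypt "$cipher" > "$plain"; then
        echo "decryption of $cipher failed; not running 2fa" >&2
        exit 1
    fi
    before=$(cksum < "$plain")
    status=0
    "$TWOFA_BIN" "$@" || status=$?
    after=$(cksum < "$plain")
    if [ "$before" != "$after" ]; then
        # 2fa rewrote the keychain (e.g. -add): re-encrypt before the plaintext
        # goes away, otherwise the new key would be lost with the rm.
        "$GPG_CMD" --quiet --yes --encrypt --default-recipient-self \
            -o "$cipher" "$plain" || exit 1
    fi
    rm -f "$plain"
    exit "$status"
)
```

Define it in your shell startup file and call it as `run_2fa_encrypted -list` or `run_2fa_encrypted -add name`; gpg still prompts for the passphrase through its usual pinentry.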

@doronbehar
Author

Cool! Thanks for your response. I'm using pass-otp now, which fits well with my workflow with pass, so I don't need this workaround anymore.
