Concatenate the symmetric keys instead of using HMAC-SHA256

There is no point trying to KDF here. Gocryptfs does its own KDF anyway
(https://nuetzlich.net/gocryptfs/forward_mode_crypto/), and a leaked
gocryptfs password is not really in our security model (because that
compromises the entire storage in any case).
Peter Cai 2022-10-10 20:13:52 -04:00
parent 518e38b11b
commit b014a9a440
2 changed files with 8 additions and 17 deletions

@ -25,7 +25,7 @@ of the original password store (`gocrypt/`), and all read operations from `pass`
without any special care (other than remembering to unlock the subtree first). The encrypted subdirectory is stored in the original without any special care (other than remembering to unlock the subtree first). The encrypted subdirectory is stored in the original
password store under `.gocrypt/`, and can be managed by `git` just like how it was without encryption. password store under `.gocrypt/`, and can be managed by `git` just like how it was without encryption.
The biggest caveat of this is that write operations (such as `edit` and `generate`) **has** to be prefixed by the `gocrypt` subcommand The biggest caveat of this is that write operations (such as `edit` and `generate`) **have** to be prefixed by the `gocrypt` subcommand
to ensure compatibility when the outer password store is a git repository. Without the prefix, git commits that are normally created to ensure compatibility when the outer password store is a git repository. Without the prefix, git commits that are normally created
automatically by `pass` will not be generated during a write. See the Usage section of this document for examples. automatically by `pass` will not be generated during a write. See the Usage section of this document for examples.
@ -41,7 +41,6 @@ Dependencies:
- pass - pass
- bash - bash
- perl
- gocryptfs - gocryptfs
Usage Usage

@ -9,7 +9,6 @@ readonly gocrypt_needs_passphrase_marker=".gocrypt-needs-passphrase"
gocrypt_sys_check() { gocrypt_sys_check() {
which gocryptfs > /dev/null || gocrypt_die "gocryptfs not found in PATH" which gocryptfs > /dev/null || gocrypt_die "gocryptfs not found in PATH"
which perl > /dev/null || gocrypt_die "perl not found in PATH"
} }
gocrypt_env_check() { gocrypt_env_check() {
@ -36,13 +35,6 @@ _cmd_git() {
[ -d '.git' ] && cmd_git "$@" [ -d '.git' ] && cmd_git "$@"
} }
gocrypt_derive_password() {
local data="$1"
local key="$2"
perl <<< "use Digest::SHA qw(hmac_sha256_hex);\$digest=hmac_sha256_hex(\"$data\n\", \"$key\");print(\$digest);"
}
gocrypt_init() { gocrypt_init() {
local needs_passphrase=false local needs_passphrase=false
local passphrase="" local passphrase=""
@ -67,7 +59,6 @@ gocrypt_init() {
if $needs_passphrase; then if $needs_passphrase; then
echo -n "Enter passphrase: " echo -n "Enter passphrase: "
read -s passphrase read -s passphrase
[[ "$passphrase" =~ [^a-zA-Z0-9\ ] ]] && gocrypt_die "Only alphanumeric characters are allowed for now"
local passphrase_confirm="" local passphrase_confirm=""
echo echo
echo -n "Confirm passphrase: " echo -n "Confirm passphrase: "
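
Review bot: With the alphanumeric check removed, `read -s passphrase` in this hunk now accepts arbitrary characters but still runs without `-r` and with the default IFS, so backslashes are consumed as escapes and leading or trailing whitespace is stripped before the value is used. Consider `IFS= read -rs passphrase` here, and the same for every other passphrase prompt, so the string that reaches gocryptfs is exactly what was typed.
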
@ -84,7 +75,7 @@ gocrypt_init() {
mkdir "$gocrypt_dir" mkdir "$gocrypt_dir"
if $needs_passphrase; then if $needs_passphrase; then
touch "$gocrypt_needs_passphrase_marker" touch "$gocrypt_needs_passphrase_marker"
gocrypt_passwd="$(gocrypt_derive_password "$gocrypt_passwd" "$passphrase")" gocrypt_passwd="$gocrypt_passwd$passphrase"
fi fi
gocryptfs -passfile /dev/stdin -init "$gocrypt_dir" <<< "$gocrypt_passwd" || gocrypt_die "Unable to initialize gocryptfs" gocryptfs -passfile /dev/stdin -init "$gocrypt_dir" <<< "$gocrypt_passwd" || gocrypt_die "Unable to initialize gocryptfs"
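
Review bot: The new assignment `gocrypt_passwd="$gocrypt_passwd$passphrase"` joins the two secrets with no separator or length prefix, so the boundary between the stored password and the passphrase is unambiguous only if the generated password always has the same length. If that is guaranteed elsewhere, a one-line comment at this assignment saying so would help; otherwise put a delimiter between them that cannot occur in the generated password.
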
@ -121,7 +112,7 @@ gocrypt_open() {
local passphrase="" local passphrase=""
echo -n "Enter passphrase: " echo -n "Enter passphrase: "
read -s passphrase read -s passphrase
gocrypt_passwd="$(gocrypt_derive_password "$gocrypt_passwd" "$passphrase")" gocrypt_passwd="$gocrypt_passwd$passphrase"
fi fi
fi fi
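
Review bot: Stores initialized with a passphrase before this commit were created with the HMAC-SHA256 hex digest as the gocryptfs password, while this line in gocrypt_open now supplies the plain concatenation, so those stores will stop unlocking after the upgrade. Nothing in the diff offers a migration or a fallback. Either document the break together with the steps to re-key an existing store (gocryptfs has `-passwd` for changing the password) or keep a one-time path that tries the old derivation when the new password is rejected.
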
@ -169,10 +160,11 @@ usage
You can optionally use an extra piece of symmetric passphrase to encrypt the subdirectory, by You can optionally use an extra piece of symmetric passphrase to encrypt the subdirectory, by
passing the argument -p or --passphrase when invoking this command to initialize. In this case, passing the argument -p or --passphrase when invoking this command to initialize. In this case,
the passphrase you input will be used along with the generated password to derive a new master the passphrase you input will be used along with the generated password to derive the encryption
password for gocryptfs. This second piece of passphrase will not be stored in the password store, key (KEK) of the master key of gocryptfs. This second piece of passphrase will not be stored in
and you will be asked for it every time you invoke \`$PROGRAM gocrypt open\`. This mode adds an the password store, and you will be asked for it every time you invoke \`$PROGRAM gocrypt open\`.
extra layer of protection in case the gpg-encrypted master password is somehow compromised. This mode adds an extra layer of protection in case the gpg-encrypted master password is somehow
compromised.
$PROGRAM gocrypt open $PROGRAM gocrypt open
Mount the encrypted subdirectory to \$PASSWORD_STORE_DIR/$gocrypt_dec_dir. Mount the encrypted subdirectory to \$PASSWORD_STORE_DIR/$gocrypt_dec_dir.
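
Review bot: The reworded usage text still says the passphrase is used "along with the generated password to derive" a key, without stating that the two are now simply concatenated and that key derivation is left to gocryptfs, and it does not mention that the alphanumeric-only restriction on the passphrase is gone. A sentence covering both would keep the help text in line with the code; "the encryption key (KEK) of the master key of gocryptfs" would also read more clearly as "the key-encryption key (KEK) that protects the gocryptfs master key".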