cloak
Accounts listed in plaintext for all to see
When adding accounts cloak creates the directory ~/.cloak with 0755 permissions and the file ~/.cloak/accounts with 0644 permissions.
All account keys in this file are clearly visible in plain text.
I've noticed this issue too. It's even worse considering that it doesn't even encrypt account keys or recovery codes or accounts in general. A solution to this might be ring with a randomly-generated key on first run (and for those who already have it, a command to set up account and recovery code encryption).
@ethindp Thanks for the solution. I'm working on a way to encrypt the account contents. For now I'm creating the files using 0o600. This will only permit the owner of the file to view the accounts.
True, but that doesn't apply on Windows. On Windows they're open to the whole world, and I don't know a library that allows you to control Windows access controls available in Rust.
On 5/6/19, Evans Murithi [email protected] wrote:
@ethindp Thanks for the solution. I'm working on a way to encrypt the account contents. For now I'm creating the files using 0o600. This will only permit the owner of the file to view the accounts.
-- Signed, Ethin D. Probst
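Added example, not part of the thread and not cloak's own code: a Unix-only sketch of the 0o600 approach discussed above, which also shows that setting the mode at creation does nothing for a store already written as 0755/0644, so existing users need a separate tightening step. The function names, the demo directory and the file contents are hypothetical; the Windows access-control concern raised above is not covered.

```rust
// Added example (not cloak's code): owner-only account store on Unix.
use std::fs::{self, DirBuilder, OpenOptions, Permissions};
use std::io::{self, Write};
use std::os::unix::fs::{DirBuilderExt, OpenOptionsExt, PermissionsExt};
use std::path::Path;

/// Permission bits (lower 9) of `path`.
pub fn mode_of(path: &Path) -> io::Result<u32> {
    Ok(fs::metadata(path)?.permissions().mode() & 0o777)
}

/// Create `dir` as 0700 and `dir/accounts` as 0600. The mode is passed to
/// mkdir(2)/open(2), so a new file is never readable by others, even briefly.
/// It has no effect on a directory or file that already exists.
pub fn write_accounts(dir: &Path, contents: &[u8]) -> io::Result<()> {
    DirBuilder::new().recursive(true).mode(0o700).create(dir)?;
    let mut file = OpenOptions::new()
        .write(true)
        .create(true)
        .truncate(true)
        .mode(0o600)
        .open(dir.join("accounts"))?;
    file.write_all(contents)
}

/// Tighten a store left behind with 0755/0644. Returns one line per path
/// that had any group/other bit set and was changed.
pub fn tighten_existing(dir: &Path) -> io::Result<Vec<String>> {
    let mut fixed = Vec::new();
    for (path, want) in [(dir.to_path_buf(), 0o700), (dir.join("accounts"), 0o600)] {
        let mode = mode_of(&path)?;
        if mode & 0o077 != 0 {
            fs::set_permissions(&path, Permissions::from_mode(want))?;
            fixed.push(format!("{}: {:o} -> {:o}", path.display(), mode, want));
        }
    }
    Ok(fixed)
}

fn main() -> io::Result<()> {
    // Hypothetical demo directory under the temp dir, not the real ~/.cloak.
    let dir = std::env::temp_dir().join(format!("cloak-demo-{}", std::process::id()));
    write_accounts(&dir, b"constructed placeholder, not a real key\n")?;
    println!("dir {:o}, file {:o}", mode_of(&dir)?, mode_of(&dir.join("accounts"))?);
    println!("changed: {:?}", tighten_existing(&dir)?);
    fs::remove_dir_all(&dir)
}
```

Restricting the mode only limits which local users can read the file; the keys inside are still stored in plain text.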
Has this issue been resolved?
@Stef16Robbe still open. PRs are welcome though
I implemented an OTP command line authenticator before knowing of cloak. It supports encryption, import from other apps and a set of other cool features. @Stef16Robbe @ethindp @stephenmuss https://github.com/replydev/cotp