Christian Weisgerber <na...@mips.inka.de> wrote:

> ---------------
> #!/bin/sh
>
> SAFE=$HOME/.pwsafe
> TMPFILE=`mktemp /tmp/pwsafeXXXXXXXXXX` || exit 1
>
> trap 'rm -P "$TMPFILE"' 0 1 2 15
>
> STTY=`stty -g`
> echo -n "Password: "
> stty -echo
> read PASSWORD
> stty "$STTY"
>
> set -e
> echo -n "$PASSWORD" | openssl aes-256-cbc -d -in "$SAFE" -out "$TMPFILE" -pass stdin
> ${EDITOR-${VISUAL-vi}} "$TMPFILE"
> echo -n "$PASSWORD" | openssl aes-256-cbc -in "$TMPFILE" -out "$SAFE" -pass stdin
> <---------------
So this stood up to review here pretty well. The major potential leak is that the decrypted content is temporarily stored as a cleartext file. If your storage is backed by some sort of log-structured filesystem, like a flash memory medium, the cleartext will not actually be overwritten and may be recoverable. Also, your editor may scatter additional cleartext copies around, for instance vi's recovery files.

--
Christian "naddy" Weisgerber                          na...@mips.inka.de
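The two leaks named above (cleartext temp file on storage that does not really overwrite, and editor recovery/backup copies) can be narrowed in the wrapper itself. The script below is an added example written for this page, not the poster's script: it keeps the cleartext on a RAM-backed directory where one exists, starts the editor with its recovery, backup, undo and history files turned off, and writes the new ciphertext to a scratch file that is renamed over the safe only after a successful encrypt, so a failed encryption cannot truncate the old safe. Assumptions not found in the thread: OpenSSL 1.1.1 or later (for `-pbkdf2` in place of the legacy one-round MD5 key derivation), `/dev/shm` as the tmpfs mount, the vim and emacs option names as in their manuals, and `shred`/`rm -P` as the available overwrite-and-unlink tools; nvi and other editors get no special flags.

```shell
#!/bin/sh
# Hardened pwsafe wrapper (added example; assumptions noted in the lead-in).

SAFE=${SAFE:-$HOME/.pwsafe}

# Prefer a tmpfs directory so the cleartext never reaches a flash or
# log-structured filesystem; fall back to $TMPDIR or /tmp.
secure_tmpdir() {
    for d in /dev/shm "${TMPDIR:-/tmp}"; do
        if [ -d "$d" ] && [ -w "$d" ]; then
            printf '%s\n' "$d"
            return 0
        fi
    done
    return 1
}

# Overwrite before unlinking where the platform offers it (shred on GNU,
# rm -P on BSD). This is no help on log-structured storage, which is why
# secure_tmpdir() is the primary defence.
wipe() {
    for f; do
        [ -e "$f" ] || continue
        if command -v shred >/dev/null 2>&1; then
            shred -u -- "$f"
        else
            rm -P -- "$f" 2>/dev/null || rm -f -- "$f"
        fi
    done
}

# Per-editor flags that stop recovery/backup/undo/history copies of the
# cleartext, printed one flag per line so a flag may itself contain spaces.
editor_flags() {
    case "$(basename "${1:-vi}")" in
        vim|gvim|nvim)
            printf '%s\n' -n -i NONE \
                '+set nobackup nowritebackup noswapfile noundofile' ;;
        emacs)
            printf '%s\n' --eval \
                '(setq make-backup-files nil auto-save-default nil)' ;;
        *) ;;   # vi(1)/nvi and unknown editors: no flags, tmpfs only
    esac
}

run_editor() {
    file=$1
    ed=${EDITOR:-${VISUAL:-vi}}
    flags=$(editor_flags "$ed")
    oldifs=$IFS
    IFS='
'
    set -- $flags "$file"    # split flags on newline only
    IFS=$oldifs
    "$ed" "$@"
}

# The password reaches openssl on stdin, never in argv (visible via ps).
pwsafe_decrypt() {  # $1 password, $2 ciphertext in, $3 cleartext out
    printf '%s' "$1" | openssl aes-256-cbc -d -pbkdf2 -pass stdin -in "$2" -out "$3"
}
pwsafe_encrypt() {  # $1 password, $2 cleartext in, $3 ciphertext out
    printf '%s' "$1" | openssl aes-256-cbc -pbkdf2 -pass stdin -in "$2" -out "$3"
}

pwsafe_edit() {
    dir=$(secure_tmpdir) || exit 1
    TMPFILE=$(mktemp "$dir/pwsafeXXXXXXXXXX") || exit 1
    NEWSAFE=$(mktemp "$(dirname "$SAFE")/.pwsafe.XXXXXXXXXX") || exit 1
    trap 'wipe "$TMPFILE" "$NEWSAFE"' 0 1 2 15

    STTY=$(stty -g)
    printf 'Password: '
    stty -echo
    read -r PASSWORD
    stty "$STTY"
    echo

    # A missing safe means first use: start from an empty file.
    if [ -f "$SAFE" ]; then
        pwsafe_decrypt "$PASSWORD" "$SAFE" "$TMPFILE" || exit 1
    fi
    run_editor "$TMPFILE"
    # Encrypt to a scratch file first; the rename is atomic within one
    # directory, so the old safe survives any failure before this point.
    pwsafe_encrypt "$PASSWORD" "$TMPFILE" "$NEWSAFE" || exit 1
    mv -f "$NEWSAFE" "$SAFE"
}

# Round-trip a constructed entry through encrypt/decrypt in a scratch
# directory and print what came back; checks the openssl plumbing only.
pwsafe_selfcheck() {
    d=$(mktemp -d "${TMPDIR:-/tmp}/pwsafe.XXXXXXXXXX") || return 1
    printf 'example.org: hunter2\n' >"$d/plain"   # constructed sample entry
    pwsafe_encrypt 'correct horse battery' "$d/plain" "$d/safe" || return 1
    pwsafe_decrypt 'correct horse battery' "$d/safe" "$d/out" || return 1
    cat "$d/out"
    wipe "$d/plain" "$d/safe" "$d/out"
    rmdir "$d"
}

case "${1-}" in
    edit)  pwsafe_edit ;;
    check) pwsafe_selfcheck ;;
esac
```

Run it as `sh pwsafe.sh edit` to edit the safe and `sh pwsafe.sh check` to exercise the encrypt/decrypt path without an editor. The recovery-file point in the post is only partly solvable from outside the editor: vim and emacs accept the switches above, but for nvi the safest option this script offers is that its recovery copy, if written, lands in the same tmpfs-backed directory only when `recdir` points there, which the script does not configure.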