CODEVOID

No plaintext passwords, please!

Try to keep your passwords out of your dotfiles. In many cases, this can be done with gpg (or a command line based password manager).

Here are some examples:

MSMTP

In the .msmtprc you can use passwordeval instead of password and make it retrieve the password using a command.

passwordeval "gpg -d $HOME/.msmtp-pw.gpg"

OfflineIMAP

OfflineIMAP can retrieve the password by calling a Python function, here named “get_pass”, from a Python file you provide. We can use this by writing a small Python script that calls gpg or the password manager.

In the .offlineimaprc set the python file and remotepasseval. The get_pass function takes 3 arguments, which are used to select the correct password from the file.

pythonfile=~/.offlineimap.py
remotepasseval=get_pass("mail","user","993")

Create a file ~/.offlineimap.py with the following content:

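#!/usr/bin/python3
import os, re, subprocess
def get_pass(machine, login, port):
    # Decrypt the password file; gpg prompts for the passphrase if needed.
    path = os.path.expanduser("~/.offlineimap-pw.gpg")
    authinfo = subprocess.check_output(["gpg", "-d", path], text=True)
    # Match the arguments literally, not as regular-expression syntax.
    fields = tuple(re.escape(x) for x in (machine, login, port))
    m = re.search('machine %s login %s port %s password ([^ ]*)\n' % fields, authinfo)
    if m is None:
        raise KeyError("no entry for %s@%s:%s" % (login, machine, port))
    return m.group(1)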

The password file needs to contain entries like the one below. More than one entry is supported, so if you have more than one account configured, you can call get_pass(...) multiple times and select a different password for each account.

machine mail login sdk port 993 password securepassword

Mutt

In ~/.muttrc, we can use the source command to read configuration entries.

source "gpg -d $HOME/.mutt-pw.gpg |"

The password file needs to contain valid mutt configuration options:

set imap_pass=supersecurepassword
set imap_user=sdk

Vim can help…

Vim does not need a password, but it can help with those gpg files. Instead of manually decrypting, changing and re-encrypting these password files, you can use the vim-gpg plugin, which does that for you. Once it’s installed, you can edit .gpg files directly and it takes over the cumbersome decryption and encryption.

password-store

I’m using password-store for the task instead of gpg. This works by replacing all the “gpg -d $file” commands with the corresponding “pass $folder/$account” command. It works the same way, but password-store takes care of editing the files and also versions and syncs them across devices (using git).
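
To check that no plaintext password is left behind after switching, the dotfiles above can be audited for the plaintext settings. This is an added example, not part of the original post; the function names are made up here, and the flagged keys (msmtp's password, OfflineIMAP's remotepass, mutt's imap_pass/smtp_pass/pop_pass) are the plaintext counterparts of the settings shown above.

```python
import os
import re

# Plaintext settings to flag, per dotfile. "passwordeval", "remotepasseval"
# and a sourced gpg pipe (the forms used in the article) do not match.
RULES = {
    ".msmtprc": re.compile(r"^\s*(?P<key>password)\s+\S"),
    ".offlineimaprc": re.compile(r"^\s*(?P<key>remotepass)\s*[=:]\s*\S"),
    ".muttrc": re.compile(
        r"^\s*set\s+(?:.*\s)?(?P<key>(?:imap|smtp|pop)_pass)\s*=\s*\S"),
}

def find_plaintext(name, text):
    """Return [(line_number, key)] for plaintext password settings.

    Only the key is reported, so the audit output never contains a secret.
    """
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith(("#", ";")):
            continue  # comment line
        m = RULES[name].match(line)
        if m:
            hits.append((lineno, m.group("key")))
    return hits

def scan_home(home):
    """Check every known dotfile that exists directly under `home`."""
    report = {}
    for name in RULES:
        path = os.path.join(home, name)
        if os.path.isfile(path):
            with open(path, encoding="utf-8", errors="replace") as fh:
                report[name] = find_plaintext(name, fh.read())
    return report

if __name__ == "__main__":
    # Constructed sample: one plaintext entry, one passwordeval entry.
    sample = 'user sdk\npassword hunter2\npasswordeval "gpg -d x.gpg"\n'
    print(find_plaintext(".msmtprc", sample))
    # Audit the real home directory and print file:line for each finding.
    for name, hits in scan_home(os.path.expanduser("~")).items():
        for lineno, key in hits:
            print("%s:%d: plaintext %s" % (name, lineno, key))
```

An empty result only means these three files are clean; copies in backups or in a dotfiles git history still need to be checked separately.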

