Consequences of secret key stored in plain text in ~/.op/config?

I've been mucking around with the new CLI and it's pretty nice! I have some files sitting in my home folder that contain access tokens and the like that I set environment variables with to use in some Node.js applications I write, and was intrigued by the idea of replacing them with a dynamic call to op so the tokens don't have to be sitting on there in plain text. So instead of export API_KEY=<key> I could do an eval $(op signin <address>) at the top of the script then do export API_KEY=$(op get item '<item name>' --fields 'api key') and as soon as the terminal session is closed, that environment variable is gone. I made that change and it works a treat, except I see the secret key now lives in ~/.op/config` in plain text, which feels to me less appealing than having the individual API keys sitting that way, heh.

I see in the 1Password white paper that under macOS the secret key is stored in the macOS keychain, would it make sense to do that with the CLI as well? Or am I entirely misunderstanding the threat model for this and it's not really a concern at all? 😅 (I'm not any sort of security person, just someone with a vague interest).

Cheers!


1Password Version: Not Provided
Extension Version: Not Provided
OS Version: Not Provided
Sync Type: Not Provided

Comments

  • I'd be interested to hearing the answer to this as well. I know, ssh keys are stored in ~/.ssh, etc., but...

  • Aye, that thought had occurred to me as well, but they're (ideally) password-protected.

    Though I guess by the same logic, the secret key isn't any use unless you also have the master password...

  • BenBen AWS Team

    Team Member

    Hi folks,

    I'm sorry for the delayed reply here. I'd be happy to help with that.

    the secret key isn't any use unless you also have the master password...

    This is a big part of it. Another big part is that the Secret Key isn't intended to be secret within your system. The purpose of the Master Password is to protect your data that is on your computer. The purpose of the Secret Key is to protect the data that is on our servers.

    About your Secret Key

    Ben

  • edited May 27

    Ahh, makes sense, I missed that distinction! Cheers Ben. :)

    I guess by the same token I should ensure that I don't have Time Machine or Backblaze backing up the ~/.op directory either. (My backups to Backblaze are encrypted with my own passphrase anyway, but still).

  • BenBen AWS Team

    Team Member

    If you are encrypting your backups it may not be necessary to exclude the files from those backups, but that's certainly something you may want to consider based on your use case.

    Ben

  • That does make sense and is the type of thing I might have overlooked. Can I ask if the regular macOS app stores the secret key somewhere 'available' that can accidentally get propagated unintentionally via a backup?

  • BenBen AWS Team

    Team Member
    edited May 28

    Yes - it does, as does your web browser if you use it to log into the web app. From our Security Design White Paper:

    Locally exposed Secret Keys
    Once a client is enrolled, it will store a copy of the Secret Key on the local device. Because the Secret Key must be used to derive the user’s MUK it cannot be encrypted by the same MUK. Although lightly obfuscated, the Secret Key is stored on the local device unencrypted. Where possible, the Secret Key will be put into something provided by your system for storing authentication secrets. For 1Password for Mac and 1Password for iOS that will use the iOS and OS X keychains respectively. But when 1Password has been used from a web browser, the Secret Key is stored in the browser’s local data store, a fairly exposed location.
    Recall that the Secret Key is designed so that an attacker will not be in a position to launch an offline password guessing attack if she captures data from the server alone. It does succeed at that goal, but in the current version, our ability to protect the Secret Key on your computer is limited by the tools available to that particular client.

    Ben

  • Ahh, okay. So at least the app's secret key on macOS is nominally encrypted in a backup, as it lives in the system keychain. That is good to know. I will make sure to exclude the CLI secret key from backups.

    I guess there wasn't a way for the CLI program to read the secret key from the system keychain?

  • BenBen AWS Team

    Team Member

    Ahh, okay. So at least the app's secret key on macOS is nominally encrypted in a backup, as it lives in the system keychain. That is good to know. I will make sure to exclude the CLI secret key from backups.

    :+1:

    I guess there wasn't a way for the CLI program to read the secret key from the system keychain?

    Not currently, though that may be a choice we can reconsider in the future. :)

    Ben

Leave a Comment

BoldItalicStrikethroughOrdered listUnordered list
Emoji
Image
Align leftAlign centerAlign rightToggle HTML viewToggle full pageToggle lights
Drop image/file