Any document with security details?
Is there a document that describes the security details of the CLI?
In particular I was curious how the Secret Key was stored. I found that it's stored in plain text in the file ~/.op/config. That doesn't seem super secure.
If I want to erase all traces of the signin with the CLI, is it enough to delete the entire ~/.op folder? Is there a better way? Perhaps a CLI command?
Comments
-
Another security related issue is that the Security Key will "leak" into the shell history because it's in the op signin command.
-
@pervel No document just yet. We store the Secret Key in a similar way as the other apps, it's just in a more "visible" location. If you delete the config directory and the auth directory in /tmp/, you will have erased the CLI's "existence" on your machine.
As for the secret key in the shell, this is something we circumvented for the Master Password with secure input and the session token with environment variables. The config directory has permissions for the current user only. It's important to note that there's not much we can do to prevent a superuser or someone who's gained shell access to your machine from getting your config file. This is part of the reason that the Master Password and Secret Key work together to create your master key, since one is useless without the other.
Hope that helps, please let me know if you have any other questions!
-
I should have said I'm on Mac. Is it in a different location on a Mac?
-
Thanks, I found it. I do think it would be good with a CLI command to remove a specific named account as well as one to remove all at once.
-
That's a great suggestion, something like a --purge flag on op signout perhaps?
-
That could work. Though maybe it's a bit inconsistent using op signout even if you're not actually signed in. So perhaps an entirely new command would be better.
-
Alright thanks for the ideas. We'll look into some options.
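
The two exposures discussed in this thread, a config directory accessible beyond its owner and op signin lines left in shell history, can be checked with a short script. This is an added example, not part of the original posts or 1Password's own tooling; the function names and the history file names (.bash_history, .zsh_history) are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). ~/.op comes from the thread; the
# function names and history file names are assumptions.

# List entries under the CLI config dir that group or others can access.
# Returns 0 if owner-only, 1 if something is exposed, 2 if the dir is absent.
op_config_exposed() {
    dir=$1
    [ -d "$dir" ] || return 2
    found=$(find "$dir" ! -type l \( -perm -040 -o -perm -020 -o -perm -010 \
        -o -perm -004 -o -perm -002 -o -perm -001 \) -print)
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}

# Count history lines that invoke "op signin". Only a count is printed, so a
# Secret Key typed on such a line is never echoed to the terminal or a log.
op_signin_history_hits() {
    total=0
    for f in "$@"; do
        [ -r "$f" ] || continue
        # Match "op" as a command word, including zsh's ": <time>:0;cmd" form.
        n=$(grep -cE '(^|[;&|[:space:]])op[[:space:]]+signin([[:space:]]|$)' "$f" || true)
        total=$((total + n))
    done
    echo "$total"
}

# Report both checks for one home directory.
op_audit() {
    home=$1
    rc=0
    op_config_exposed "$home/.op" || rc=$?
    case $rc in
        0) echo "config: owner-only" ;;
        1) echo "config: entries above are group/other accessible" ;;
        2) echo "config: no .op directory found" ;;
    esac
    hits=$(op_signin_history_hits "$home/.bash_history" "$home/.zsh_history")
    echo "history: $hits line(s) invoke op signin"
}
```

Source the file and call op_audit "$HOME" to run both checks against the current account.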