cryptomator / cli

Cryptomator Command-Line Interface
GNU Affero General Public License v3.0

implement showing password prompt if password not provided #21

Closed didlich closed 6 years ago

didlich commented 6 years ago

implements feature https://github.com/cryptomator/cli/issues/11

CLAassistant commented 6 years ago

CLA assistant check
All committers have signed the CLA.

overheadhunter commented 6 years ago

Looks good so far. Nice clean style. @markuskreusch will do a full review.

didlich commented 6 years ago

@markuskreusch I want to ask you about the point in time at which the password is entered. In the case where the password is read from standard input, in the current implementation the user is asked to input the password shortly before the vault is decrypted. I wonder if we should ask for the password in the args processing step. It has the drawback that the password is stored in memory the whole time the CLI is running, but has the advantage that all the passwords are available before we start processing the vaults.

What do you think?

overheadhunter commented 6 years ago

> it has the drawback that the password is stored in memory the whole time the cli is running

Of course we try to have the password as short a time as possible in memory, but even afterwards the derived key would be in memory for as long as the vault is unlocked. An attacker able to create memory dumps would still be able to use this key to decrypt the data. In other words, if the machine is already compromised, all is lost.

So in my opinion it is acceptable to have the password in memory for a longer period, if it serves a purpose.
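The trade-off discussed in the two comments above, as an added example that is not part of the thread or of the Cryptomator CLI code base: prompting right before unlock keeps the password in memory only for the duration of key derivation, while the derived key remains for as long as the vault is open. The class and method names are hypothetical, and PBKDF2 from the JDK is a stand-in for the vault's own key derivation.

```java
import java.io.Console;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

// Added illustration; names are hypothetical, not Cryptomator CLI code.
public class PromptLateDemo {

    // Stand-in KDF (PBKDF2) so the sketch runs with the JDK alone.
    static byte[] deriveKey(char[] password, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password, salt, 100_000, 256);
        try {
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                    .generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword(); // PBEKeySpec holds its own copy of the password
        }
    }

    // Prompt just before unlocking: the password lives only for this call.
    static byte[] unlock(String vaultName, byte[] salt) throws Exception {
        Console console = System.console();
        if (console == null) {
            throw new IllegalStateException("no interactive console available");
        }
        // char[] (not String) so the buffer can be overwritten after use
        char[] password = console.readPassword("Password for vault '%s': ", vaultName);
        if (password == null) {
            throw new IllegalStateException("end of input while reading password");
        }
        try {
            return deriveKey(password, salt);
        } finally {
            Arrays.fill(password, '\0'); // wipe the prompt buffer
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] salt = "constructed-demo-salt".getBytes(StandardCharsets.UTF_8); // constructed value
        byte[] key = unlock("demo", salt);
        try {
            // While the vault is unlocked, this key is what a memory dump would expose.
            System.out.println("derived a " + key.length * 8 + "-bit key");
        } finally {
            Arrays.fill(key, (byte) 0); // wipe on lock
        }
    }
}
```

Prompting during argument parsing instead would move the `readPassword` call earlier and keep each `char[]` alive until its vault is unlocked, which is the longer exposure window the thread weighs against having all passwords up front.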

didlich commented 6 years ago

@markuskreusch, @overheadhunter hi, could you have a look at the changes?

markuskreusch commented 6 years ago

I am really sorry for the delay. Forgot about this during the holidays. Looks fine now.