Store authentication in separate file

[frabcus]

I like to backup my configuration files, but can't for imap-backup because the password is in the same file as the rest of the configuration. I think it would be good for the passwords to be in a separate file.

This would be similar to how ssh stores its config in .ssh/config but keys are in separate files e.g. id_rsa

I've had a quick look around for standard ways this is done in different commandline tools, but I'm not sure what the best method is. If (as in a few other tickets) non-password authentication methods are added, those keys could go into the separate file too.

[joeyates]

Hi @frabcus

Thank you for opening this issue. It's not something that has come up so far :)

I am, of course open to pull requests on this theme, but any such change would need to introduce the possibility of holding authentication separately as a non-default option. I think the default option needs to remain that of having all the config in one file.

Another point is that, while authentication is very sensitive information, so too is the content of the backups themselves.

For this reason, my suggestion for this use case is actually to change the backup method and to GPG encrypt everything. That way, both config and backups can safely be stored in a form that is cryptographically secure.

[joeyates]

A second option that comes to mind is to redact the password:

sed -r 's/"password": "[^"]+"/"password": "REDACTED"/' /PATH/TO/imap-backup-config.json > BACKUP/PATH/imap-backup-config.json

Would either of these methods work in your case?

[frabcus]

I keep my config files in a git repository - so by "backup" I more mean that. It's private still, but a bit more permissively available than my actual backups.

In the end I just made a copy of the file as you say with the password removed. And I don't change the configuration enough for it to be a huge problem.

Still, I feel like others will hit this problem, and generally it's good practice to keep authentication keys / passwords separately from other things.

[joeyates]

I was thinking about a solution whereby the config file can be a template, and environment variable substitution could be done before loading.

E.g. (here using Ruby ERB templating, but other more widely used templates could be used)

    ...
    {
      "username": "me@example.com",
      "password": "<%= ENV['ME_EXAMPLE_COM_PASSWORD'] %>",
      "local_path": "./catchall_joeyates.info",
      "server": "mail.example.com"
    }
    ....

That kind of solution would make sense if there was one secret, but becomes difficult to manage if the config contains a larger number of accounts.

[joeyates]

We will see if anyone comes up with a proposal for a system of keeping secrets separate from the config :)

In the meantime, I'll close this issue.

[joeyates]

@frabcus, as an update to this issue, I've just released version 14.0.0, with the new single backup which let's you backup single accounts without a configuration file. The password can be in an environment variable or in a file.